darkcomet | c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d

General

Target

c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe
Size

955KB
MD5

3aba0561bac692088a8124497b10bcc7
SHA1

d4bd0472181a1fd571b4524208bc10da22901b80
SHA256

c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d
SHA512

844d49380b6c47f0295f33d2282aa9b0d877b5bea990a45c05530ef314bf0d7d060d4587895db944e4ca2688ea492d9863d96cf9bb19cb07a511fa88d7731a86
SSDEEP

24576:rdUvg0chwTjvBIvwaZQJniuL9W0pesrdc4jvU:rpKGoayZtd5nD

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

darkcomet-reborn.no-ip.org:80

Mutex

DC_MUTEX-F54S21D

Attributes

gencode
V7o8b6zx0d0d
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Users\\Admin\\AppData\\Local\\Temp\\win.exe"	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exevbc.exe

description	pid	process	target process
PID 536 set thread context of 1368	536	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 1368 set thread context of 1528	1368	vbc.exe	iexplore.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1368	vbc.exe
Token: SeSecurityPrivilege	1368	vbc.exe
Token: SeTakeOwnershipPrivilege	1368	vbc.exe
Token: SeLoadDriverPrivilege	1368	vbc.exe
Token: SeSystemProfilePrivilege	1368	vbc.exe
Token: SeSystemtimePrivilege	1368	vbc.exe
Token: SeProfSingleProcessPrivilege	1368	vbc.exe
Token: SeIncBasePriorityPrivilege	1368	vbc.exe
Token: SeCreatePagefilePrivilege	1368	vbc.exe
Token: SeBackupPrivilege	1368	vbc.exe
Token: SeRestorePrivilege	1368	vbc.exe
Token: SeShutdownPrivilege	1368	vbc.exe
Token: SeDebugPrivilege	1368	vbc.exe
Token: SeSystemEnvironmentPrivilege	1368	vbc.exe
Token: SeChangeNotifyPrivilege	1368	vbc.exe
Token: SeRemoteShutdownPrivilege	1368	vbc.exe
Token: SeUndockPrivilege	1368	vbc.exe
Token: SeManageVolumePrivilege	1368	vbc.exe
Token: SeImpersonatePrivilege	1368	vbc.exe
Token: SeCreateGlobalPrivilege	1368	vbc.exe
Token: 33	1368	vbc.exe
Token: 34	1368	vbc.exe
Token: 35	1368	vbc.exe
Token: 36	1368	vbc.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exevbc.exe

description	pid	process	target process
PID 536 wrote to memory of 1368	536	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 536 wrote to memory of 1368	536	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 536 wrote to memory of 1368	536	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 536 wrote to memory of 1368	536	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 536 wrote to memory of 1368	536	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 536 wrote to memory of 1368	536	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 536 wrote to memory of 1368	536	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 536 wrote to memory of 1368	536	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 536 wrote to memory of 1368	536	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 536 wrote to memory of 1368	536	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 536 wrote to memory of 1368	536	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 536 wrote to memory of 1368	536	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 536 wrote to memory of 1368	536	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 536 wrote to memory of 1368	536	c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe	vbc.exe
PID 1368 wrote to memory of 1528	1368	vbc.exe	iexplore.exe
PID 1368 wrote to memory of 1528	1368	vbc.exe	iexplore.exe
PID 1368 wrote to memory of 1528	1368	vbc.exe	iexplore.exe
PID 1368 wrote to memory of 1528	1368	vbc.exe	iexplore.exe
PID 1368 wrote to memory of 1528	1368	vbc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe
"C:\Users\Admin\AppData\Local\Temp\c4648dcf38c8be2bd5014fb81c55fb5c29da969ebdea8bee8831c273a966657d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
PID:1528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/536-132-0x00000000748D0000-0x0000000074E81000-memory.dmp

Filesize
5.7MB

Download
memory/536-137-0x00000000748D0000-0x0000000074E81000-memory.dmp

Filesize
5.7MB

Download
memory/1368-133-0x0000000000000000-mapping.dmp

Download
memory/1368-134-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1368-135-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1368-136-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1368-138-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1368-139-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads