darkcomet | 4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248

General

Target

4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Size

720KB
MD5

f5ec22b04ff24ba717ef4f7c567f8e52
SHA1

51bd7372c4f9d1b90f43d0f5d1d080bda770d043
SHA256

4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248
SHA512

0e5f67c8f45cf5c304fb7fc1601174a036d86fde6fdfee7d0efd2616d690fc6bd7fbafcd64ba749c9fe874eb31235bb161b9fd02bb63c550e0cd090f25ce9512
SSDEEP

12288:jrgXPhw9xGblYKJPa2dILqneS4+oVOcb9hd8qOFINneXFXgIv5VhmkQWNMf:4XOu9HIL9XOcb9hdNOFINeXb00Ne

Score

10^/10

darkcomet silk persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

silk

C2

chinahacking.zapto.org:1509

Mutex

DC_MUTEX-KGBE2JX

Attributes

gencode
BqtloSbbcP1S
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 1 IoCs

pid	Process
636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe

Loads dropped DLL 1 IoCs

pid	Process
2028	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2028 set thread context of 636	2028	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeSecurityPrivilege	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeTakeOwnershipPrivilege	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeLoadDriverPrivilege	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeSystemProfilePrivilege	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeSystemtimePrivilege	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeProfSingleProcessPrivilege	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeIncBasePriorityPrivilege	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeCreatePagefilePrivilege	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeBackupPrivilege	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeRestorePrivilege	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeShutdownPrivilege	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeDebugPrivilege	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeSystemEnvironmentPrivilege	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeChangeNotifyPrivilege	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeRemoteShutdownPrivilege	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeUndockPrivilege	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeManageVolumePrivilege	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeImpersonatePrivilege	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeCreateGlobalPrivilege	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: 33	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: 34	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: 35	636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
636	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1984	2028	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	28
PID 2028 wrote to memory of 1984	2028	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	28
PID 2028 wrote to memory of 1984	2028	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	28
PID 2028 wrote to memory of 1984	2028	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	28
PID 2028 wrote to memory of 636	2028	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	29
PID 2028 wrote to memory of 636	2028	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	29
PID 2028 wrote to memory of 636	2028	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	29
PID 2028 wrote to memory of 636	2028	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	29
PID 2028 wrote to memory of 636	2028	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	29
PID 2028 wrote to memory of 636	2028	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	29
PID 2028 wrote to memory of 636	2028	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	29
PID 2028 wrote to memory of 636	2028	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	29
PID 2028 wrote to memory of 636	2028	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	29
PID 2028 wrote to memory of 636	2028	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	29
PID 1984 wrote to memory of 596	1984	cmd.exe	31
PID 1984 wrote to memory of 596	1984	cmd.exe	31
PID 1984 wrote to memory of 596	1984	cmd.exe	31
PID 1984 wrote to memory of 596	1984	cmd.exe	31
PID 2028 wrote to memory of 636	2028	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	29
PID 2028 wrote to memory of 636	2028	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	29
PID 2028 wrote to memory of 636	2028	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	29
PID 596 wrote to memory of 1392	596	net.exe	32
PID 596 wrote to memory of 1392	596	net.exe	32
PID 596 wrote to memory of 1392	596	net.exe	32
PID 596 wrote to memory of 1392	596	net.exe	32

C:\Users\Admin\AppData\Local\Temp\4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
"C:\Users\Admin\AppData\Local\Temp\4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\cmd.exe
  /c net stop MpsSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:596
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:1392
- C:\Users\Admin\AppData\Local\Temp\4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
  C:\Users\Admin\AppData\Local\Temp\4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe

Filesize
720KB

MD5
f5ec22b04ff24ba717ef4f7c567f8e52

SHA1
51bd7372c4f9d1b90f43d0f5d1d080bda770d043

SHA256
4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248

SHA512
0e5f67c8f45cf5c304fb7fc1601174a036d86fde6fdfee7d0efd2616d690fc6bd7fbafcd64ba749c9fe874eb31235bb161b9fd02bb63c550e0cd090f25ce9512

Download Submit
\Users\Admin\AppData\Local\Temp\4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe

Filesize
720KB

MD5
f5ec22b04ff24ba717ef4f7c567f8e52

SHA1
51bd7372c4f9d1b90f43d0f5d1d080bda770d043

SHA256
4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248

SHA512
0e5f67c8f45cf5c304fb7fc1601174a036d86fde6fdfee7d0efd2616d690fc6bd7fbafcd64ba749c9fe874eb31235bb161b9fd02bb63c550e0cd090f25ce9512

Download Submit
memory/636-72-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/636-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/636-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/636-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/636-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/636-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/636-81-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/636-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/636-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/636-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/636-80-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/636-79-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/636-76-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2028-75-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2028-54-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing