darkcomet | 00c4b01417f71763724949ffb123875e62fb8e79ce17ae1ab224acb9261221c7

General

Target

02f7467c0a07153c0c9fec745a96f819.exe
Size

347KB
MD5

02f7467c0a07153c0c9fec745a96f819
SHA1

1f3b662f4597a97182134c542718a09ac14dbe53
SHA256

00c4b01417f71763724949ffb123875e62fb8e79ce17ae1ab224acb9261221c7
SHA512

13d8ce07b201b74a648319f6a9cb20761ea1be819b915aa5d6b5112dbb31f693e777cc800b529f12737945844d411e1c2d9614be11e129561017cb34738010a4
SSDEEP

6144:T7L+PQIshf4BnYow5U7b7rSMauoLQF1I89lA:3issWUnShLQF1I89lA

Score

10^/10

darkcomet quasar ---trens--office2010 persistence rat spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

---trens--

C2

qassar1122.ddns.net:2007

Mutex

QSR_MUTEX_MnRnXGbvBvn8Tkxj0A

Attributes

encryption_key
i4DXiO929iCJdpvsIcV3
install_name
Update service.exe
log_directory
Logs
reconnect_delay
3000
startup_key
service update
subdirectory
microsofte

Extracted

Family

darkcomet

Botnet

office2010

C2

darck111.ddns.net:2006

Mutex

DCMIN_MUTEX-6C5K0B1

Attributes

gencode
v30h5qiY2jCx
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

M2kZrx0Y7oeB.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\L4PNd7cQoiGt.exe\",explorer.exe"	M2kZrx0Y7oeB.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1992-54-0x0000000000C60000-0x0000000000CBE000-memory.dmp	family_quasar
behavioral1/memory/1992-55-0x000000001A910000-0x000000001A990000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe	family_quasar
C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe	family_quasar
behavioral1/memory/1736-61-0x00000000002D0000-0x000000000032E000-memory.dmp	family_quasar
behavioral1/memory/1736-62-0x000000001AF70000-0x000000001AFF0000-memory.dmp	family_quasar
behavioral1/memory/1736-64-0x000000001AF70000-0x000000001AFF0000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

Update service.exeM2kZrx0Y7oeB.exe

pid process

1736 Update service.exe
1828 M2kZrx0Y7oeB.exe

pid	process
1736	Update service.exe
1828	M2kZrx0Y7oeB.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1184-81-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1184-82-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1184-84-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1184-86-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1184-87-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1184-102-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1184-103-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1184-104-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1184-105-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1184-106-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1184-108-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

flow	ioc
1	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

M2kZrx0Y7oeB.exe

description	pid	process	target process
PID 1828 set thread context of 1184	1828	M2kZrx0Y7oeB.exe	vbc.exe
PID 1828 set thread context of 1184	1828	M2kZrx0Y7oeB.exe	vbc.exe
PID 1828 set thread context of 1184	1828	M2kZrx0Y7oeB.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

M2kZrx0Y7oeB.exe

pid process

1828 M2kZrx0Y7oeB.exe
1828 M2kZrx0Y7oeB.exe

pid	process
1828	M2kZrx0Y7oeB.exe
1828	M2kZrx0Y7oeB.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

02f7467c0a07153c0c9fec745a96f819.exeUpdate service.exeM2kZrx0Y7oeB.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1992	02f7467c0a07153c0c9fec745a96f819.exe
Token: SeDebugPrivilege	1736	Update service.exe
Token: SeDebugPrivilege	1828	M2kZrx0Y7oeB.exe
Token: SeDebugPrivilege	1828	M2kZrx0Y7oeB.exe
Token: SeIncreaseQuotaPrivilege	1184	vbc.exe
Token: SeSecurityPrivilege	1184	vbc.exe
Token: SeTakeOwnershipPrivilege	1184	vbc.exe
Token: SeLoadDriverPrivilege	1184	vbc.exe
Token: SeSystemProfilePrivilege	1184	vbc.exe
Token: SeSystemtimePrivilege	1184	vbc.exe
Token: SeProfSingleProcessPrivilege	1184	vbc.exe
Token: SeIncBasePriorityPrivilege	1184	vbc.exe
Token: SeCreatePagefilePrivilege	1184	vbc.exe
Token: SeBackupPrivilege	1184	vbc.exe
Token: SeRestorePrivilege	1184	vbc.exe
Token: SeShutdownPrivilege	1184	vbc.exe
Token: SeDebugPrivilege	1184	vbc.exe
Token: SeSystemEnvironmentPrivilege	1184	vbc.exe
Token: SeChangeNotifyPrivilege	1184	vbc.exe
Token: SeRemoteShutdownPrivilege	1184	vbc.exe
Token: SeUndockPrivilege	1184	vbc.exe
Token: SeManageVolumePrivilege	1184	vbc.exe
Token: SeImpersonatePrivilege	1184	vbc.exe
Token: SeCreateGlobalPrivilege	1184	vbc.exe
Token: 33	1184	vbc.exe
Token: 34	1184	vbc.exe
Token: 35	1184	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Update service.exevbc.exe

pid process

1736 Update service.exe
1184 vbc.exe

pid	process
1736	Update service.exe
1184	vbc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

02f7467c0a07153c0c9fec745a96f819.exeUpdate service.exeM2kZrx0Y7oeB.exe

description	pid	process	target process
PID 1992 wrote to memory of 1736	1992	02f7467c0a07153c0c9fec745a96f819.exe	Update service.exe
PID 1992 wrote to memory of 1736	1992	02f7467c0a07153c0c9fec745a96f819.exe	Update service.exe
PID 1992 wrote to memory of 1736	1992	02f7467c0a07153c0c9fec745a96f819.exe	Update service.exe
PID 1736 wrote to memory of 1828	1736	Update service.exe	M2kZrx0Y7oeB.exe
PID 1736 wrote to memory of 1828	1736	Update service.exe	M2kZrx0Y7oeB.exe
PID 1736 wrote to memory of 1828	1736	Update service.exe	M2kZrx0Y7oeB.exe
PID 1736 wrote to memory of 1828	1736	Update service.exe	M2kZrx0Y7oeB.exe
PID 1828 wrote to memory of 1184	1828	M2kZrx0Y7oeB.exe	vbc.exe
PID 1828 wrote to memory of 1184	1828	M2kZrx0Y7oeB.exe	vbc.exe
PID 1828 wrote to memory of 1184	1828	M2kZrx0Y7oeB.exe	vbc.exe
PID 1828 wrote to memory of 1184	1828	M2kZrx0Y7oeB.exe	vbc.exe
PID 1828 wrote to memory of 1184	1828	M2kZrx0Y7oeB.exe	vbc.exe
PID 1828 wrote to memory of 1184	1828	M2kZrx0Y7oeB.exe	vbc.exe
PID 1828 wrote to memory of 1184	1828	M2kZrx0Y7oeB.exe	vbc.exe
PID 1828 wrote to memory of 1184	1828	M2kZrx0Y7oeB.exe	vbc.exe
PID 1828 wrote to memory of 1184	1828	M2kZrx0Y7oeB.exe	vbc.exe
PID 1828 wrote to memory of 1184	1828	M2kZrx0Y7oeB.exe	vbc.exe
PID 1828 wrote to memory of 1184	1828	M2kZrx0Y7oeB.exe	vbc.exe
PID 1828 wrote to memory of 1184	1828	M2kZrx0Y7oeB.exe	vbc.exe
PID 1828 wrote to memory of 1184	1828	M2kZrx0Y7oeB.exe	vbc.exe
PID 1828 wrote to memory of 1184	1828	M2kZrx0Y7oeB.exe	vbc.exe
PID 1828 wrote to memory of 1184	1828	M2kZrx0Y7oeB.exe	vbc.exe
PID 1828 wrote to memory of 1184	1828	M2kZrx0Y7oeB.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\02f7467c0a07153c0c9fec745a96f819.exe
"C:\Users\Admin\AppData\Local\Temp\02f7467c0a07153c0c9fec745a96f819.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe
"C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\M2kZrx0Y7oeB.exe
"C:\Users\Admin\AppData\Local\Temp\M2kZrx0Y7oeB.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\M2kZrx0Y7oeB.exe
Filesize
319KB

MD5
d169379916ed45abc121718178790513

SHA1
c5b982c73df7dec5c5cfc1ee3acecafb379aa8bd

SHA256
94afb32fa27d53f20922559b6008b7ec96dfd250f13033a7c8f8e4fb13a52f6d

SHA512
16b12976d0c4951298c6568293163330bad09369934cb5f87a37a6b24d304d3f2008b7c14f8dc02fab6763095463bb5ed54509b1e1c3280347357fa0c230455d

Download Submit
C:\Users\Admin\AppData\Local\Temp\M2kZrx0Y7oeB.exe
Filesize
477KB

MD5
1fd62f0d8cb4161c12a24d77898d2765

SHA1
33987a52f38511d3224f37f1ecd21383741418b8

SHA256
97312398386d457b935b24023b83c742f879874c2873c17efa34e3f79a185fc5

SHA512
595fe25a614c6e8b9693b23895f0b324858e6d20b43bb4d651effef565a969430db4b7a85e706289fd1b49574ff7239aec96156b8c5e0883850927050e935077

Download Submit
C:\Users\Admin\AppData\Local\Temp\M2kZrx0Y7oeB.exe
Filesize
477KB

MD5
1fd62f0d8cb4161c12a24d77898d2765

SHA1
33987a52f38511d3224f37f1ecd21383741418b8

SHA256
97312398386d457b935b24023b83c742f879874c2873c17efa34e3f79a185fc5

SHA512
595fe25a614c6e8b9693b23895f0b324858e6d20b43bb4d651effef565a969430db4b7a85e706289fd1b49574ff7239aec96156b8c5e0883850927050e935077

Download Submit
C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe
Filesize
347KB

MD5
02f7467c0a07153c0c9fec745a96f819

SHA1
1f3b662f4597a97182134c542718a09ac14dbe53

SHA256
00c4b01417f71763724949ffb123875e62fb8e79ce17ae1ab224acb9261221c7

SHA512
13d8ce07b201b74a648319f6a9cb20761ea1be819b915aa5d6b5112dbb31f693e777cc800b529f12737945844d411e1c2d9614be11e129561017cb34738010a4

Download Submit
C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe
Filesize
347KB

MD5
02f7467c0a07153c0c9fec745a96f819

SHA1
1f3b662f4597a97182134c542718a09ac14dbe53

SHA256
00c4b01417f71763724949ffb123875e62fb8e79ce17ae1ab224acb9261221c7

SHA512
13d8ce07b201b74a648319f6a9cb20761ea1be819b915aa5d6b5112dbb31f693e777cc800b529f12737945844d411e1c2d9614be11e129561017cb34738010a4

Download Submit
memory/1184-83-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1184-86-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1184-108-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1184-107-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1184-106-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1184-105-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1184-80-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1184-81-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1184-82-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1184-104-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1184-84-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1184-103-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1184-87-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1184-96-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/1184-92-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/1184-88-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/1184-102-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1736-64-0x000000001AF70000-0x000000001AFF0000-memory.dmp

Filesize
512KB

Download
memory/1736-61-0x00000000002D0000-0x000000000032E000-memory.dmp

Filesize
376KB

Download
memory/1736-62-0x000000001AF70000-0x000000001AFF0000-memory.dmp

Filesize
512KB

Download
memory/1828-77-0x0000000000360000-0x00000000003A0000-memory.dmp

Filesize
256KB

Download
memory/1828-109-0x0000000000360000-0x00000000003A0000-memory.dmp

Filesize
256KB

Download
memory/1992-54-0x0000000000C60000-0x0000000000CBE000-memory.dmp

Filesize
376KB

Download
memory/1992-55-0x000000001A910000-0x000000001A990000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads