darkcomet | 00c4b01417f71763724949ffb123875e62fb8e79ce17ae1ab224acb9261221c7

General

Target

02f7467c0a07153c0c9fec745a96f819.exe
Size

347KB
MD5

02f7467c0a07153c0c9fec745a96f819
SHA1

1f3b662f4597a97182134c542718a09ac14dbe53
SHA256

00c4b01417f71763724949ffb123875e62fb8e79ce17ae1ab224acb9261221c7
SHA512

13d8ce07b201b74a648319f6a9cb20761ea1be819b915aa5d6b5112dbb31f693e777cc800b529f12737945844d411e1c2d9614be11e129561017cb34738010a4
SSDEEP

6144:T7L+PQIshf4BnYow5U7b7rSMauoLQF1I89lA:3issWUnShLQF1I89lA

Score

10^/10

darkcomet quasar ---trens--office2010 persistence rat spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

---trens--

C2

qassar1122.ddns.net:2007

Mutex

QSR_MUTEX_MnRnXGbvBvn8Tkxj0A

Attributes

encryption_key
i4DXiO929iCJdpvsIcV3
install_name
Update service.exe
log_directory
Logs
reconnect_delay
3000
startup_key
service update
subdirectory
microsofte

Extracted

Family

darkcomet

Botnet

office2010

C2

darck111.ddns.net:2006

Mutex

DCMIN_MUTEX-6C5K0B1

Attributes

gencode
v30h5qiY2jCx
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

nhVFeVcr7qtf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsoft\\iErRwYnFSDYb.exe\",explorer.exe"	nhVFeVcr7qtf.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1492-133-0x0000000000CB0000-0x0000000000D0E000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe	family_quasar
C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe	family_quasar

Executes dropped EXE 2 IoCs

Processes:

Update service.exenhVFeVcr7qtf.exe

pid process

3364 Update service.exe
5104 nhVFeVcr7qtf.exe

pid	process
3364	Update service.exe
5104	nhVFeVcr7qtf.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3120-164-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3120-165-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3120-166-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3120-171-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3120-172-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3120-173-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3120-174-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3120-175-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3120-177-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3120-180-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 ip-api.com

flow	ioc
31	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

nhVFeVcr7qtf.exe

description	pid	process	target process
PID 5104 set thread context of 3120	5104	nhVFeVcr7qtf.exe	vbc.exe
PID 5104 set thread context of 3120	5104	nhVFeVcr7qtf.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

nhVFeVcr7qtf.exe

pid process

5104 nhVFeVcr7qtf.exe
5104 nhVFeVcr7qtf.exe

pid	process
5104	nhVFeVcr7qtf.exe
5104	nhVFeVcr7qtf.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

02f7467c0a07153c0c9fec745a96f819.exeUpdate service.exenhVFeVcr7qtf.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1492	02f7467c0a07153c0c9fec745a96f819.exe
Token: SeDebugPrivilege	3364	Update service.exe
Token: SeDebugPrivilege	5104	nhVFeVcr7qtf.exe
Token: SeDebugPrivilege	5104	nhVFeVcr7qtf.exe
Token: SeIncreaseQuotaPrivilege	3120	vbc.exe
Token: SeSecurityPrivilege	3120	vbc.exe
Token: SeTakeOwnershipPrivilege	3120	vbc.exe
Token: SeLoadDriverPrivilege	3120	vbc.exe
Token: SeSystemProfilePrivilege	3120	vbc.exe
Token: SeSystemtimePrivilege	3120	vbc.exe
Token: SeProfSingleProcessPrivilege	3120	vbc.exe
Token: SeIncBasePriorityPrivilege	3120	vbc.exe
Token: SeCreatePagefilePrivilege	3120	vbc.exe
Token: SeBackupPrivilege	3120	vbc.exe
Token: SeRestorePrivilege	3120	vbc.exe
Token: SeShutdownPrivilege	3120	vbc.exe
Token: SeDebugPrivilege	3120	vbc.exe
Token: SeSystemEnvironmentPrivilege	3120	vbc.exe
Token: SeChangeNotifyPrivilege	3120	vbc.exe
Token: SeRemoteShutdownPrivilege	3120	vbc.exe
Token: SeUndockPrivilege	3120	vbc.exe
Token: SeManageVolumePrivilege	3120	vbc.exe
Token: SeImpersonatePrivilege	3120	vbc.exe
Token: SeCreateGlobalPrivilege	3120	vbc.exe
Token: 33	3120	vbc.exe
Token: 34	3120	vbc.exe
Token: 35	3120	vbc.exe
Token: 36	3120	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Update service.exevbc.exe

pid process

3364 Update service.exe
3120 vbc.exe

pid	process
3364	Update service.exe
3120	vbc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

02f7467c0a07153c0c9fec745a96f819.exeUpdate service.exenhVFeVcr7qtf.exe

description	pid	process	target process
PID 1492 wrote to memory of 3364	1492	02f7467c0a07153c0c9fec745a96f819.exe	Update service.exe
PID 1492 wrote to memory of 3364	1492	02f7467c0a07153c0c9fec745a96f819.exe	Update service.exe
PID 3364 wrote to memory of 5104	3364	Update service.exe	nhVFeVcr7qtf.exe
PID 3364 wrote to memory of 5104	3364	Update service.exe	nhVFeVcr7qtf.exe
PID 3364 wrote to memory of 5104	3364	Update service.exe	nhVFeVcr7qtf.exe
PID 5104 wrote to memory of 3120	5104	nhVFeVcr7qtf.exe	vbc.exe
PID 5104 wrote to memory of 3120	5104	nhVFeVcr7qtf.exe	vbc.exe
PID 5104 wrote to memory of 3120	5104	nhVFeVcr7qtf.exe	vbc.exe
PID 5104 wrote to memory of 3120	5104	nhVFeVcr7qtf.exe	vbc.exe
PID 5104 wrote to memory of 3120	5104	nhVFeVcr7qtf.exe	vbc.exe
PID 5104 wrote to memory of 3120	5104	nhVFeVcr7qtf.exe	vbc.exe
PID 5104 wrote to memory of 3120	5104	nhVFeVcr7qtf.exe	vbc.exe
PID 5104 wrote to memory of 3120	5104	nhVFeVcr7qtf.exe	vbc.exe
PID 5104 wrote to memory of 3120	5104	nhVFeVcr7qtf.exe	vbc.exe
PID 5104 wrote to memory of 3120	5104	nhVFeVcr7qtf.exe	vbc.exe
PID 5104 wrote to memory of 3120	5104	nhVFeVcr7qtf.exe	vbc.exe
PID 5104 wrote to memory of 3120	5104	nhVFeVcr7qtf.exe	vbc.exe
PID 5104 wrote to memory of 3120	5104	nhVFeVcr7qtf.exe	vbc.exe
PID 5104 wrote to memory of 3120	5104	nhVFeVcr7qtf.exe	vbc.exe
PID 5104 wrote to memory of 3120	5104	nhVFeVcr7qtf.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\02f7467c0a07153c0c9fec745a96f819.exe
"C:\Users\Admin\AppData\Local\Temp\02f7467c0a07153c0c9fec745a96f819.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe
"C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3364

C:\Users\Admin\AppData\Local\Temp\nhVFeVcr7qtf.exe
"C:\Users\Admin\AppData\Local\Temp\nhVFeVcr7qtf.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nhVFeVcr7qtf.exe
Filesize
319KB

MD5
d169379916ed45abc121718178790513

SHA1
c5b982c73df7dec5c5cfc1ee3acecafb379aa8bd

SHA256
94afb32fa27d53f20922559b6008b7ec96dfd250f13033a7c8f8e4fb13a52f6d

SHA512
16b12976d0c4951298c6568293163330bad09369934cb5f87a37a6b24d304d3f2008b7c14f8dc02fab6763095463bb5ed54509b1e1c3280347357fa0c230455d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nhVFeVcr7qtf.exe
Filesize
477KB

MD5
1fd62f0d8cb4161c12a24d77898d2765

SHA1
33987a52f38511d3224f37f1ecd21383741418b8

SHA256
97312398386d457b935b24023b83c742f879874c2873c17efa34e3f79a185fc5

SHA512
595fe25a614c6e8b9693b23895f0b324858e6d20b43bb4d651effef565a969430db4b7a85e706289fd1b49574ff7239aec96156b8c5e0883850927050e935077

Download Submit
C:\Users\Admin\AppData\Local\Temp\nhVFeVcr7qtf.exe
Filesize
477KB

MD5
1fd62f0d8cb4161c12a24d77898d2765

SHA1
33987a52f38511d3224f37f1ecd21383741418b8

SHA256
97312398386d457b935b24023b83c742f879874c2873c17efa34e3f79a185fc5

SHA512
595fe25a614c6e8b9693b23895f0b324858e6d20b43bb4d651effef565a969430db4b7a85e706289fd1b49574ff7239aec96156b8c5e0883850927050e935077

Download Submit
C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe
Filesize
347KB

MD5
02f7467c0a07153c0c9fec745a96f819

SHA1
1f3b662f4597a97182134c542718a09ac14dbe53

SHA256
00c4b01417f71763724949ffb123875e62fb8e79ce17ae1ab224acb9261221c7

SHA512
13d8ce07b201b74a648319f6a9cb20761ea1be819b915aa5d6b5112dbb31f693e777cc800b529f12737945844d411e1c2d9614be11e129561017cb34738010a4

Download Submit
C:\Users\Admin\AppData\Roaming\microsofte\Update service.exe
Filesize
347KB

MD5
02f7467c0a07153c0c9fec745a96f819

SHA1
1f3b662f4597a97182134c542718a09ac14dbe53

SHA256
00c4b01417f71763724949ffb123875e62fb8e79ce17ae1ab224acb9261221c7

SHA512
13d8ce07b201b74a648319f6a9cb20761ea1be819b915aa5d6b5112dbb31f693e777cc800b529f12737945844d411e1c2d9614be11e129561017cb34738010a4

Download Submit
memory/1492-134-0x000000001C5A0000-0x000000001C5B0000-memory.dmp

Filesize
64KB

Download
memory/1492-135-0x000000001C540000-0x000000001C552000-memory.dmp

Filesize
72KB

Download
memory/1492-136-0x000000001DC70000-0x000000001DCAC000-memory.dmp

Filesize
240KB

Download
memory/1492-143-0x000000001B770000-0x000000001B8BE000-memory.dmp

Filesize
1.3MB

Download
memory/1492-133-0x0000000000CB0000-0x0000000000D0E000-memory.dmp

Filesize
376KB

Download
memory/3120-176-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/3120-173-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3120-177-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3120-180-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3120-175-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3120-174-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3120-164-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3120-165-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3120-166-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3120-171-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3120-172-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3364-144-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/3364-161-0x000000001ACB0000-0x000000001ADFE000-memory.dmp

Filesize
1.3MB

Download
memory/3364-148-0x000000001ACB0000-0x000000001ADFE000-memory.dmp

Filesize
1.3MB

Download
memory/3364-147-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/3364-146-0x000000001ACB0000-0x000000001ADFE000-memory.dmp

Filesize
1.3MB

Download
memory/5104-160-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

Filesize
64KB

Download
memory/5104-179-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads