darkcomet | 34a7e2ae2fcc13123fc013b7848c4832879cc4095dd1a9abd4b51e7e4181d97c

General

Target

5cc7988d8c232b5cf79f18a102783dc0_exe32.exe
Size

6.9MB
MD5

5cc7988d8c232b5cf79f18a102783dc0
SHA1

4885b54a9d4cb1ded609b2f08e7a04c93e515eba
SHA256

34a7e2ae2fcc13123fc013b7848c4832879cc4095dd1a9abd4b51e7e4181d97c
SHA512

667c13613502dcea3b1706b6cb06f5c91196bb830734bdce3f25628820e95f5424200dd47cf94938b6fca3c584b35ad27f391d7d23ac921ef388c60a692a7c65
SSDEEP

6144:6t2Ic0GfHIUWA0rJ5b7gvq5eyzaM+zN00qFTaUfwUY2z9GAR2OWq7me:6t24G8fQtk+B00ODfXZGGWwme

Score

10^/10

darkcomet guest16 rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

192.168.56.1:1604

Mutex

DC_MUTEX-AZQPD9H

Attributes

gencode
MRV9Pgf6cfGj
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	5cc7988d8c232b5cf79f18a102783dc0_exe32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	StubSoftware.exe

Executes dropped EXE 2 IoCs

pid	Process
3160	StubSoftware.exe
4580	aha.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0002000000022889-25.dat	upx
behavioral2/files/0x0002000000022889-30.dat	upx
behavioral2/memory/4580-31-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/files/0x0002000000022889-32.dat	upx
behavioral2/memory/4580-38-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4580-41-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4580-43-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4580-47-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4580-49-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings	StubSoftware.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4844	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	3236	5cc7988d8c232b5cf79f18a102783dc0_exe32.exe
Token: SeIncreaseQuotaPrivilege	4580	aha.exe
Token: SeSecurityPrivilege	4580	aha.exe
Token: SeTakeOwnershipPrivilege	4580	aha.exe
Token: SeLoadDriverPrivilege	4580	aha.exe
Token: SeSystemProfilePrivilege	4580	aha.exe
Token: SeSystemtimePrivilege	4580	aha.exe
Token: SeProfSingleProcessPrivilege	4580	aha.exe
Token: SeIncBasePriorityPrivilege	4580	aha.exe
Token: SeCreatePagefilePrivilege	4580	aha.exe
Token: SeBackupPrivilege	4580	aha.exe
Token: SeRestorePrivilege	4580	aha.exe
Token: SeShutdownPrivilege	4580	aha.exe
Token: SeDebugPrivilege	4580	aha.exe
Token: SeSystemEnvironmentPrivilege	4580	aha.exe
Token: SeChangeNotifyPrivilege	4580	aha.exe
Token: SeRemoteShutdownPrivilege	4580	aha.exe
Token: SeUndockPrivilege	4580	aha.exe
Token: SeManageVolumePrivilege	4580	aha.exe
Token: SeImpersonatePrivilege	4580	aha.exe
Token: SeCreateGlobalPrivilege	4580	aha.exe
Token: 33	4580	aha.exe
Token: 34	4580	aha.exe
Token: 35	4580	aha.exe
Token: 36	4580	aha.exe
Token: SeDebugPrivilege	3160	StubSoftware.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4580	aha.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 3160	3236	5cc7988d8c232b5cf79f18a102783dc0_exe32.exe	82
PID 3236 wrote to memory of 3160	3236	5cc7988d8c232b5cf79f18a102783dc0_exe32.exe	82
PID 3236 wrote to memory of 3160	3236	5cc7988d8c232b5cf79f18a102783dc0_exe32.exe	82
PID 3160 wrote to memory of 4580	3160	StubSoftware.exe	84
PID 3160 wrote to memory of 4580	3160	StubSoftware.exe	84
PID 3160 wrote to memory of 4580	3160	StubSoftware.exe	84
PID 3160 wrote to memory of 4844	3160	StubSoftware.exe	85
PID 3160 wrote to memory of 4844	3160	StubSoftware.exe	85
PID 3160 wrote to memory of 4844	3160	StubSoftware.exe	85

C:\Users\Admin\AppData\Local\Temp\5cc7988d8c232b5cf79f18a102783dc0_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\5cc7988d8c232b5cf79f18a102783dc0_exe32.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Users\Admin\AppData\Local\Temp\StubSoftware.exe
  "C:\Users\Admin\AppData\Local\Temp\StubSoftware.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Users\Admin\AppData\Local\Temp\aha.exe
    "C:\Users\Admin\AppData\Local\Temp\aha.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4580
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\benikoy.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\StubSoftware.exe

Filesize
344KB

MD5
1eddb798932c03c648f979280f1eaef0

SHA1
33aa6a523e7dcf606904da08fa05be7a124d1b63

SHA256
e90a4265d7d5d8c487943578b6e3ee32cf24e0aad1c08e7a5493bc04f1fb45b0

SHA512
047e7115bc44b9b326b4f5aad88ab020025bfc5c13c937ba943fb166cb5c4fb544319787436d0df80a76616853b856fc1942a3dd96f94f32a2f447370d19e429

Download Submit
C:\Users\Admin\AppData\Local\Temp\StubSoftware.exe

Filesize
344KB

MD5
1eddb798932c03c648f979280f1eaef0

SHA1
33aa6a523e7dcf606904da08fa05be7a124d1b63

SHA256
e90a4265d7d5d8c487943578b6e3ee32cf24e0aad1c08e7a5493bc04f1fb45b0

SHA512
047e7115bc44b9b326b4f5aad88ab020025bfc5c13c937ba943fb166cb5c4fb544319787436d0df80a76616853b856fc1942a3dd96f94f32a2f447370d19e429

Download Submit
C:\Users\Admin\AppData\Local\Temp\StubSoftware.exe

Filesize
344KB

MD5
1eddb798932c03c648f979280f1eaef0

SHA1
33aa6a523e7dcf606904da08fa05be7a124d1b63

SHA256
e90a4265d7d5d8c487943578b6e3ee32cf24e0aad1c08e7a5493bc04f1fb45b0

SHA512
047e7115bc44b9b326b4f5aad88ab020025bfc5c13c937ba943fb166cb5c4fb544319787436d0df80a76616853b856fc1942a3dd96f94f32a2f447370d19e429

Download Submit
C:\Users\Admin\AppData\Local\Temp\aha.exe

Filesize
251KB

MD5
c2686a32d56b8cd68232cbcdcacb80dd

SHA1
075163408035986a03f81b0e355d39f2af516749

SHA256
4986b828079a0bda3cec1abecf91786d1b9c43ad8712c6784a517c10e6d5256a

SHA512
e1be8a7f99c6e745462e3e01d1e5a3dc8581c08fda58d37e620abfd1817812134d59d557ee5ec52cef34823135e29831d165bc6f40bf2a03bfa79cbf891a3b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\aha.exe

Filesize
251KB

MD5
c2686a32d56b8cd68232cbcdcacb80dd

SHA1
075163408035986a03f81b0e355d39f2af516749

SHA256
4986b828079a0bda3cec1abecf91786d1b9c43ad8712c6784a517c10e6d5256a

SHA512
e1be8a7f99c6e745462e3e01d1e5a3dc8581c08fda58d37e620abfd1817812134d59d557ee5ec52cef34823135e29831d165bc6f40bf2a03bfa79cbf891a3b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\aha.exe

Filesize
251KB

MD5
c2686a32d56b8cd68232cbcdcacb80dd

SHA1
075163408035986a03f81b0e355d39f2af516749

SHA256
4986b828079a0bda3cec1abecf91786d1b9c43ad8712c6784a517c10e6d5256a

SHA512
e1be8a7f99c6e745462e3e01d1e5a3dc8581c08fda58d37e620abfd1817812134d59d557ee5ec52cef34823135e29831d165bc6f40bf2a03bfa79cbf891a3b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\benikoy.txt

Filesize
41B

MD5
fd7e8e2625a01067bda87e6d8ca5925a

SHA1
9758ba9764e2f2383a5a5d83eae5e7c56ac6d14d

SHA256
74169b65c8bcb49612b2473f1be2547ac7b6e6e4cd515850f3010a191a96e466

SHA512
40edde31b10e33d41c035998d4169eedbbc1711fca6a5a30a9676ddb756fce5ced7879ee3e91dd0d27c38402d45d8777199d1b8a8495c969d1af9277bc97a0f3

Download Submit
memory/3160-20-0x0000000004980000-0x000000000498A000-memory.dmp

Filesize
40KB

Download
memory/3160-16-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3160-17-0x0000000004F70000-0x0000000005514000-memory.dmp

Filesize
5.6MB

Download
memory/3160-18-0x00000000049C0000-0x0000000004A52000-memory.dmp

Filesize
584KB

Download
memory/3160-19-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/3160-36-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3160-15-0x0000000000070000-0x0000000000078000-memory.dmp

Filesize
32KB

Download
memory/3236-2-0x000000001B900000-0x000000001B910000-memory.dmp

Filesize
64KB

Download
memory/3236-13-0x00007FFEB4E80000-0x00007FFEB5941000-memory.dmp

Filesize
10.8MB

Download
memory/3236-0-0x0000000000A70000-0x0000000000ACE000-memory.dmp

Filesize
376KB

Download
memory/3236-1-0x00007FFEB4E80000-0x00007FFEB5941000-memory.dmp

Filesize
10.8MB

Download
memory/4580-31-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4580-35-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/4580-38-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4580-41-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4580-43-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4580-47-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4580-49-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing