darkcomet | 6d0ce472e07e0bcedad9f932e82512e2f4dd3db90afa0b7004d736b4b7fe7672

General

Target

075448d611663baa510daefcb583469a.exe
Size

548KB
MD5

075448d611663baa510daefcb583469a
SHA1

c523655c92dbcc28b1a1fb2dd1f95e4333597f49
SHA256

6d0ce472e07e0bcedad9f932e82512e2f4dd3db90afa0b7004d736b4b7fe7672
SHA512

4caf88720b3d2306e2e006ca9bbc12373d9b088c09218c642feaf142023265fa9bbf0b057e86225adb8799b35d3070d9560709b198c4fea182b6047d161435ec
SSDEEP

12288:HC8+l4wxUipjq5+Mou292BPMusotX6rwzW6XVFJ04qp4OsYOhg59AoWmO:Kq292BPTf0npPv4mO

Score

10^/10

darkcomet slave persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Slave

C2

darkcometramon.zapto.org:1604

Mutex

DC_MUTEX-WACNQ32

Attributes

InstallPath
MSDCSC\Update.exe
gencode
1Zo5tGcdvz3w
install
true
offline_keylogger
true
persistence
false
reg_key
WindowsUpdater

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Update.exe"	vbc.exe

Executes dropped EXE 2 IoCs

Processes:

vbc.exeUpdate.exe

pid process

2436 vbc.exe
2836 Update.exe
Loads dropped DLL 2 IoCs

Processes:

075448d611663baa510daefcb583469a.exevbc.exe

pid process

2668 075448d611663baa510daefcb583469a.exe
2436 vbc.exe

pid	process
2436	vbc.exe
2836	Update.exe

pid	process
2668	075448d611663baa510daefcb583469a.exe
2436	vbc.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2436-11-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2436-12-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2436-16-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2436-18-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2436-19-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2436-21-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2436-23-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2436-22-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2436-34-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vbc.exe075448d611663baa510daefcb583469a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Update.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\075448d611663baa510daefcb583469a.exe"	075448d611663baa510daefcb583469a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

075448d611663baa510daefcb583469a.exe

description pid process target process

PID 2668 set thread context of 2436 2668 075448d611663baa510daefcb583469a.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2668 set thread context of 2436	2668	075448d611663baa510daefcb583469a.exe	vbc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2436	vbc.exe
Token: SeSecurityPrivilege	2436	vbc.exe
Token: SeTakeOwnershipPrivilege	2436	vbc.exe
Token: SeLoadDriverPrivilege	2436	vbc.exe
Token: SeSystemProfilePrivilege	2436	vbc.exe
Token: SeSystemtimePrivilege	2436	vbc.exe
Token: SeProfSingleProcessPrivilege	2436	vbc.exe
Token: SeIncBasePriorityPrivilege	2436	vbc.exe
Token: SeCreatePagefilePrivilege	2436	vbc.exe
Token: SeBackupPrivilege	2436	vbc.exe
Token: SeRestorePrivilege	2436	vbc.exe
Token: SeShutdownPrivilege	2436	vbc.exe
Token: SeDebugPrivilege	2436	vbc.exe
Token: SeSystemEnvironmentPrivilege	2436	vbc.exe
Token: SeChangeNotifyPrivilege	2436	vbc.exe
Token: SeRemoteShutdownPrivilege	2436	vbc.exe
Token: SeUndockPrivilege	2436	vbc.exe
Token: SeManageVolumePrivilege	2436	vbc.exe
Token: SeImpersonatePrivilege	2436	vbc.exe
Token: SeCreateGlobalPrivilege	2436	vbc.exe
Token: 33	2436	vbc.exe
Token: 34	2436	vbc.exe
Token: 35	2436	vbc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

075448d611663baa510daefcb583469a.exevbc.exe

description	pid	process	target process
PID 2668 wrote to memory of 2436	2668	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 2668 wrote to memory of 2436	2668	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 2668 wrote to memory of 2436	2668	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 2668 wrote to memory of 2436	2668	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 2668 wrote to memory of 2436	2668	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 2668 wrote to memory of 2436	2668	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 2668 wrote to memory of 2436	2668	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 2668 wrote to memory of 2436	2668	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 2436 wrote to memory of 2836	2436	vbc.exe	Update.exe
PID 2436 wrote to memory of 2836	2436	vbc.exe	Update.exe
PID 2436 wrote to memory of 2836	2436	vbc.exe	Update.exe
PID 2436 wrote to memory of 2836	2436	vbc.exe	Update.exe
PID 2436 wrote to memory of 2836	2436	vbc.exe	Update.exe
PID 2436 wrote to memory of 2836	2436	vbc.exe	Update.exe
PID 2436 wrote to memory of 2836	2436	vbc.exe	Update.exe

C:\Users\Admin\AppData\Local\Temp\075448d611663baa510daefcb583469a.exe
"C:\Users\Admin\AppData\Local\Temp\075448d611663baa510daefcb583469a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Local\Temp\vbc.exe
C:\Users\Admin\AppData\Local\Temp\vbc.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436

C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe
"C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe"
3⤵
- Executes dropped EXE
PID:2836

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
599KB

MD5
6dcc16b60b937c4369e029c55105f436

SHA1
99f56934b570f60253f006bc2a831ab19767c82c

SHA256
773a87e783703f39b4e63158a1dcfef35e4583f6dd62180a2a8d45ca8b191d20

SHA512
7e1352886d04f0822ed66c6120af155f2dd1fb2868d9516379ae8df08c78f8e2441ecece51fe5e54710cdc7da9a46f1ca0cea8e250b3eb77b4d73feda34b07ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
231KB

MD5
5d36a703b589ba58eb1d63eec2951d15

SHA1
73254a61c2f0bb36012eae547f6dcbee00ea54e4

SHA256
a10940a8ff9c5956e63ce418595cf867030c29a2b9cc9fea10aad19887b60563

SHA512
c8b8ef41fb4b59b2f86b7a4eadc1e9dd9cb984376b4c256a627e0d6eb62785d146095669e1a5704a6b2ed8619f655993ef54dda2a8feacaf1705bce7206a4e08

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe
Filesize
167KB

MD5
2340e61d4874052d2d1d360f95b7a733

SHA1
3ff2bcbc4d2f919cc3b26ac55e2021afa2e81723

SHA256
4a110c574db45c64f6aa4106861e3b9873ec5aa127f2ba833e54fd9faf4f2a56

SHA512
ad3347ce5040dc2cb9719672b1964068a29992fda5744824267f6825cfe39b47500a53b9f0d83ecbfa7a3d8f76a41933150bc2e1e83378af56a6842f53b11018

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe
Filesize
444KB

MD5
a53a95adcef19717a57f3901b198c265

SHA1
3e71962af0698c48e58febb4cbeb90dcef33e614

SHA256
7b9bb56bd1de872740e424ee3a450dbcd940faab42465851be7ad407024db1d4

SHA512
aa04ecf6aec98653f115732245fffe0832d446fc0fae920a346133ddb2e5e4bb4a483078e090a914ff8b7a023693b42d409477f538dae9b112468b482a4ddc8c

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe
Filesize
350KB

MD5
5a894af884e1f42f39abbe4e8b55acd7

SHA1
06430df9e49bc099c83f7005752ee83a8a754ff7

SHA256
173d37af32b02f2d1274a7e6de8093a61e9037f5ef85dc2c7eff11ee6b8242ab

SHA512
6c941d5130f029039a12ce8da019737c7784c685c68a1776b57aeaddb3cd9b1f1a4e2c54c0c00181b10877a72fffc08fbb8eac31fa6f7259b7da04314629f44e

Download Submit
\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
986KB

MD5
76a48c74b566a995edd6fd2a5c45e6e6

SHA1
1eed56446df3c465a2a8cf2167dd75822a990e19

SHA256
70e16fb0ee9014a105fbf3e103e303fb2ab885457d7b3654a4d18eac0e6a8f6a

SHA512
418b18cfad96fc0008f6060a7d16b030f9bd0ed3bdc58f87a18d2ac82ec6e0aa0bc758991cafda172aff9fc68ee90ba3aa2b06d0cedb26f531eb07064e1d2bc9

Download Submit
\Users\Admin\AppData\Roaming\MSDCSC\Update.exe
Filesize
361KB

MD5
970a1ee386d518de3dba0b1720ba17f8

SHA1
41a0fb50674d9ef42aaca180d27224c987c8b676

SHA256
256e21e0e69d751cdbc5c7ea77b52e91533fdccec442f2aa9dd353ed97545073

SHA512
fe5717a6b7bc1fe6294b0a25d65d97e3949300a162f70a992f495f19f297b5031934f98b26f8adeb5cec17987b7ad201c142046d4297ef9bee07bcf76f016b65

Download Submit
memory/2436-19-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2436-12-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2436-18-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2436-34-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2436-9-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2436-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2436-21-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2436-23-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2436-24-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2436-22-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2436-16-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2436-11-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2668-20-0x0000000074C90000-0x000000007523B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-2-0x0000000000360000-0x00000000003A0000-memory.dmp

Filesize
256KB

Download
memory/2668-1-0x0000000074C90000-0x000000007523B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-0-0x0000000074C90000-0x000000007523B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads