darkcomet | 59a0e7d0bfcc51a30a03d8e593efc404c6c80293e8f130f34122a4fb2bcf3103

General

Target

2e0d91d2f53c8972b85474a0af5a4ccd.exe
Size

835KB
MD5

2e0d91d2f53c8972b85474a0af5a4ccd
SHA1

579424294f6b61994420553324262fa870122c28
SHA256

59a0e7d0bfcc51a30a03d8e593efc404c6c80293e8f130f34122a4fb2bcf3103
SHA512

d254b1b4a448840ab612c6ab4b370f519a00825988c8d9f61427a17cd847b884563d2209d01fd9d5729f381fcfc8bc51cca8450b5ea631a8b415c86e7910785e
SSDEEP

12288:94xkDWn1noBIR2ZWyJn5hKaPysbikwlc4FToFu8SMr23:9UpnfnyMaPysbiDO4ZoFu/v

Score

10^/10

darkcomet 0pf3rs_upd43t.v2 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

0pf3rS_uPd43T.v2

C2

dasistmeineip.no-ip.org:51337

Mutex

DCMIN_MUTEX-CCK1K0P

Attributes

InstallPath
WinRAR\WinRAR.exe
gencode
D2mEbEcEBi6r
install
true
offline_keylogger
true
persistence
false
reg_key
WinRAR

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\WinRAR\\WinRAR.exe"	WINRAR32.EXE

Executes dropped EXE 2 IoCs

pid	Process
3004	WINRAR32.EXE
3052	WINRAR32.EXE

Loads dropped DLL 3 IoCs

pid	Process
2136	2e0d91d2f53c8972b85474a0af5a4ccd.exe
2136	2e0d91d2f53c8972b85474a0af5a4ccd.exe
3004	WINRAR32.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinRAR = "C:\\Users\\Admin\\AppData\\Roaming\\WinRAR\\WinRAR.exe"	WINRAR32.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3004 set thread context of 3052	3004	WINRAR32.EXE	19

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3052	WINRAR32.EXE
Token: SeSecurityPrivilege	3052	WINRAR32.EXE
Token: SeTakeOwnershipPrivilege	3052	WINRAR32.EXE
Token: SeLoadDriverPrivilege	3052	WINRAR32.EXE
Token: SeSystemProfilePrivilege	3052	WINRAR32.EXE
Token: SeSystemtimePrivilege	3052	WINRAR32.EXE
Token: SeProfSingleProcessPrivilege	3052	WINRAR32.EXE
Token: SeIncBasePriorityPrivilege	3052	WINRAR32.EXE
Token: SeCreatePagefilePrivilege	3052	WINRAR32.EXE
Token: SeBackupPrivilege	3052	WINRAR32.EXE
Token: SeRestorePrivilege	3052	WINRAR32.EXE
Token: SeShutdownPrivilege	3052	WINRAR32.EXE
Token: SeDebugPrivilege	3052	WINRAR32.EXE
Token: SeSystemEnvironmentPrivilege	3052	WINRAR32.EXE
Token: SeChangeNotifyPrivilege	3052	WINRAR32.EXE
Token: SeRemoteShutdownPrivilege	3052	WINRAR32.EXE
Token: SeUndockPrivilege	3052	WINRAR32.EXE
Token: SeManageVolumePrivilege	3052	WINRAR32.EXE
Token: SeImpersonatePrivilege	3052	WINRAR32.EXE
Token: SeCreateGlobalPrivilege	3052	WINRAR32.EXE
Token: 33	3052	WINRAR32.EXE
Token: 34	3052	WINRAR32.EXE
Token: 35	3052	WINRAR32.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 3004	2136	2e0d91d2f53c8972b85474a0af5a4ccd.exe	20
PID 2136 wrote to memory of 3004	2136	2e0d91d2f53c8972b85474a0af5a4ccd.exe	20
PID 2136 wrote to memory of 3004	2136	2e0d91d2f53c8972b85474a0af5a4ccd.exe	20
PID 2136 wrote to memory of 3004	2136	2e0d91d2f53c8972b85474a0af5a4ccd.exe	20
PID 3004 wrote to memory of 3052	3004	WINRAR32.EXE	19
PID 3004 wrote to memory of 3052	3004	WINRAR32.EXE	19
PID 3004 wrote to memory of 3052	3004	WINRAR32.EXE	19
PID 3004 wrote to memory of 3052	3004	WINRAR32.EXE	19
PID 3004 wrote to memory of 3052	3004	WINRAR32.EXE	19
PID 3004 wrote to memory of 3052	3004	WINRAR32.EXE	19
PID 3004 wrote to memory of 3052	3004	WINRAR32.EXE	19
PID 3004 wrote to memory of 3052	3004	WINRAR32.EXE	19
PID 3004 wrote to memory of 3052	3004	WINRAR32.EXE	19
PID 3004 wrote to memory of 3052	3004	WINRAR32.EXE	19
PID 3004 wrote to memory of 3052	3004	WINRAR32.EXE	19
PID 3004 wrote to memory of 3052	3004	WINRAR32.EXE	19
PID 3004 wrote to memory of 3052	3004	WINRAR32.EXE	19

C:\Users\Admin\AppData\Local\Temp\2e0d91d2f53c8972b85474a0af5a4ccd.exe
"C:\Users\Admin\AppData\Local\Temp\2e0d91d2f53c8972b85474a0af5a4ccd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\WINRAR32.EXE
  "C:\Users\Admin\AppData\Local\Temp\WINRAR32.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3004

C:\Users\Admin\AppData\Roaming\WinRAR\WinRAR.exe
"C:\Users\Admin\AppData\Roaming\WinRAR\WinRAR.exe"
1⤵
PID:2584

C:\Users\Admin\AppData\Roaming\WinRAR\WinRAR.exe
"C:\Users\Admin\AppData\Roaming\WinRAR\WinRAR.exe"
1⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\WINRAR32.EXE
"C:\Users\Admin\AppData\Local\Temp\WINRAR32.EXE"
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\WINRAR32.EXE

Filesize
92KB

MD5
5fc3b50a25602339a027e520c7e20c10

SHA1
b5393bfece8d51796f3a7d7884412a38e2757295

SHA256
57ecdcb606c565d3fb732e8cc13d6cb02077ffbb81e95236f5bbff918fc225ff

SHA512
bc71a71fac6d3bfafc927bcf1aa6f11d2fc87c9a871b87365b2c2cb47a760caf494bb5ef1b94cf3ce02dd12dd39f335a7d9e6120a11280a01420161f85df4eab

Download Submit
memory/2584-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-77-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-61-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-59-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2584-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-74-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-76-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-72-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2668-55-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3004-25-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3052-28-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3052-11-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3052-13-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3052-15-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3052-16-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3052-17-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3052-18-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3052-19-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3052-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3052-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3052-26-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3052-20-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3052-29-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/3052-27-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3052-23-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads