darkcomet | 37e14b6407dd954e97c9aa70b7ef6a1507bda4a1037bcda79a72fd20d7602576

General

Target

515c8739e2d50564c66b44bee231a44e.exe
Size

864KB
MD5

515c8739e2d50564c66b44bee231a44e
SHA1

80e84ad7c09a2ea07da7a58bd5eb6190e9770d75
SHA256

37e14b6407dd954e97c9aa70b7ef6a1507bda4a1037bcda79a72fd20d7602576
SHA512

8ee33724d97c9b29e9777ddf10b2e44384597e6488682f6c64604ff82b2c799f485d6cb24109f842f10f2a82f1b2f45e6a05c91e2581cd724cfb09cbcb3f0801
SSDEEP

12288:tQqzctd6LDEjG9EP4ORTarqSBJVIjlVOeMfPA9gwJP24HMvC1IDoiEo:SL69lOlaX6jXtMQ9hJP24HMwsr/

Score

10^/10

darkcomet slave rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Slave

C2

vasilisth.no-ip.org:6106

vasilisth.no-ip.org:6061

steamc.servegame.com:6061

steamc.servegame.com:6106

steamc.servegame.com:4445

vasilisth.no-ip.org:4445

Mutex

MicrosofWindowsXPVis778Mutx

Attributes

gencode
q5JNtHnx4Yyq
install
false
offline_keylogger
true
password
hacker100~
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Drops startup file 2 IoCs

Processes:

515c8739e2d50564c66b44bee231a44e.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{Binda}.exe	515c8739e2d50564c66b44bee231a44e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{Binda}.exe	515c8739e2d50564c66b44bee231a44e.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4656-6-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-11-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-15-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-14-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-10-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-5-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-16-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-17-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-19-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-18-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-20-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-21-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-22-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-23-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-24-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-25-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-26-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-27-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-28-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-29-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-30-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4656-31-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Drops desktop.ini file(s) 2 IoCs

Processes:

515c8739e2d50564c66b44bee231a44e.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	515c8739e2d50564c66b44bee231a44e.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	515c8739e2d50564c66b44bee231a44e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

515c8739e2d50564c66b44bee231a44e.exe

description pid process target process

PID 4132 set thread context of 4656 4132 515c8739e2d50564c66b44bee231a44e.exe vbc.exe

description	pid	process	target process
PID 4132 set thread context of 4656	4132	515c8739e2d50564c66b44bee231a44e.exe	vbc.exe

Drops file in Windows directory 3 IoCs

Processes:

515c8739e2d50564c66b44bee231a44e.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	515c8739e2d50564c66b44bee231a44e.exe
File created	C:\Windows\assembly\Desktop.ini	515c8739e2d50564c66b44bee231a44e.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	515c8739e2d50564c66b44bee231a44e.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4656	vbc.exe
Token: SeSecurityPrivilege	4656	vbc.exe
Token: SeTakeOwnershipPrivilege	4656	vbc.exe
Token: SeLoadDriverPrivilege	4656	vbc.exe
Token: SeSystemProfilePrivilege	4656	vbc.exe
Token: SeSystemtimePrivilege	4656	vbc.exe
Token: SeProfSingleProcessPrivilege	4656	vbc.exe
Token: SeIncBasePriorityPrivilege	4656	vbc.exe
Token: SeCreatePagefilePrivilege	4656	vbc.exe
Token: SeBackupPrivilege	4656	vbc.exe
Token: SeRestorePrivilege	4656	vbc.exe
Token: SeShutdownPrivilege	4656	vbc.exe
Token: SeDebugPrivilege	4656	vbc.exe
Token: SeSystemEnvironmentPrivilege	4656	vbc.exe
Token: SeChangeNotifyPrivilege	4656	vbc.exe
Token: SeRemoteShutdownPrivilege	4656	vbc.exe
Token: SeUndockPrivilege	4656	vbc.exe
Token: SeManageVolumePrivilege	4656	vbc.exe
Token: SeImpersonatePrivilege	4656	vbc.exe
Token: SeCreateGlobalPrivilege	4656	vbc.exe
Token: 33	4656	vbc.exe
Token: 34	4656	vbc.exe
Token: 35	4656	vbc.exe
Token: 36	4656	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

4656 vbc.exe

pid	process
4656	vbc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

515c8739e2d50564c66b44bee231a44e.exe

description	pid	process	target process
PID 4132 wrote to memory of 4656	4132	515c8739e2d50564c66b44bee231a44e.exe	vbc.exe
PID 4132 wrote to memory of 4656	4132	515c8739e2d50564c66b44bee231a44e.exe	vbc.exe
PID 4132 wrote to memory of 4656	4132	515c8739e2d50564c66b44bee231a44e.exe	vbc.exe
PID 4132 wrote to memory of 4656	4132	515c8739e2d50564c66b44bee231a44e.exe	vbc.exe
PID 4132 wrote to memory of 4656	4132	515c8739e2d50564c66b44bee231a44e.exe	vbc.exe
PID 4132 wrote to memory of 4656	4132	515c8739e2d50564c66b44bee231a44e.exe	vbc.exe
PID 4132 wrote to memory of 4656	4132	515c8739e2d50564c66b44bee231a44e.exe	vbc.exe
PID 4132 wrote to memory of 4656	4132	515c8739e2d50564c66b44bee231a44e.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\515c8739e2d50564c66b44bee231a44e.exe
"C:\Users\Admin\AppData\Local\Temp\515c8739e2d50564c66b44bee231a44e.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4132-12-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/4132-2-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/4132-0-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/4132-1-0x0000000001830000-0x0000000001840000-memory.dmp

Filesize
64KB

Download
memory/4656-17-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-20-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-15-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-14-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-11-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-10-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-5-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-16-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-6-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-19-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-18-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-13-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/4656-21-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-22-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-23-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-24-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-25-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-26-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-27-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-28-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-29-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-30-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4656-31-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads