darkcomet | 6d0ce472e07e0bcedad9f932e82512e2f4dd3db90afa0b7004d736b4b7fe7672

General

Target

075448d611663baa510daefcb583469a.exe
Size

548KB
MD5

075448d611663baa510daefcb583469a
SHA1

c523655c92dbcc28b1a1fb2dd1f95e4333597f49
SHA256

6d0ce472e07e0bcedad9f932e82512e2f4dd3db90afa0b7004d736b4b7fe7672
SHA512

4caf88720b3d2306e2e006ca9bbc12373d9b088c09218c642feaf142023265fa9bbf0b057e86225adb8799b35d3070d9560709b198c4fea182b6047d161435ec
SSDEEP

12288:HC8+l4wxUipjq5+Mou292BPMusotX6rwzW6XVFJ04qp4OsYOhg59AoWmO:Kq292BPTf0npPv4mO

Score

10^/10

darkcomet slave persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Slave

C2

darkcometramon.zapto.org:1604

Mutex

DC_MUTEX-WACNQ32

Attributes

InstallPath
MSDCSC\Update.exe
gencode
1Zo5tGcdvz3w
install
true
offline_keylogger
true
persistence
false
reg_key
WindowsUpdater

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Update.exe"	vbc.exe

Executes dropped EXE 2 IoCs

Processes:

vbc.exeUpdate.exe

pid process

2760 vbc.exe
2560 Update.exe
Loads dropped DLL 2 IoCs

Processes:

075448d611663baa510daefcb583469a.exevbc.exe

pid process

2876 075448d611663baa510daefcb583469a.exe
2760 vbc.exe

pid	process
2760	vbc.exe
2560	Update.exe

pid	process
2876	075448d611663baa510daefcb583469a.exe
2760	vbc.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2760-11-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2760-12-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2760-15-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2760-18-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2760-19-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2760-21-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2760-22-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2760-33-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

075448d611663baa510daefcb583469a.exevbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\075448d611663baa510daefcb583469a.exe"	075448d611663baa510daefcb583469a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Update.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

075448d611663baa510daefcb583469a.exe

description pid process target process

PID 2876 set thread context of 2760 2876 075448d611663baa510daefcb583469a.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2876 set thread context of 2760	2876	075448d611663baa510daefcb583469a.exe	vbc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2760	vbc.exe
Token: SeSecurityPrivilege	2760	vbc.exe
Token: SeTakeOwnershipPrivilege	2760	vbc.exe
Token: SeLoadDriverPrivilege	2760	vbc.exe
Token: SeSystemProfilePrivilege	2760	vbc.exe
Token: SeSystemtimePrivilege	2760	vbc.exe
Token: SeProfSingleProcessPrivilege	2760	vbc.exe
Token: SeIncBasePriorityPrivilege	2760	vbc.exe
Token: SeCreatePagefilePrivilege	2760	vbc.exe
Token: SeBackupPrivilege	2760	vbc.exe
Token: SeRestorePrivilege	2760	vbc.exe
Token: SeShutdownPrivilege	2760	vbc.exe
Token: SeDebugPrivilege	2760	vbc.exe
Token: SeSystemEnvironmentPrivilege	2760	vbc.exe
Token: SeChangeNotifyPrivilege	2760	vbc.exe
Token: SeRemoteShutdownPrivilege	2760	vbc.exe
Token: SeUndockPrivilege	2760	vbc.exe
Token: SeManageVolumePrivilege	2760	vbc.exe
Token: SeImpersonatePrivilege	2760	vbc.exe
Token: SeCreateGlobalPrivilege	2760	vbc.exe
Token: 33	2760	vbc.exe
Token: 34	2760	vbc.exe
Token: 35	2760	vbc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

075448d611663baa510daefcb583469a.exevbc.exe

description	pid	process	target process
PID 2876 wrote to memory of 2760	2876	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 2876 wrote to memory of 2760	2876	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 2876 wrote to memory of 2760	2876	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 2876 wrote to memory of 2760	2876	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 2876 wrote to memory of 2760	2876	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 2876 wrote to memory of 2760	2876	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 2876 wrote to memory of 2760	2876	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 2876 wrote to memory of 2760	2876	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 2760 wrote to memory of 2560	2760	vbc.exe	Update.exe
PID 2760 wrote to memory of 2560	2760	vbc.exe	Update.exe
PID 2760 wrote to memory of 2560	2760	vbc.exe	Update.exe
PID 2760 wrote to memory of 2560	2760	vbc.exe	Update.exe
PID 2760 wrote to memory of 2560	2760	vbc.exe	Update.exe
PID 2760 wrote to memory of 2560	2760	vbc.exe	Update.exe
PID 2760 wrote to memory of 2560	2760	vbc.exe	Update.exe

C:\Users\Admin\AppData\Local\Temp\075448d611663baa510daefcb583469a.exe
"C:\Users\Admin\AppData\Local\Temp\075448d611663baa510daefcb583469a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2876

C:\Users\Admin\AppData\Local\Temp\vbc.exe
C:\Users\Admin\AppData\Local\Temp\vbc.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe
"C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe"
3⤵
- Executes dropped EXE
PID:2560

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
538KB

MD5
ba07f88539f8228bf1dec2e49db44c93

SHA1
9f5754b92b7d7995e18c69333ad88dfd946dc87b

SHA256
89ea45527349edd4f8d29005101f8e054b740f47fe3cddbe8b270aca78540576

SHA512
b201b1a16780ca02a8522cecacfe197ef10b96c71298ba838f674c59db0234d81aaf81c9126d7c047edb26131a229efcc2307f3a8d368be841a7e0cdd6c8a99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
280KB

MD5
d2a998e3e082ef6c6959a3147316e334

SHA1
ac6f78dc3b743606bb782a6ed7e11cb8a2027dcd

SHA256
d3cb9258c16a00f721131280f2a377483492136151a3eeee6d4e62c3a92e506d

SHA512
c81ffc520b92fdaf1164f82a505f7d3511bd2b314a244d314790f53a337688d2dfda317a56c851f84392952a6a871cc8778c01b51bc319a279c2a88b091b2795

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe
Filesize
260KB

MD5
d4ac18673e0c2c4b65de91c1cde98381

SHA1
a87aa33819bf32efd3c6ef09ee6302e2baa58d41

SHA256
5a164d9ecd8a964ddb589a9a2395d8994f0f191977299d50ee986699140711a4

SHA512
dccb1cc3123645b32ae8204daa03f40c430bc132149f56a55e53d337ca3b80350ad631ee7dd81599ba68a355e4bcb4d6788e58d5e2047fa22907a22284a296a9

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe
Filesize
219KB

MD5
b4dd8c188219c8895e36cad8bafa4ae6

SHA1
a3ce35f8df703426cba49e332e0bfb4952adcef0

SHA256
61f6eb8b6cd6fc413a121dbca53d7925eda05cc16311e30df1ce8ef44f0d2e3e

SHA512
8cccb78f09ee4d5535b5baa29a4f72c867bc302ea3f3b77735551c7f3734220cc51299a17b304555a9d2916401955bfdfe203a3552a63e7df5e75232ab8cc31a

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe
Filesize
201KB

MD5
1cdb2ccc6197f95c7551e5201935a5cd

SHA1
bbfaad6b7d9f2eb24cb356c1c2b08b1aaafde4b2

SHA256
4bde3cb25f2c8ecd3850012c705af2f769df56149bbe8689349621a746871e2d

SHA512
dad2e3a6995badceef1f5aa2b8df384fda851b046acf718d044873a47a1b4d2945aca0182fe25a48ce4a191e9356764a24c544b5d96e6c788d80c293ec0c2f49

Download Submit
\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
1.1MB

MD5
1dee45d107029f270afddfbb9d791d50

SHA1
aa647fb7e5aebf1412b6890bd565ffa96749d5c1

SHA256
50fcb8cef6d552536e1f4bc963b330e9b2aee6dff863f9246d6ca0bdcf821630

SHA512
30848be2101b007282ea1f4efb6709e66bd5e0e8f2b3b7f3de50976932b4ec7ffd03646be8de85f3ccf44d46a3081d4adfc6c3c2a1d45e1c1ee894ca98c8b510

Download Submit
\Users\Admin\AppData\Roaming\MSDCSC\Update.exe
Filesize
261KB

MD5
8b43349b274c4a5c6e436cc453b0f17a

SHA1
aee3906c1dc9d0de5f4d58bcbf39520ca98a49b8

SHA256
7b71767d513e6d1dc564cc61717ea11947c8ca6657601d5200004da0056e2bb0

SHA512
10417dca8a498d1b7a60fa17be509353ff0eb5a501352a6debbfa4d9cdb246544169f4f1da17b9e0da5e7d469916f26dd29e456d2b75c569e23910170a1eed77

Download Submit
memory/2760-18-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2760-22-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2760-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-33-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2760-19-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2760-21-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2760-9-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2760-15-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2760-23-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2760-12-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2760-11-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2876-20-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/2876-2-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/2876-1-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/2876-0-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads