darkcomet | 6d0ce472e07e0bcedad9f932e82512e2f4dd3db90afa0b7004d736b4b7fe7672

General

Target

075448d611663baa510daefcb583469a.exe
Size

548KB
MD5

075448d611663baa510daefcb583469a
SHA1

c523655c92dbcc28b1a1fb2dd1f95e4333597f49
SHA256

6d0ce472e07e0bcedad9f932e82512e2f4dd3db90afa0b7004d736b4b7fe7672
SHA512

4caf88720b3d2306e2e006ca9bbc12373d9b088c09218c642feaf142023265fa9bbf0b057e86225adb8799b35d3070d9560709b198c4fea182b6047d161435ec
SSDEEP

12288:HC8+l4wxUipjq5+Mou292BPMusotX6rwzW6XVFJ04qp4OsYOhg59AoWmO:Kq292BPTf0npPv4mO

Score

10^/10

darkcomet slave persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Slave

C2

darkcometramon.zapto.org:1604

Mutex

DC_MUTEX-WACNQ32

Attributes

InstallPath
MSDCSC\Update.exe
gencode
1Zo5tGcdvz3w
install
true
offline_keylogger
true
persistence
false
reg_key
WindowsUpdater

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Update.exe"	vbc.exe

Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

3100 vbc.exe

pid	process
3100	vbc.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3100-10-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3100-15-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3100-17-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3100-16-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3100-12-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3100-7-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3100-31-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

075448d611663baa510daefcb583469a.exevbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdater\\075448d611663baa510daefcb583469a.exe"	075448d611663baa510daefcb583469a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Update.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

075448d611663baa510daefcb583469a.exe

description pid process target process

PID 1028 set thread context of 3100 1028 075448d611663baa510daefcb583469a.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 1028 set thread context of 3100	1028	075448d611663baa510daefcb583469a.exe	vbc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3100	vbc.exe
Token: SeSecurityPrivilege	3100	vbc.exe
Token: SeTakeOwnershipPrivilege	3100	vbc.exe
Token: SeLoadDriverPrivilege	3100	vbc.exe
Token: SeSystemProfilePrivilege	3100	vbc.exe
Token: SeSystemtimePrivilege	3100	vbc.exe
Token: SeProfSingleProcessPrivilege	3100	vbc.exe
Token: SeIncBasePriorityPrivilege	3100	vbc.exe
Token: SeCreatePagefilePrivilege	3100	vbc.exe
Token: SeBackupPrivilege	3100	vbc.exe
Token: SeRestorePrivilege	3100	vbc.exe
Token: SeShutdownPrivilege	3100	vbc.exe
Token: SeDebugPrivilege	3100	vbc.exe
Token: SeSystemEnvironmentPrivilege	3100	vbc.exe
Token: SeChangeNotifyPrivilege	3100	vbc.exe
Token: SeRemoteShutdownPrivilege	3100	vbc.exe
Token: SeUndockPrivilege	3100	vbc.exe
Token: SeManageVolumePrivilege	3100	vbc.exe
Token: SeImpersonatePrivilege	3100	vbc.exe
Token: SeCreateGlobalPrivilege	3100	vbc.exe
Token: 33	3100	vbc.exe
Token: 34	3100	vbc.exe
Token: 35	3100	vbc.exe
Token: 36	3100	vbc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

075448d611663baa510daefcb583469a.exe

description	pid	process	target process
PID 1028 wrote to memory of 3100	1028	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 1028 wrote to memory of 3100	1028	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 1028 wrote to memory of 3100	1028	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 1028 wrote to memory of 3100	1028	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 1028 wrote to memory of 3100	1028	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 1028 wrote to memory of 3100	1028	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 1028 wrote to memory of 3100	1028	075448d611663baa510daefcb583469a.exe	vbc.exe
PID 1028 wrote to memory of 3100	1028	075448d611663baa510daefcb583469a.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\075448d611663baa510daefcb583469a.exe
"C:\Users\Admin\AppData\Local\Temp\075448d611663baa510daefcb583469a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Local\Temp\vbc.exe
C:\Users\Admin\AppData\Local\Temp\vbc.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe
"C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe"
1⤵
PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1028-2-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

Filesize
64KB

Download
memory/1028-1-0x0000000074670000-0x0000000074C21000-memory.dmp

Filesize
5.7MB

Download
memory/1028-13-0x0000000074670000-0x0000000074C21000-memory.dmp

Filesize
5.7MB

Download
memory/1028-0-0x0000000074670000-0x0000000074C21000-memory.dmp

Filesize
5.7MB

Download
memory/3100-10-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3100-15-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3100-18-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/3100-17-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3100-16-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3100-12-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3100-7-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3100-31-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads