darkcomet | 41a682da16b22581581ef2353fe9e900be9162609dc89c956addd256b4f9d546

Analysis

max time kernel
0s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11fb758dd3cdc09650445e5527b88e66.exe
Size

1.1MB
MD5

11fb758dd3cdc09650445e5527b88e66
SHA1

35a122d148139c21185496adf1abb0c63ceba357
SHA256

41a682da16b22581581ef2353fe9e900be9162609dc89c956addd256b4f9d546
SHA512

cd7f9e76dd23e5f76a6bb45e9d0d6da182a62018697817f892e06a0f0b7d61e5c150947273bdf07f8e71e3e4e3c12343bc3ae5ce48e3be3dd0c531f5aa9fcf4d
SSDEEP

24576:RVmqz0QRWoJEfg0oChGdJQbjPbNW5tYeP+GF/9YvWmztzWFq:RBAQRV2o3MPY5Aw9YvjzAq

Score

10^/10

darkcomet trojan_persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Trojan_

rubino.zapto.org:1604

Mutex

DC_MUTEX-9E0FYS9

Attributes

InstallPath
Java.exe
gencode
KHoKmB1jKaxU
install
true
offline_keylogger
true
persistence
true
reg_key
Java

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Java.exe"	TROJAN.EXE

Executes dropped EXE 2 IoCs

pid	Process
2896	IDOSER V4.EXE
3036	TROJAN.EXE

Loads dropped DLL 3 IoCs

pid	Process
3012	11fb758dd3cdc09650445e5527b88e66.exe
3012	11fb758dd3cdc09650445e5527b88e66.exe
3012	11fb758dd3cdc09650445e5527b88e66.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe"	TROJAN.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3036	TROJAN.EXE
Token: SeSecurityPrivilege	3036	TROJAN.EXE
Token: SeTakeOwnershipPrivilege	3036	TROJAN.EXE
Token: SeLoadDriverPrivilege	3036	TROJAN.EXE
Token: SeSystemProfilePrivilege	3036	TROJAN.EXE
Token: SeSystemtimePrivilege	3036	TROJAN.EXE
Token: SeProfSingleProcessPrivilege	3036	TROJAN.EXE
Token: SeIncBasePriorityPrivilege	3036	TROJAN.EXE
Token: SeCreatePagefilePrivilege	3036	TROJAN.EXE
Token: SeBackupPrivilege	3036	TROJAN.EXE
Token: SeRestorePrivilege	3036	TROJAN.EXE
Token: SeShutdownPrivilege	3036	TROJAN.EXE
Token: SeDebugPrivilege	3036	TROJAN.EXE
Token: SeSystemEnvironmentPrivilege	3036	TROJAN.EXE
Token: SeChangeNotifyPrivilege	3036	TROJAN.EXE
Token: SeRemoteShutdownPrivilege	3036	TROJAN.EXE
Token: SeUndockPrivilege	3036	TROJAN.EXE
Token: SeManageVolumePrivilege	3036	TROJAN.EXE
Token: SeImpersonatePrivilege	3036	TROJAN.EXE
Token: SeCreateGlobalPrivilege	3036	TROJAN.EXE
Token: 33	3036	TROJAN.EXE
Token: 34	3036	TROJAN.EXE
Token: 35	3036	TROJAN.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2896	3012	11fb758dd3cdc09650445e5527b88e66.exe	18
PID 3012 wrote to memory of 2896	3012	11fb758dd3cdc09650445e5527b88e66.exe	18
PID 3012 wrote to memory of 2896	3012	11fb758dd3cdc09650445e5527b88e66.exe	18
PID 3012 wrote to memory of 2896	3012	11fb758dd3cdc09650445e5527b88e66.exe	18
PID 3012 wrote to memory of 3036	3012	11fb758dd3cdc09650445e5527b88e66.exe	17
PID 3012 wrote to memory of 3036	3012	11fb758dd3cdc09650445e5527b88e66.exe	17
PID 3012 wrote to memory of 3036	3012	11fb758dd3cdc09650445e5527b88e66.exe	17
PID 3012 wrote to memory of 3036	3012	11fb758dd3cdc09650445e5527b88e66.exe	17

C:\Users\Admin\AppData\Local\Temp\11fb758dd3cdc09650445e5527b88e66.exe
"C:\Users\Admin\AppData\Local\Temp\11fb758dd3cdc09650445e5527b88e66.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\TROJAN.EXE
  "C:\Users\Admin\AppData\Local\Temp\TROJAN.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- - C:\Users\Admin\AppData\Roaming\Java.exe
    "C:\Users\Admin\AppData\Roaming\Java.exe"
    3⤵
    PID:2844
- C:\Users\Admin\AppData\Local\Temp\IDOSER V4.EXE
  "C:\Users\Admin\AppData\Local\Temp\IDOSER V4.EXE"
  2⤵
  - Executes dropped EXE
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IDOSER V4.EXE

Filesize
157KB

MD5
cf7dc664d5f00183b920f9001b3cf6a4

SHA1
248facb4586b68768954c2b6e6947c651b17ea54

SHA256
3cc66a22f26f6517f52f6efe17f510510e89312a4ff893c71e689abfda26eb4a

SHA512
b47387fa31ddde23154ecb0ad25589cd468b5701320aa3b8f473315eea310c1d4fa351a9dbb7cb658f3707cf092cbb1a95137f6ee902943ddfb32856e9741027

Download Submit
C:\Users\Admin\AppData\Local\Temp\TROJAN.EXE

Filesize
27KB

MD5
56774e8f2e3eec66a20cb791a8310c18

SHA1
6859960e2826994fa0b952f4dc4c16ba0ff3be0a

SHA256
cfaf144c5befb03eec7279c1562ff2d726d7929c74348fa73064c8fcdba0b612

SHA512
4e64aa9efcaf89e864f71593808c7fc4a4d4a4ff6c1f6dc6181ae02be4fccef4d51d440bf0b2e3ade9b4ea4f5ef61136e0a4bd9f7a48932a297f62165d3d0c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\TROJAN.EXE

Filesize
205KB

MD5
f8f9dfa355fa558df6956ed45de8f659

SHA1
6f38b5c68baeea6d72976f9b0d5f772286c5dff3

SHA256
bd345113d68b82de118cdc99fb9c0b2c363471e667be8079d32877e83ada5bcf

SHA512
25470690acf7ac9646ffca66fbd1bfd42b55a8bf40ede06784a11fd8fe76b283455eeb612df3872fe7ba17c4dec4fb8485520174389a71d899a59985dbc546f6

Download Submit
C:\Users\Admin\AppData\Roaming\Java.exe

Filesize
63KB

MD5
ca072f46507458ec6da9b0e6d095d872

SHA1
5896e5683357bf8416e9f1bc0e2faf3ee4f28991

SHA256
1fd60a717c5728e954228eba0471d893e5d8c0e14c58dbd02de7027e5b6c7c14

SHA512
8627be31184471ea8f60347c677f5a8e19a9dac8090cb540d7649c044c05c10ae160b533d23040ed68c0817a0d643d89ca16cd15a2f46929327e84b15286427a

Download Submit
C:\Users\Admin\AppData\Roaming\Java.exe

Filesize
119KB

MD5
7199bb9b09a319bd26466b9cc519ca7f

SHA1
b5ad85972282e9053eb277bd30f985fc9e3359a9

SHA256
d2893ba7a8b3b71a883f269a7bfb62453e7df2f847b75f209718b4b9102cabae

SHA512
c2950d571571019792eaf7fb9b6556a3a29ac26c085c4a5fd63640c245e95147b74c262947b98e07cc5880d3c477319a9a34b873d84175c196a5ab9f65c287a8

Download Submit
\Users\Admin\AppData\Local\Temp\IDOSER V4.EXE

Filesize
154KB

MD5
2341fbbf6fb7510d4ca0c934ad9c459c

SHA1
5f9bb18873042ce6ee6c4a7dea4c5a90f3375dfc

SHA256
81d98f3fe750150a6a2d3cd077337b4c2852aaeebf3fb21874d483a4efcd1dfe

SHA512
8828be09163afd4e51e72b171c2de0a4742dac8d1a55ac1ebfa50aaf860df044d6b3e940a25d6f1a020d3ed7fd5213db3c2e9f1125790b53d3e262e924472f7b

Download Submit
\Users\Admin\AppData\Local\Temp\TROJAN.EXE

Filesize
169KB

MD5
edbeffab7af03bbf49abe629454a1dad

SHA1
51eae7bf3ec871c341fa175bf2dbe05541dfc48d

SHA256
f950e43e6884902ca0f362513f222f57fbd8f78bad97d4d1431d9fafd535f15b

SHA512
6f828b3ed10ca3d1f363d516836e545b350ea238a20de960c4a2fcfbb2ab4c02b97f9a58760cecf895f8db2acada6c97842541899c5e92ef008ff52ec0104c20

Download Submit
\Users\Admin\AppData\Local\Temp\TROJAN.EXE

Filesize
180KB

MD5
f0ed0ab65c8bb4fb264b02ca02f5d63c

SHA1
f40d057e514d861c44290dbb895b4a54a4ed2289

SHA256
8f45febd73ca2e9cda5c7685f9280dde5be74bf25a097bcddcd2181cefbec437

SHA512
f66e800df2772cf8c8bb974001e8374a89d2fbd492656a490982d83f6857878d6762b099beb592e4850bbf1bce08646671d639d095a74c2abed99fd1d2dc56de

Download Submit
\Users\Admin\AppData\Roaming\Java.exe

Filesize
14KB

MD5
5689c2be3e4151bacb9901f5a51bf3e7

SHA1
060048a6323df09967e01b72c8221be5d6ecb15c

SHA256
d70d9d9b65613fe44cfbdeb9d7aca1d2a3b4d65fe99302a427c39a5cd322bed5

SHA512
6290e955289578ece4f742ad72c80280f692bc9e81b21570938ab1cd9c5684cded4324446afcc9bef3cf1c121851428f57233d912f37e90941d790578bd5253c

Download Submit
memory/2844-41-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2844-43-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2844-49-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2844-48-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2844-34-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2844-47-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2844-46-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2844-45-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2844-44-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2844-42-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2844-37-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2844-38-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2844-39-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2844-40-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2896-17-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/2896-36-0x00000000020D0000-0x0000000002150000-memory.dmp

Filesize
512KB

Download
memory/2896-21-0x00000000020D0000-0x0000000002150000-memory.dmp

Filesize
512KB

Download
memory/2896-35-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/2896-18-0x00000000020D0000-0x0000000002150000-memory.dmp

Filesize
512KB

Download
memory/2896-19-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/3036-32-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/3036-20-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3036-22-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads