darkcomet | 4055f66b00029901a2c4d135c126185bbabf7393e06e24b4fbc183cfce4406ec

Analysis

max time kernel
51s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fa712fa1f5fd57eeceaadfe61e4caa9.exe
Size

691KB
MD5

3fa712fa1f5fd57eeceaadfe61e4caa9
SHA1

2c34c4c3ee37493af7e130023c69dbc6829b0cff
SHA256

4055f66b00029901a2c4d135c126185bbabf7393e06e24b4fbc183cfce4406ec
SHA512

b8ef4a5f96ca3f99e2acb15f7e0d70b3d0e1a9f02875a6c15df760ef934a4589a04db7e409f359d594d579df4bf57cca75d5b66f61fbfb99704e42f98063eb9d
SSDEEP

12288:wxeC6+2dW+m5XwneFYCMFY7vEwYadHT/VGyE4Q661qlVoULVsBu:kQ8we/AYiadHMa61qlVsU

Score

10^/10

darkcomet slaves persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Slaves

ratrololol.no-ip.biz:1604

Mutex

DC_MUTEX-4TN56C8

Attributes

gencode
eoH57CKDnAQ1
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmpnetk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmpnet32.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2652 set thread context of 2884	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	24
PID 2652 set thread context of 3020	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	21

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\svchost.exe:ZONE.identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3020	vbc.exe
Token: SeSecurityPrivilege	3020	vbc.exe
Token: SeTakeOwnershipPrivilege	3020	vbc.exe
Token: SeLoadDriverPrivilege	3020	vbc.exe
Token: SeSystemProfilePrivilege	3020	vbc.exe
Token: SeSystemtimePrivilege	3020	vbc.exe
Token: SeProfSingleProcessPrivilege	3020	vbc.exe
Token: SeIncBasePriorityPrivilege	3020	vbc.exe
Token: SeCreatePagefilePrivilege	3020	vbc.exe
Token: SeBackupPrivilege	3020	vbc.exe
Token: SeRestorePrivilege	3020	vbc.exe
Token: SeShutdownPrivilege	3020	vbc.exe
Token: SeDebugPrivilege	3020	vbc.exe
Token: SeSystemEnvironmentPrivilege	3020	vbc.exe
Token: SeChangeNotifyPrivilege	3020	vbc.exe
Token: SeRemoteShutdownPrivilege	3020	vbc.exe
Token: SeUndockPrivilege	3020	vbc.exe
Token: SeManageVolumePrivilege	3020	vbc.exe
Token: SeImpersonatePrivilege	3020	vbc.exe
Token: SeCreateGlobalPrivilege	3020	vbc.exe
Token: 33	3020	vbc.exe
Token: 34	3020	vbc.exe
Token: 35	3020	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2884	vbc.exe
3020	vbc.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2884	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	24
PID 2652 wrote to memory of 2884	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	24
PID 2652 wrote to memory of 2884	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	24
PID 2652 wrote to memory of 2884	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	24
PID 2652 wrote to memory of 2884	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	24
PID 2652 wrote to memory of 2884	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	24
PID 2652 wrote to memory of 2884	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	24
PID 2652 wrote to memory of 2884	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	24
PID 2652 wrote to memory of 2884	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	24
PID 2652 wrote to memory of 2160	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	23
PID 2652 wrote to memory of 2160	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	23
PID 2652 wrote to memory of 2160	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	23
PID 2652 wrote to memory of 2160	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	23
PID 2652 wrote to memory of 3020	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	21
PID 2652 wrote to memory of 3020	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	21
PID 2652 wrote to memory of 3020	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	21
PID 2652 wrote to memory of 3020	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	21
PID 2652 wrote to memory of 3020	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	21
PID 2652 wrote to memory of 3020	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	21
PID 2652 wrote to memory of 3020	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	21
PID 2652 wrote to memory of 3020	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	21
PID 2652 wrote to memory of 3020	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	21
PID 2652 wrote to memory of 3020	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	21
PID 2652 wrote to memory of 3020	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	21
PID 2652 wrote to memory of 3020	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	21
PID 2652 wrote to memory of 3020	2652	3fa712fa1f5fd57eeceaadfe61e4caa9.exe	21
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22
PID 3020 wrote to memory of 2676	3020	vbc.exe	22

C:\Users\Admin\AppData\Local\Temp\3fa712fa1f5fd57eeceaadfe61e4caa9.exe
"C:\Users\Admin\AppData\Local\Temp\3fa712fa1f5fd57eeceaadfe61e4caa9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - NTFS ADS
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fp.txt

Filesize
70B

MD5
c26ae3314265abcaeb8e4329912a9925

SHA1
94abaa02240eec2798ef7bbffc417f90e523595b

SHA256
370c4bd674dee18edde2cd8e28441353c58d73a71e848c02ee739eb3a709a5ef

SHA512
17116763b0a31419f958af521463eee07fbc0b6dd7eb55c14021f42cff5bf329029d0872fb7de92b1d3ea19ede5df03d66fbc729d96a406552c1ab744da90ce8

Download Submit
memory/2652-2-0x0000000000D60000-0x0000000000DA0000-memory.dmp

Filesize
256KB

Download
memory/2652-1-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2652-0-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2652-44-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2676-77-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2676-48-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2884-14-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2884-8-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2884-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2884-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2884-16-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2884-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2884-24-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2884-20-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3020-42-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3020-34-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3020-32-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3020-31-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3020-30-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3020-28-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3020-26-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3020-36-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3020-43-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3020-46-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3020-47-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/3020-78-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3020-45-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3020-38-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3020-82-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads