darkcomet | 760f8b66a88f6a43dec5d019f9322870996efd909d87d46bd8ef45853f6ddf70

General

Target

90124d46f8071ebe62917a2eb97d8482.exe
Size

840KB
MD5

90124d46f8071ebe62917a2eb97d8482
SHA1

6be34e6c7a1179975b8de704e32198a8bb2575df
SHA256

760f8b66a88f6a43dec5d019f9322870996efd909d87d46bd8ef45853f6ddf70
SHA512

bc7fc7bf0a65fd97b376977b5f28b5bbaded72bd7e377100cd0b165fc47557afc2ae4924cb645a092ec4d41fa8f6b4bc5554ff8432b6c843e863e1c395c71464
SSDEEP

24576:zw013hWTloKT4oJlMieW2nStgCLzdGyx:PWTDT4wnjtXN

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1936 set thread context of 2820	1936	90124d46f8071ebe62917a2eb97d8482.exe	29

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	vbc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	vbc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1936	90124d46f8071ebe62917a2eb97d8482.exe
1936	90124d46f8071ebe62917a2eb97d8482.exe
1936	90124d46f8071ebe62917a2eb97d8482.exe
1936	90124d46f8071ebe62917a2eb97d8482.exe
1936	90124d46f8071ebe62917a2eb97d8482.exe
1936	90124d46f8071ebe62917a2eb97d8482.exe
1936	90124d46f8071ebe62917a2eb97d8482.exe
1936	90124d46f8071ebe62917a2eb97d8482.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	90124d46f8071ebe62917a2eb97d8482.exe
Token: SeIncreaseQuotaPrivilege	2820	vbc.exe
Token: SeSecurityPrivilege	2820	vbc.exe
Token: SeTakeOwnershipPrivilege	2820	vbc.exe
Token: SeLoadDriverPrivilege	2820	vbc.exe
Token: SeSystemProfilePrivilege	2820	vbc.exe
Token: SeSystemtimePrivilege	2820	vbc.exe
Token: SeProfSingleProcessPrivilege	2820	vbc.exe
Token: SeIncBasePriorityPrivilege	2820	vbc.exe
Token: SeCreatePagefilePrivilege	2820	vbc.exe
Token: SeBackupPrivilege	2820	vbc.exe
Token: SeRestorePrivilege	2820	vbc.exe
Token: SeShutdownPrivilege	2820	vbc.exe
Token: SeDebugPrivilege	2820	vbc.exe
Token: SeSystemEnvironmentPrivilege	2820	vbc.exe
Token: SeChangeNotifyPrivilege	2820	vbc.exe
Token: SeRemoteShutdownPrivilege	2820	vbc.exe
Token: SeUndockPrivilege	2820	vbc.exe
Token: SeManageVolumePrivilege	2820	vbc.exe
Token: SeImpersonatePrivilege	2820	vbc.exe
Token: SeCreateGlobalPrivilege	2820	vbc.exe
Token: 33	2820	vbc.exe
Token: 34	2820	vbc.exe
Token: 35	2820	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2820	vbc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2804	1936	90124d46f8071ebe62917a2eb97d8482.exe	30
PID 1936 wrote to memory of 2804	1936	90124d46f8071ebe62917a2eb97d8482.exe	30
PID 1936 wrote to memory of 2804	1936	90124d46f8071ebe62917a2eb97d8482.exe	30
PID 1936 wrote to memory of 2804	1936	90124d46f8071ebe62917a2eb97d8482.exe	30
PID 1936 wrote to memory of 2820	1936	90124d46f8071ebe62917a2eb97d8482.exe	29
PID 1936 wrote to memory of 2820	1936	90124d46f8071ebe62917a2eb97d8482.exe	29
PID 1936 wrote to memory of 2820	1936	90124d46f8071ebe62917a2eb97d8482.exe	29
PID 1936 wrote to memory of 2820	1936	90124d46f8071ebe62917a2eb97d8482.exe	29
PID 1936 wrote to memory of 2820	1936	90124d46f8071ebe62917a2eb97d8482.exe	29
PID 1936 wrote to memory of 2820	1936	90124d46f8071ebe62917a2eb97d8482.exe	29
PID 1936 wrote to memory of 2820	1936	90124d46f8071ebe62917a2eb97d8482.exe	29
PID 1936 wrote to memory of 2820	1936	90124d46f8071ebe62917a2eb97d8482.exe	29
PID 1936 wrote to memory of 2820	1936	90124d46f8071ebe62917a2eb97d8482.exe	29
PID 1936 wrote to memory of 2820	1936	90124d46f8071ebe62917a2eb97d8482.exe	29
PID 1936 wrote to memory of 2820	1936	90124d46f8071ebe62917a2eb97d8482.exe	29
PID 1936 wrote to memory of 2820	1936	90124d46f8071ebe62917a2eb97d8482.exe	29
PID 1936 wrote to memory of 2820	1936	90124d46f8071ebe62917a2eb97d8482.exe	29

C:\Users\Admin\AppData\Local\Temp\90124d46f8071ebe62917a2eb97d8482.exe
"C:\Users\Admin\AppData\Local\Temp\90124d46f8071ebe62917a2eb97d8482.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Checks BIOS information in registry
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1936-0-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/1936-1-0x0000000002120000-0x0000000002160000-memory.dmp

Filesize
256KB

Download
memory/1936-2-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/1936-31-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download
memory/2820-22-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-15-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-17-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-11-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-25-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-27-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-29-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-30-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2820-26-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-24-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-23-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-21-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2820-7-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-13-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-5-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-3-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-9-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-32-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-34-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-36-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-38-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-40-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-42-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2820-44-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads