darkcomet | eba350227560d9ced91f4d3d85758edeca142d387cb2156dc9e169aaa0a4e6c6

General

Target

92f143956b9a12540154e290c4e62564.exe
Size

761KB
MD5

92f143956b9a12540154e290c4e62564
SHA1

1fee278385d5b122aed257fafad8438382492dec
SHA256

eba350227560d9ced91f4d3d85758edeca142d387cb2156dc9e169aaa0a4e6c6
SHA512

9dc37a30a62757252577fa00dbfc195b99274f8b868a9833a2b46f3b7b1d50c1363d142807b405068d8bdab1cbbc8ec5dca1691f223dc04c3b64c08066d5f3f7
SSDEEP

12288:BMrNIqNDs+RG7Y/ovzi0dSR/qP5OrOEuDAE+GL2QehBLouk3DefG7h:CrNIqNDsK6tvRda/RONAE+M2QebnkQGl

Score

10^/10

darkcomet crypted persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Crypted

C2

anonymoushere.no-ip.org:1604

Mutex

DC_MUTEX-J8M2E7P

Attributes

gencode
GmA26Nic56qT
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

d3dref9.exeifsutilx.exe

pid process

2728 d3dref9.exe
2904 ifsutilx.exe
Loads dropped DLL 3 IoCs

Processes:

92f143956b9a12540154e290c4e62564.exed3dref9.exe

pid process

2420 92f143956b9a12540154e290c4e62564.exe
2420 92f143956b9a12540154e290c4e62564.exe
2728 d3dref9.exe

pid	process
2728	d3dref9.exe
2904	ifsutilx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d3dref9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\d3dref9.exe"	d3dref9.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

92f143956b9a12540154e290c4e62564.exeifsutilx.exe

description	pid	process	target process
PID 2420 set thread context of 2408	2420	92f143956b9a12540154e290c4e62564.exe	AppLaunch.exe
PID 2904 set thread context of 2656	2904	ifsutilx.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

92f143956b9a12540154e290c4e62564.exed3dref9.exeifsutilx.exe

pid	process
2420	92f143956b9a12540154e290c4e62564.exe
2728	d3dref9.exe
2420	92f143956b9a12540154e290c4e62564.exe
2420	92f143956b9a12540154e290c4e62564.exe
2420	92f143956b9a12540154e290c4e62564.exe
2420	92f143956b9a12540154e290c4e62564.exe
2728	d3dref9.exe
2420	92f143956b9a12540154e290c4e62564.exe
2728	d3dref9.exe
2420	92f143956b9a12540154e290c4e62564.exe
2728	d3dref9.exe
2420	92f143956b9a12540154e290c4e62564.exe
2728	d3dref9.exe
2904	ifsutilx.exe
2420	92f143956b9a12540154e290c4e62564.exe
2728	d3dref9.exe
2904	ifsutilx.exe
2420	92f143956b9a12540154e290c4e62564.exe
2728	d3dref9.exe
2904	ifsutilx.exe
2420	92f143956b9a12540154e290c4e62564.exe
2728	d3dref9.exe
2904	ifsutilx.exe
2420	92f143956b9a12540154e290c4e62564.exe
2728	d3dref9.exe
2420	92f143956b9a12540154e290c4e62564.exe
2904	ifsutilx.exe
2728	d3dref9.exe
2420	92f143956b9a12540154e290c4e62564.exe
2904	ifsutilx.exe
2728	d3dref9.exe
2904	ifsutilx.exe
2420	92f143956b9a12540154e290c4e62564.exe
2728	d3dref9.exe
2904	ifsutilx.exe
2420	92f143956b9a12540154e290c4e62564.exe
2728	d3dref9.exe
2904	ifsutilx.exe
2420	92f143956b9a12540154e290c4e62564.exe
2728	d3dref9.exe
2904	ifsutilx.exe
2420	92f143956b9a12540154e290c4e62564.exe
2728	d3dref9.exe
2420	92f143956b9a12540154e290c4e62564.exe
2904	ifsutilx.exe
2728	d3dref9.exe
2420	92f143956b9a12540154e290c4e62564.exe
2904	ifsutilx.exe
2728	d3dref9.exe
2420	92f143956b9a12540154e290c4e62564.exe
2904	ifsutilx.exe
2728	d3dref9.exe
2420	92f143956b9a12540154e290c4e62564.exe
2904	ifsutilx.exe
2728	d3dref9.exe
2420	92f143956b9a12540154e290c4e62564.exe
2904	ifsutilx.exe
2728	d3dref9.exe
2420	92f143956b9a12540154e290c4e62564.exe
2904	ifsutilx.exe
2728	d3dref9.exe
2420	92f143956b9a12540154e290c4e62564.exe
2904	ifsutilx.exe
2728	d3dref9.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

92f143956b9a12540154e290c4e62564.exed3dref9.exeAppLaunch.exeifsutilx.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2420	92f143956b9a12540154e290c4e62564.exe
Token: SeDebugPrivilege	2728	d3dref9.exe
Token: SeIncreaseQuotaPrivilege	2408	AppLaunch.exe
Token: SeSecurityPrivilege	2408	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	2408	AppLaunch.exe
Token: SeLoadDriverPrivilege	2408	AppLaunch.exe
Token: SeSystemProfilePrivilege	2408	AppLaunch.exe
Token: SeSystemtimePrivilege	2408	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	2408	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	2408	AppLaunch.exe
Token: SeCreatePagefilePrivilege	2408	AppLaunch.exe
Token: SeBackupPrivilege	2408	AppLaunch.exe
Token: SeRestorePrivilege	2408	AppLaunch.exe
Token: SeShutdownPrivilege	2408	AppLaunch.exe
Token: SeDebugPrivilege	2408	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	2408	AppLaunch.exe
Token: SeChangeNotifyPrivilege	2408	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	2408	AppLaunch.exe
Token: SeUndockPrivilege	2408	AppLaunch.exe
Token: SeManageVolumePrivilege	2408	AppLaunch.exe
Token: SeImpersonatePrivilege	2408	AppLaunch.exe
Token: SeCreateGlobalPrivilege	2408	AppLaunch.exe
Token: 33	2408	AppLaunch.exe
Token: 34	2408	AppLaunch.exe
Token: 35	2408	AppLaunch.exe
Token: SeDebugPrivilege	2904	ifsutilx.exe
Token: SeIncreaseQuotaPrivilege	2656	AppLaunch.exe
Token: SeSecurityPrivilege	2656	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	2656	AppLaunch.exe
Token: SeLoadDriverPrivilege	2656	AppLaunch.exe
Token: SeSystemProfilePrivilege	2656	AppLaunch.exe
Token: SeSystemtimePrivilege	2656	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	2656	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	2656	AppLaunch.exe
Token: SeCreatePagefilePrivilege	2656	AppLaunch.exe
Token: SeBackupPrivilege	2656	AppLaunch.exe
Token: SeRestorePrivilege	2656	AppLaunch.exe
Token: SeShutdownPrivilege	2656	AppLaunch.exe
Token: SeDebugPrivilege	2656	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	2656	AppLaunch.exe
Token: SeChangeNotifyPrivilege	2656	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	2656	AppLaunch.exe
Token: SeUndockPrivilege	2656	AppLaunch.exe
Token: SeManageVolumePrivilege	2656	AppLaunch.exe
Token: SeImpersonatePrivilege	2656	AppLaunch.exe
Token: SeCreateGlobalPrivilege	2656	AppLaunch.exe
Token: 33	2656	AppLaunch.exe
Token: 34	2656	AppLaunch.exe
Token: 35	2656	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AppLaunch.exe

pid process

2656 AppLaunch.exe

pid	process
2656	AppLaunch.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

92f143956b9a12540154e290c4e62564.exed3dref9.exeifsutilx.exe

description	pid	process	target process
PID 2420 wrote to memory of 2408	2420	92f143956b9a12540154e290c4e62564.exe	AppLaunch.exe
PID 2420 wrote to memory of 2408	2420	92f143956b9a12540154e290c4e62564.exe	AppLaunch.exe
PID 2420 wrote to memory of 2408	2420	92f143956b9a12540154e290c4e62564.exe	AppLaunch.exe
PID 2420 wrote to memory of 2408	2420	92f143956b9a12540154e290c4e62564.exe	AppLaunch.exe
PID 2420 wrote to memory of 2408	2420	92f143956b9a12540154e290c4e62564.exe	AppLaunch.exe
PID 2420 wrote to memory of 2408	2420	92f143956b9a12540154e290c4e62564.exe	AppLaunch.exe
PID 2420 wrote to memory of 2408	2420	92f143956b9a12540154e290c4e62564.exe	AppLaunch.exe
PID 2420 wrote to memory of 2408	2420	92f143956b9a12540154e290c4e62564.exe	AppLaunch.exe
PID 2420 wrote to memory of 2408	2420	92f143956b9a12540154e290c4e62564.exe	AppLaunch.exe
PID 2420 wrote to memory of 2408	2420	92f143956b9a12540154e290c4e62564.exe	AppLaunch.exe
PID 2420 wrote to memory of 2408	2420	92f143956b9a12540154e290c4e62564.exe	AppLaunch.exe
PID 2420 wrote to memory of 2408	2420	92f143956b9a12540154e290c4e62564.exe	AppLaunch.exe
PID 2420 wrote to memory of 2408	2420	92f143956b9a12540154e290c4e62564.exe	AppLaunch.exe
PID 2420 wrote to memory of 2408	2420	92f143956b9a12540154e290c4e62564.exe	AppLaunch.exe
PID 2420 wrote to memory of 2408	2420	92f143956b9a12540154e290c4e62564.exe	AppLaunch.exe
PID 2420 wrote to memory of 2408	2420	92f143956b9a12540154e290c4e62564.exe	AppLaunch.exe
PID 2420 wrote to memory of 2728	2420	92f143956b9a12540154e290c4e62564.exe	d3dref9.exe
PID 2420 wrote to memory of 2728	2420	92f143956b9a12540154e290c4e62564.exe	d3dref9.exe
PID 2420 wrote to memory of 2728	2420	92f143956b9a12540154e290c4e62564.exe	d3dref9.exe
PID 2420 wrote to memory of 2728	2420	92f143956b9a12540154e290c4e62564.exe	d3dref9.exe
PID 2728 wrote to memory of 2904	2728	d3dref9.exe	ifsutilx.exe
PID 2728 wrote to memory of 2904	2728	d3dref9.exe	ifsutilx.exe
PID 2728 wrote to memory of 2904	2728	d3dref9.exe	ifsutilx.exe
PID 2728 wrote to memory of 2904	2728	d3dref9.exe	ifsutilx.exe
PID 2904 wrote to memory of 2656	2904	ifsutilx.exe	AppLaunch.exe
PID 2904 wrote to memory of 2656	2904	ifsutilx.exe	AppLaunch.exe
PID 2904 wrote to memory of 2656	2904	ifsutilx.exe	AppLaunch.exe
PID 2904 wrote to memory of 2656	2904	ifsutilx.exe	AppLaunch.exe
PID 2904 wrote to memory of 2656	2904	ifsutilx.exe	AppLaunch.exe
PID 2904 wrote to memory of 2656	2904	ifsutilx.exe	AppLaunch.exe
PID 2904 wrote to memory of 2656	2904	ifsutilx.exe	AppLaunch.exe
PID 2904 wrote to memory of 2656	2904	ifsutilx.exe	AppLaunch.exe
PID 2904 wrote to memory of 2656	2904	ifsutilx.exe	AppLaunch.exe
PID 2904 wrote to memory of 2656	2904	ifsutilx.exe	AppLaunch.exe
PID 2904 wrote to memory of 2656	2904	ifsutilx.exe	AppLaunch.exe
PID 2904 wrote to memory of 2656	2904	ifsutilx.exe	AppLaunch.exe
PID 2904 wrote to memory of 2656	2904	ifsutilx.exe	AppLaunch.exe
PID 2904 wrote to memory of 2656	2904	ifsutilx.exe	AppLaunch.exe
PID 2904 wrote to memory of 2656	2904	ifsutilx.exe	AppLaunch.exe
PID 2904 wrote to memory of 2656	2904	ifsutilx.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\92f143956b9a12540154e290c4e62564.exe
"C:\Users\Admin\AppData\Local\Temp\92f143956b9a12540154e290c4e62564.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Local\Temp\ifsutilx.exe
"C:\Users\Admin\AppData\Local\Temp\ifsutilx.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ifsutilx.exe
Filesize
329KB

MD5
1598c01518046d15dcc1976deb84ebe6

SHA1
e2b40efbfa0b153adf048bd4b57b6d4458de42d9

SHA256
b749f05e6a6fe8a74d1b3977baa51a20b3f79a2560008c3dbf3d0e2fe9f7d115

SHA512
e905014bc110d1b03a40681c6f03a344949308b9ab289d3aee1eea8552f745b8fe230a0df8a416dcb73a283eddf278b9b60469ab04d29ad9ade5d5afc8ca5eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifsutilx.exe
Filesize
206KB

MD5
da11725b63e51c32be48f18e00fc0a6f

SHA1
fa06c76db04e08a2aa20b85052b24570fafcf1e1

SHA256
09313bc643f19da2156c2bf8f131ee96484e808e47cade6440c1b16c943d637d

SHA512
4a8e226fc052048390fe9580d5b929f15c3ef0f1b9008a472a607599649f183710f58641fc913d19f0ff2660b8aa88b780bf6ecf1bd35b0fbec7cac267b5d38d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
Filesize
7KB

MD5
bfab13f3f1c91d2590ef07c65839ffef

SHA1
85177eab769ca28a67a56e768d1279b457b4fa74

SHA256
f50751a3a7df1fff2022b398b937892e4c6f7f545107a93466d26db346a04310

SHA512
02cee67f4bc8c5a330a6c0a96d88372497730b2477b9575451a5710b340f2c61f2c4f7644cae3d885363e4ec9aa30c736dd292120d0e25528674fe10b8bdd3b3

Download Submit
\Users\Admin\AppData\Local\Temp\ifsutilx.exe
Filesize
416KB

MD5
0de844e9105ecd8b918a392686f3060e

SHA1
e4e47d589a03a90a4edfc67621b410a86d3bcb7e

SHA256
140762a94c49120743bd468de0ab4d0e3a3475b037e898aa9a7e99622d3b3a2f

SHA512
888d1434faae080934f47155576fb82bdf62dd1507f9fac1b1ba1754375ff0e3db1deacb682fb319ec089b482e355f71ae859ea16b1befe2812479a6b1ba0278

Download Submit
memory/2408-15-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2408-36-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2408-21-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2408-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2408-22-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2408-18-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2408-17-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2408-16-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2408-26-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2408-13-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2408-23-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2408-11-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2408-35-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2408-9-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2408-71-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2408-7-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2420-72-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2420-73-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2420-2-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/2420-1-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2420-74-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/2420-0-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2656-70-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2656-79-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2656-68-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2656-69-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2728-76-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2728-38-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2728-39-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2728-37-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2728-75-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2904-44-0x0000000001FF0000-0x0000000002030000-memory.dmp

Filesize
256KB

Download
memory/2904-43-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2904-77-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download
memory/2904-78-0x0000000001FF0000-0x0000000002030000-memory.dmp

Filesize
256KB

Download
memory/2904-45-0x0000000074D20000-0x00000000752CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads