Overview

overview

10

Static

static

10

RAT2.exe

windows7-x64

10

RAT2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    44s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    21-02-2024 15:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RAT2.exe

  • Size

    758KB

  • MD5

    21d196003c2ebe1318a386a3f1b96bbc

  • SHA1

    83ce95a86173ec0f6a708ee4cfd40260c5a624e7

  • SHA256

    b7de3304bb713d3da34c1d057e8dd48c7b5677e94d0f93ddee96089ff6445c25

  • SHA512

    f0947c77b3ce5b20d7df88ec8793f51bd7f9bc2a17f1c954e21c4bfe294213a38cae9657b4f892fd180cb7f43720d5c5cfaa1ff8923e10b456f23d66529202fa

  • SSDEEP

    12288:b9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hTvvNVRuH:VZ1xuVVjfFoynPaVBUR8f+kN10EBdvzG

Score
10/10
darkcometguest16evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

nayef.ddns.net:1604

Mutex

DC_MUTEX-S42YJ4Y

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    7CVEBPhuYSgK

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RAT2.exe
    "C:\Users\Admin\AppData\Local\Temp\RAT2.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      2⤵
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:2660

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Defense Evasion

    Modify Registry

    4
    T1112

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\Documents\MSDCSC\msdcsc.exe
      Filesize

      758KB

      MD5

      21d196003c2ebe1318a386a3f1b96bbc

      SHA1

      83ce95a86173ec0f6a708ee4cfd40260c5a624e7

      SHA256

      b7de3304bb713d3da34c1d057e8dd48c7b5677e94d0f93ddee96089ff6445c25

      SHA512

      f0947c77b3ce5b20d7df88ec8793f51bd7f9bc2a17f1c954e21c4bfe294213a38cae9657b4f892fd180cb7f43720d5c5cfaa1ff8923e10b456f23d66529202fa

      Download Submit
    • memory/2152-0-0x0000000000250000-0x0000000000251000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2152-50-0x0000000000400000-0x00000000004CB000-memory.dmp
      Filesize

      812KB

      Download
    • memory/2660-13-0x0000000000080000-0x0000000000081000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2660-49-0x00000000008E0000-0x00000000008E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2700-11-0x00000000001D0000-0x00000000001D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2700-51-0x0000000000400000-0x00000000004CB000-memory.dmp
      Filesize

      812KB

      Download
    • memory/2700-52-0x0000000000400000-0x00000000004CB000-memory.dmp
      Filesize

      812KB

      Download
    • memory/2700-53-0x00000000001D0000-0x00000000001D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2700-54-0x0000000000400000-0x00000000004CB000-memory.dmp
      Filesize

      812KB

      Download