Overview

overview

10

Static

static

3

d1a6927a0a...ab.exe

windows7-x64

10

d1a6927a0a...ab.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    17-03-2024 19:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d1a6927a0ad7b9a1eb072535aa3879ab.exe

  • Size

    708KB

  • MD5

    d1a6927a0ad7b9a1eb072535aa3879ab

  • SHA1

    989cc5e58c7f0de80d5dfcb0468b812192c4c3ef

  • SHA256

    7ddbcb26b9c3afc287c094d534ee051f311c258db1c5d2082b384de4b2207c1a

  • SHA512

    8474cae8e14037913c740a52628242bf434e315139d6d23626859c96beb06b497f024cb8ba3ad689d94cc2f8a23408cf09e3c2718ab29fd0053d379ca6bb99c4

  • SSDEEP

    12288:tk6zJDIYsrXd0+tMt+sH2ept70Q93Fohby5KNK5u3z9HRI0WRooTalj8:tk6zJDIYs7dKH2ecQxgbpsyHRI049TaS

Score
10/10
darkcometlatentbotguest16evasionrattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

lolscape12345.zapto.org:4444

coderscape.net84.net:4444

127.0.0.1:4444

192.168.0.3:4444

77.96.90.48:4444
Mutex

DC_MUTEX-KLX6V48

Attributes
  • gencode

    YCMTuRTxJEkt

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Extracted

Family

latentbot

C2

lolscape12345.zapto.org

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1a6927a0ad7b9a1eb072535aa3879ab.exe
    "C:\Users\Admin\AppData\Local\Temp\d1a6927a0ad7b9a1eb072535aa3879ab.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:2516
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:2532
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:2968

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Hide Artifacts

    2
    T1564

    Hidden Files and Directories

    2
    T1564.001

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2044-0-0x00000000747D0000-0x0000000074D7B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2044-1-0x00000000747D0000-0x0000000074D7B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2044-2-0x0000000002190000-0x00000000021D0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2044-24-0x00000000747D0000-0x0000000074D7B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2880-11-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-26-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-9-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-5-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-13-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-15-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-17-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-21-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2880-22-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-3-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-23-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-25-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-7-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-27-0x00000000002F0000-0x00000000002F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2880-28-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-70-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-57-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-58-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-67-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-59-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-61-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-63-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2880-65-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2968-56-0x00000000002A0000-0x00000000002A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2968-29-0x00000000000C0000-0x00000000000C1000-memory.dmp
      Filesize

      4KB

      Download