Overview

overview

10

Static

static

3

d1a6927a0a...ab.exe

windows7-x64

10

d1a6927a0a...ab.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-03-2024 19:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d1a6927a0ad7b9a1eb072535aa3879ab.exe

  • Size

    708KB

  • MD5

    d1a6927a0ad7b9a1eb072535aa3879ab

  • SHA1

    989cc5e58c7f0de80d5dfcb0468b812192c4c3ef

  • SHA256

    7ddbcb26b9c3afc287c094d534ee051f311c258db1c5d2082b384de4b2207c1a

  • SHA512

    8474cae8e14037913c740a52628242bf434e315139d6d23626859c96beb06b497f024cb8ba3ad689d94cc2f8a23408cf09e3c2718ab29fd0053d379ca6bb99c4

  • SSDEEP

    12288:tk6zJDIYsrXd0+tMt+sH2ept70Q93Fohby5KNK5u3z9HRI0WRooTalj8:tk6zJDIYs7dKH2ecQxgbpsyHRI049TaS

Score
10/10
darkcometlatentbotguest16evasionrattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

lolscape12345.zapto.org:4444

coderscape.net84.net:4444

127.0.0.1:4444

192.168.0.3:4444

77.96.90.48:4444
Mutex

DC_MUTEX-KLX6V48

Attributes
  • gencode

    YCMTuRTxJEkt

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Extracted

Family

latentbot

C2

lolscape12345.zapto.org

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1a6927a0ad7b9a1eb072535aa3879ab.exe
    "C:\Users\Admin\AppData\Local\Temp\d1a6927a0ad7b9a1eb072535aa3879ab.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3720
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4732
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:2228
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3096
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:4288
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:3764

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Hide Artifacts

    2
    T1564

    Hidden Files and Directories

    2
    T1564.001

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1720-9-0x0000000002420000-0x0000000002421000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1720-27-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/1720-10-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/1720-4-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/1720-3-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/1720-6-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/1720-22-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/1720-8-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/1720-20-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/1720-18-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/1720-12-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/1720-16-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/1720-13-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/1720-14-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/3720-1-0x0000000075470000-0x0000000075A21000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3720-2-0x0000000000DA0000-0x0000000000DB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3720-7-0x0000000075470000-0x0000000075A21000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3720-0-0x0000000075470000-0x0000000075A21000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3764-11-0x00000000007C0000-0x00000000007C1000-memory.dmp
      Filesize

      4KB

      Download