darkcomet | 9eca9396e9230e5d10850f535d8c08f571e73b76794f45c12bdca8a80446314d

General

Target

Lucky Proxy.exe
Size

10.7MB
MD5

f9f683c1fafc61bcccc9a44bef1f2867
SHA1

464183bbe171e5b07921d293f2692c517353f6e4
SHA256

9eca9396e9230e5d10850f535d8c08f571e73b76794f45c12bdca8a80446314d
SHA512

ca6481f8b1d0d2917368f3178256c2825a4de13b5d9baa720e7fa2aa3fd214b13881cb2457af1abe75345348842ad8896e8f1962d672ffb6cddf008dcd940279
SSDEEP

98304:FQU/ui53ANXrPQU/8rJPPGlTrMdhSzVozBjVTcZOOSaHE6+KN51dE27Kfz7ns9z:FQPi5GQ7PuqShYBDRak6+AK2OfA

Score

10^/10

darkcomet eternity guest16 persistence rat stealer trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-AYYXQ8E

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
SNTiKyNYVqQR
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Detects Eternity stealer 11 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\STEALER.EXE	eternity_stealer
behavioral2/memory/1548-21-0x0000000000620000-0x0000000000E9A000-memory.dmp	eternity_stealer
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	eternity_stealer
behavioral2/memory/1548-76-0x000000001BE30000-0x000000001C238000-memory.dmp	eternity_stealer
C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe	eternity_stealer
behavioral2/memory/3272-97-0x0000000000400000-0x0000000000EC2000-memory.dmp	eternity_stealer
C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE	eternity_stealer
behavioral2/memory/4144-121-0x0000000000D60000-0x0000000000E46000-memory.dmp	eternity_stealer
behavioral2/memory/2728-182-0x0000000000400000-0x00000000007D6000-memory.dmp	eternity_stealer
behavioral2/memory/4224-183-0x0000000000400000-0x0000000000EC2000-memory.dmp	eternity_stealer
behavioral2/memory/2144-184-0x0000000000400000-0x00000000007D6000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Lucky Proxy.exeKuloCrackedByHaci.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	Lucky Proxy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\17RYb5VUkfWF\\msdcsc.exe"	KuloCrackedByHaci.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Lucky Proxy.exeSTEALER.EXEKuloCrackedByHaci.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Lucky Proxy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	STEALER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	KuloCrackedByHaci.exe

Executes dropped EXE 7 IoCs

Processes:

LUCKY CRACKED.EXESTEALER.EXEmsdcsc.exeKuloCrackedByHaci.exeETERNITYV5.EXEKULO PROXY.EXEmsdcsc.exe

pid process

1248 LUCKY CRACKED.EXE
1548 STEALER.EXE
4224 msdcsc.exe
2728 KuloCrackedByHaci.exe
4144 ETERNITYV5.EXE
4472 KULO PROXY.EXE
2144 msdcsc.exe

pid	process
1248	LUCKY CRACKED.EXE
1548	STEALER.EXE
4224	msdcsc.exe
2728	KuloCrackedByHaci.exe
4144	ETERNITYV5.EXE
4472	KULO PROXY.EXE
2144	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Lucky Proxy.exeKuloCrackedByHaci.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	Lucky Proxy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\17RYb5VUkfWF\\msdcsc.exe"	KuloCrackedByHaci.exe

Drops file in System32 directory 7 IoCs

Processes:

KuloCrackedByHaci.exeLucky Proxy.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe	KuloCrackedByHaci.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\	KuloCrackedByHaci.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	Lucky Proxy.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	Lucky Proxy.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	Lucky Proxy.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	KuloCrackedByHaci.exe
File created	C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe	KuloCrackedByHaci.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

Lucky Proxy.exeKuloCrackedByHaci.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Lucky Proxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	KuloCrackedByHaci.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Lucky Proxy.exeSTEALER.EXEmsdcsc.exeKuloCrackedByHaci.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3272	Lucky Proxy.exe
Token: SeSecurityPrivilege	3272	Lucky Proxy.exe
Token: SeTakeOwnershipPrivilege	3272	Lucky Proxy.exe
Token: SeLoadDriverPrivilege	3272	Lucky Proxy.exe
Token: SeSystemProfilePrivilege	3272	Lucky Proxy.exe
Token: SeSystemtimePrivilege	3272	Lucky Proxy.exe
Token: SeProfSingleProcessPrivilege	3272	Lucky Proxy.exe
Token: SeIncBasePriorityPrivilege	3272	Lucky Proxy.exe
Token: SeCreatePagefilePrivilege	3272	Lucky Proxy.exe
Token: SeBackupPrivilege	3272	Lucky Proxy.exe
Token: SeRestorePrivilege	3272	Lucky Proxy.exe
Token: SeShutdownPrivilege	3272	Lucky Proxy.exe
Token: SeDebugPrivilege	3272	Lucky Proxy.exe
Token: SeSystemEnvironmentPrivilege	3272	Lucky Proxy.exe
Token: SeChangeNotifyPrivilege	3272	Lucky Proxy.exe
Token: SeRemoteShutdownPrivilege	3272	Lucky Proxy.exe
Token: SeUndockPrivilege	3272	Lucky Proxy.exe
Token: SeManageVolumePrivilege	3272	Lucky Proxy.exe
Token: SeImpersonatePrivilege	3272	Lucky Proxy.exe
Token: SeCreateGlobalPrivilege	3272	Lucky Proxy.exe
Token: 33	3272	Lucky Proxy.exe
Token: 34	3272	Lucky Proxy.exe
Token: 35	3272	Lucky Proxy.exe
Token: 36	3272	Lucky Proxy.exe
Token: SeDebugPrivilege	1548	STEALER.EXE
Token: SeIncreaseQuotaPrivilege	4224	msdcsc.exe
Token: SeSecurityPrivilege	4224	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4224	msdcsc.exe
Token: SeLoadDriverPrivilege	4224	msdcsc.exe
Token: SeSystemProfilePrivilege	4224	msdcsc.exe
Token: SeSystemtimePrivilege	4224	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4224	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4224	msdcsc.exe
Token: SeCreatePagefilePrivilege	4224	msdcsc.exe
Token: SeBackupPrivilege	4224	msdcsc.exe
Token: SeRestorePrivilege	4224	msdcsc.exe
Token: SeShutdownPrivilege	4224	msdcsc.exe
Token: SeDebugPrivilege	4224	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4224	msdcsc.exe
Token: SeChangeNotifyPrivilege	4224	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4224	msdcsc.exe
Token: SeUndockPrivilege	4224	msdcsc.exe
Token: SeManageVolumePrivilege	4224	msdcsc.exe
Token: SeImpersonatePrivilege	4224	msdcsc.exe
Token: SeCreateGlobalPrivilege	4224	msdcsc.exe
Token: 33	4224	msdcsc.exe
Token: 34	4224	msdcsc.exe
Token: 35	4224	msdcsc.exe
Token: 36	4224	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2728	KuloCrackedByHaci.exe
Token: SeSecurityPrivilege	2728	KuloCrackedByHaci.exe
Token: SeTakeOwnershipPrivilege	2728	KuloCrackedByHaci.exe
Token: SeLoadDriverPrivilege	2728	KuloCrackedByHaci.exe
Token: SeSystemProfilePrivilege	2728	KuloCrackedByHaci.exe
Token: SeSystemtimePrivilege	2728	KuloCrackedByHaci.exe
Token: SeProfSingleProcessPrivilege	2728	KuloCrackedByHaci.exe
Token: SeIncBasePriorityPrivilege	2728	KuloCrackedByHaci.exe
Token: SeCreatePagefilePrivilege	2728	KuloCrackedByHaci.exe
Token: SeBackupPrivilege	2728	KuloCrackedByHaci.exe
Token: SeRestorePrivilege	2728	KuloCrackedByHaci.exe
Token: SeShutdownPrivilege	2728	KuloCrackedByHaci.exe
Token: SeDebugPrivilege	2728	KuloCrackedByHaci.exe
Token: SeSystemEnvironmentPrivilege	2728	KuloCrackedByHaci.exe
Token: SeChangeNotifyPrivilege	2728	KuloCrackedByHaci.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

msdcsc.exemsdcsc.exe

pid process

4224 msdcsc.exe
2144 msdcsc.exe

pid	process
4224	msdcsc.exe
2144	msdcsc.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Lucky Proxy.exeSTEALER.EXEKuloCrackedByHaci.exe

description	pid	process	target process
PID 3272 wrote to memory of 1248	3272	Lucky Proxy.exe	LUCKY CRACKED.EXE
PID 3272 wrote to memory of 1248	3272	Lucky Proxy.exe	LUCKY CRACKED.EXE
PID 3272 wrote to memory of 1548	3272	Lucky Proxy.exe	STEALER.EXE
PID 3272 wrote to memory of 1548	3272	Lucky Proxy.exe	STEALER.EXE
PID 3272 wrote to memory of 4224	3272	Lucky Proxy.exe	msdcsc.exe
PID 3272 wrote to memory of 4224	3272	Lucky Proxy.exe	msdcsc.exe
PID 3272 wrote to memory of 4224	3272	Lucky Proxy.exe	msdcsc.exe
PID 1548 wrote to memory of 2728	1548	STEALER.EXE	KuloCrackedByHaci.exe
PID 1548 wrote to memory of 2728	1548	STEALER.EXE	KuloCrackedByHaci.exe
PID 1548 wrote to memory of 2728	1548	STEALER.EXE	KuloCrackedByHaci.exe
PID 2728 wrote to memory of 4144	2728	KuloCrackedByHaci.exe	ETERNITYV5.EXE
PID 2728 wrote to memory of 4144	2728	KuloCrackedByHaci.exe	ETERNITYV5.EXE
PID 2728 wrote to memory of 4472	2728	KuloCrackedByHaci.exe	KULO PROXY.EXE
PID 2728 wrote to memory of 4472	2728	KuloCrackedByHaci.exe	KULO PROXY.EXE
PID 2728 wrote to memory of 2144	2728	KuloCrackedByHaci.exe	msdcsc.exe
PID 2728 wrote to memory of 2144	2728	KuloCrackedByHaci.exe	msdcsc.exe
PID 2728 wrote to memory of 2144	2728	KuloCrackedByHaci.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe
"C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3272

C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE
"C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE"
2⤵
- Executes dropped EXE
PID:1248

C:\Users\Admin\AppData\Local\Temp\STEALER.EXE
"C:\Users\Admin\AppData\Local\Temp\STEALER.EXE"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe
"C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe"
3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE
"C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE"
4⤵
- Executes dropped EXE
PID:4144

C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE
"C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE"
4⤵
- Executes dropped EXE
PID:4472

C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe
"C:\Windows\system32\MSDCSC\17RYb5VUkfWF\msdcsc.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2144

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4224

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE
Filesize
887KB

MD5
656811e5b545b83c89e9172d71a31c9d

SHA1
94dfbaf4b72bb4a627205536db953fdfb06637f4

SHA256
24e4e3268b3b2b043f1ed4ea4e564eba2b0d19824e34f4fbc077510db817eba1

SHA512
66f52fc6dd64d58d5b89628cd276f1b098f6e533f3acb6e081daa3c0ce3b9b68977ac0455deef7488d5d7e58fbeedc01691cc2c535c13e5088533dcc70e2f3de

Download Submit
C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE
Filesize
2.3MB

MD5
5846ff38efa46576737ad1b8a9246766

SHA1
36586aec663d0fcc12d0924b554ea3ce65599da5

SHA256
f6b7fdaa92f8551750fbd372a88efeda90dea586e01c75f9d463478d7752ac7b

SHA512
097058dd94a2de214ff69f56e3be54261d75d8dd7cb7b1a5ae2184cbc4bb720d09ab29defde6246939c0401bfd1171f435a86cf280642ada2578db9d30a65820

Download Submit
C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE
Filesize
1.6MB

MD5
177146ba249a68fa55f0e0ba3889b1c6

SHA1
994d06dd75554da0024251412c318beff740b7c7

SHA256
af8ff83661fb43de992e22464533348c1aaac81e54c58357e09d0a07cd559893

SHA512
1764d9372784c7428327bb6e5b9bbb339500566f90c3c784084d8319ffdd620f4fcc81506cadf3e8009ef2cf4e7731d0702e411cdff15740f404cbd3684bb1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\STEALER.EXE
Filesize
8.5MB

MD5
b81af4dd13f5db948ffec8b8707c2280

SHA1
f7f74d80b24ff02499be0fb46f416be14b21c287

SHA256
03fa8a7a7ac4dd4754f84f348737dc76f9102349bcac0ce64790bd20906ad21b

SHA512
0ef93304db63b84891bc7406d1a39112463600ae1bf4cc89fdb72db32d0ce237e05c84a1d31d94295c439cb4242e083ee97d44946bae61f1b5fa7319357eedde

Download Submit
C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe
Filesize
3.8MB

MD5
afaafeb9ed3224a20c008fe4e987e0fc

SHA1
59605cdaded8aa6b009daba59056cbdfce8171d0

SHA256
f0395d96a4dae3a00181ff666507342a1b03f5e9a780d3ce8734e934eb13f90d

SHA512
747b94a51b065ad3f246a3a931dcc0c4a8b8efa6f9e996fdf63fb955e97f8cbcc45c8b2062292c3c89932df8c847d0d051e240f2903774cbae81d2ac83b8bb82

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
10.7MB

MD5
f9f683c1fafc61bcccc9a44bef1f2867

SHA1
464183bbe171e5b07921d293f2692c517353f6e4

SHA256
9eca9396e9230e5d10850f535d8c08f571e73b76794f45c12bdca8a80446314d

SHA512
ca6481f8b1d0d2917368f3178256c2825a4de13b5d9baa720e7fa2aa3fd214b13881cb2457af1abe75345348842ad8896e8f1962d672ffb6cddf008dcd940279

Download Submit
memory/1548-76-0x000000001BE30000-0x000000001C238000-memory.dmp

Filesize
4.0MB

Download
memory/1548-23-0x00007FFFAA950000-0x00007FFFAB411000-memory.dmp

Filesize
10.8MB

Download
memory/1548-75-0x0000000001740000-0x0000000001750000-memory.dmp

Filesize
64KB

Download
memory/1548-74-0x0000000001680000-0x0000000001681000-memory.dmp

Filesize
4KB

Download
memory/1548-78-0x0000000001740000-0x0000000001750000-memory.dmp

Filesize
64KB

Download
memory/1548-77-0x0000000001740000-0x0000000001750000-memory.dmp

Filesize
64KB

Download
memory/1548-189-0x0000000001740000-0x0000000001750000-memory.dmp

Filesize
64KB

Download
memory/1548-72-0x00000000016F0000-0x0000000001740000-memory.dmp

Filesize
320KB

Download
memory/1548-190-0x0000000001740000-0x0000000001750000-memory.dmp

Filesize
64KB

Download
memory/1548-73-0x00007FFFAA950000-0x00007FFFAB411000-memory.dmp

Filesize
10.8MB

Download
memory/1548-21-0x0000000000620000-0x0000000000E9A000-memory.dmp

Filesize
8.5MB

Download
memory/1548-188-0x0000000001740000-0x0000000001750000-memory.dmp

Filesize
64KB

Download
memory/1548-185-0x00007FFFAA950000-0x00007FFFAB411000-memory.dmp

Filesize
10.8MB

Download
memory/2144-184-0x0000000000400000-0x00000000007D6000-memory.dmp

Filesize
3.8MB

Download
memory/2728-182-0x0000000000400000-0x00000000007D6000-memory.dmp

Filesize
3.8MB

Download
memory/3272-97-0x0000000000400000-0x0000000000EC2000-memory.dmp

Filesize
10.8MB

Download
memory/3272-0-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/4144-123-0x000000001B8E0000-0x000000001B91E000-memory.dmp

Filesize
248KB

Download
memory/4144-121-0x0000000000D60000-0x0000000000E46000-memory.dmp

Filesize
920KB

Download
memory/4224-183-0x0000000000400000-0x0000000000EC2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads