Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
14-05-2024 23:12
General
-
Target
External Triggerbot/Triggerbot.exe
-
Size
760KB
-
MD5
0549a29673db554ec1e4a4ccf5c87232
-
SHA1
67a12b51ee143a8a56a23bb7bc48f08d01d1914a
-
SHA256
7cd690d2cc1c22336fbc66aa3e979ff9ce425a17e25cdf9d8cdb427690420d50
-
SHA512
ace730d24f273fbfec9ef0d11f5641e82faeb6553e2402f2c2e1ac87271ff20e0b89b28549787dd581a623d7dfc25d871d13a2b035d585ab51533551523305d5
-
SSDEEP
12288:njI/pw81iSoLo4g8H+5CjU7J89QvHHkJPmCs954oLprAVdI:njI/pw81iL9LeJ89Yk9uZLp5
Score
10/10
Malware Config
Extracted
Family
darkcomet
Botnet
Boniito
C2
boniitonoip24.no-ip.org:1604
Mutex
DC_MUTEX-FXA1TN4
Attributes
-
gencode
01MVlzDQeDeB
-
install
false
-
offline_keylogger
true
-
persistence
false
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\External Triggerbot\Triggerbot.exe"C:\Users\Admin\AppData\Local\Temp\External Triggerbot\Triggerbot.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h4⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h4⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1332 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/60-13-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/60-23-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/60-29-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/60-28-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/60-16-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/60-27-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/60-7-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/60-6-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/60-9-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/60-11-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/60-26-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/60-17-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/60-15-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/60-25-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/60-24-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/60-22-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/60-12-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/60-18-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/60-19-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/60-20-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/60-21-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/260-14-0x0000000001330000-0x0000000001331000-memory.dmpFilesize
4KB
-
memory/2456-3-0x0000000074F12000-0x0000000074F13000-memory.dmpFilesize
4KB
-
memory/2456-1-0x0000000074F10000-0x00000000754C1000-memory.dmpFilesize
5.7MB
-
memory/2456-2-0x0000000074F10000-0x00000000754C1000-memory.dmpFilesize
5.7MB
-
memory/2456-10-0x0000000074F10000-0x00000000754C1000-memory.dmpFilesize
5.7MB
-
memory/2456-5-0x0000000074F10000-0x00000000754C1000-memory.dmpFilesize
5.7MB
-
memory/2456-4-0x0000000074F10000-0x00000000754C1000-memory.dmpFilesize
5.7MB
-
memory/2456-0-0x0000000074F12000-0x0000000074F13000-memory.dmpFilesize
4KB