darkcomet | ccba7d679ceef6c80500e953871430da4f88d4c08a756ebbeae5fb8d2e3e09a0

General

Target

Black Beauty Rainmeter Skin/black_beauty_by_mic831-d4thkf?niksmr..exe
Size

1.3MB
MD5

ab28e71a44f8c8214696385bd7c907a3
SHA1

e770fedad3afc03958b0a9e2ae1ed7ddbafab29c
SHA256

d94e345b0a18789dd346679473f4a2721f97fb3d7cf289b39fe4e540f258fed6
SHA512

7729f48cb1659a6512dfa8e8f37771c7d406307ef73e5507f80e4e1e7dbebef9030eeb33d3ba4cedca0a7a2ece17f014b56e7af957eea93eba55bbf5c04344a3
SSDEEP

24576:MlmawWOifU8NaofT5j1W6azCEO9QJC2f3iuFg/Kn7W:QddMSpfT5j1ozIQJ1SEg/KC

Score

10^/10

darkcomet slave persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Slave

C2

haaadukit.no-ip.biz:3365

Mutex

DCMIN_MUTEX-6ABRBTZ

Attributes

gencode
S6MwSKuUU9ju
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2660-30-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2660-29-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2660-31-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2660-26-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2660-24-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2660-32-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2660-35-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2660-36-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2660-34-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2660-38-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2660-37-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2660-40-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral1/memory/2660-59-0x0000000000400000-0x00000000004BB000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmpnetk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmpnet32.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

black_beauty_by_mic831-d4thkf_niksmr..exe

description	pid	process	target process
PID 2180 set thread context of 2724	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 2180 set thread context of 2660	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.rmskin	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.rmskin\ = "rmskin_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\rmskin_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\rmskin_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\rmskin_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\rmskin_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\rmskin_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\rmskin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\svchost.exe:ZONE.identifier cmd.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

3052 AcroRd32.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\svchost.exe:ZONE.identifier	cmd.exe

pid	process
3052	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2660	vbc.exe
Token: SeSecurityPrivilege	2660	vbc.exe
Token: SeTakeOwnershipPrivilege	2660	vbc.exe
Token: SeLoadDriverPrivilege	2660	vbc.exe
Token: SeSystemProfilePrivilege	2660	vbc.exe
Token: SeSystemtimePrivilege	2660	vbc.exe
Token: SeProfSingleProcessPrivilege	2660	vbc.exe
Token: SeIncBasePriorityPrivilege	2660	vbc.exe
Token: SeCreatePagefilePrivilege	2660	vbc.exe
Token: SeBackupPrivilege	2660	vbc.exe
Token: SeRestorePrivilege	2660	vbc.exe
Token: SeShutdownPrivilege	2660	vbc.exe
Token: SeDebugPrivilege	2660	vbc.exe
Token: SeSystemEnvironmentPrivilege	2660	vbc.exe
Token: SeChangeNotifyPrivilege	2660	vbc.exe
Token: SeRemoteShutdownPrivilege	2660	vbc.exe
Token: SeUndockPrivilege	2660	vbc.exe
Token: SeManageVolumePrivilege	2660	vbc.exe
Token: SeImpersonatePrivilege	2660	vbc.exe
Token: SeCreateGlobalPrivilege	2660	vbc.exe
Token: 33	2660	vbc.exe
Token: 34	2660	vbc.exe
Token: 35	2660	vbc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

vbc.exevbc.exeAcroRd32.exe

pid process

2724 vbc.exe
2660 vbc.exe
3052 AcroRd32.exe
3052 AcroRd32.exe

pid	process
2724	vbc.exe
2660	vbc.exe
3052	AcroRd32.exe
3052	AcroRd32.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

black_beauty_by_mic831-d4thkf_niksmr..exerundll32.exe

description	pid	process	target process
PID 2180 wrote to memory of 2724	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 2180 wrote to memory of 2724	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 2180 wrote to memory of 2724	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 2180 wrote to memory of 2724	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 2180 wrote to memory of 2724	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 2180 wrote to memory of 2724	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 2180 wrote to memory of 2724	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 2180 wrote to memory of 2724	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 2180 wrote to memory of 2724	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 2180 wrote to memory of 2740	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	cmd.exe
PID 2180 wrote to memory of 2740	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	cmd.exe
PID 2180 wrote to memory of 2740	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	cmd.exe
PID 2180 wrote to memory of 2740	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	cmd.exe
PID 2180 wrote to memory of 2692	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	rundll32.exe
PID 2180 wrote to memory of 2692	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	rundll32.exe
PID 2180 wrote to memory of 2692	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	rundll32.exe
PID 2180 wrote to memory of 2692	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	rundll32.exe
PID 2180 wrote to memory of 2692	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	rundll32.exe
PID 2180 wrote to memory of 2692	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	rundll32.exe
PID 2180 wrote to memory of 2692	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	rundll32.exe
PID 2180 wrote to memory of 2660	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 2180 wrote to memory of 2660	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 2180 wrote to memory of 2660	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 2180 wrote to memory of 2660	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 2180 wrote to memory of 2660	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 2180 wrote to memory of 2660	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 2180 wrote to memory of 2660	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 2180 wrote to memory of 2660	2180	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 2692 wrote to memory of 3052	2692	rundll32.exe	AcroRd32.exe
PID 2692 wrote to memory of 3052	2692	rundll32.exe	AcroRd32.exe
PID 2692 wrote to memory of 3052	2692	rundll32.exe	AcroRd32.exe
PID 2692 wrote to memory of 3052	2692	rundll32.exe	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe
"C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2724

C:\Windows\SysWOW64\cmd.exe
"cmd"
2⤵
- NTFS ADS
PID:2740

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\black_beauty_by_mic831-d4thkf0.rmskin
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\black_beauty_by_mic831-d4thkf0.rmskin"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3052

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2660

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\black_beauty_by_mic831-d4thkf0.rmskin
Filesize
432KB

MD5
a1f4029acd9802c948cc770c24d488b6

SHA1
8907f81f4d5226c860ec47e0067e1606f35d484a

SHA256
b60d4947c4dafc66f0c6ab83b7ea9594dc03508151b07508527612c5f0b5c3c1

SHA512
2e449338913968cfebc85a2b92f812e18f894bb7c042f03a7f463a20bcf2f857017a82b689c0615adaa912c1b798e3f3e014728a7638320901999e49b170aac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fp.txt
Filesize
103B

MD5
d1d57811ea8479eb76ba617b25c1bf91

SHA1
979ac8b7365725a96ebcee80a2a2ae2622c7afa9

SHA256
d84715b33fdd79464ea60a82cffcc86eccbbd55ed42b948894d13df0e14316cd

SHA512
a08401d6443a144c1016676706961b5a62f5ca5a6f82f257ec8bee49a007f28de9532a311309b46b7d8355b000e92018d7d84c36018481aa6471522912803db0

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
2eb76e8477f28331a3fb1010167385cb

SHA1
cfa0f15e04850a9cf91aebc999cc60e8dc2e7d46

SHA256
839d39a39e1841bfa0edd76d192d48f0c788d109a5b881f4de921ebcab7d7a12

SHA512
3f7fe881fc4b4c1230bd8758289a96409bf4bb8343ae4a1709c2422706e195957bbda21c7d94bc45c927afe92299e0cbde14ae248f3a5c289dde9416bb46b111

Download Submit
memory/2180-1-0x0000000074B60000-0x000000007510B000-memory.dmp

Filesize
5.7MB

Download
memory/2180-2-0x0000000074B60000-0x000000007510B000-memory.dmp

Filesize
5.7MB

Download
memory/2180-0-0x0000000074B61000-0x0000000074B62000-memory.dmp

Filesize
4KB

Download
memory/2180-33-0x0000000074B60000-0x000000007510B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-34-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2660-37-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2660-59-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2660-40-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2660-22-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2660-30-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2660-29-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2660-31-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2660-26-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2660-24-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2660-32-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2660-38-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2660-35-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2660-36-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2724-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2724-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2724-13-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2724-11-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2724-19-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2724-7-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2724-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads