darkcomet | ccba7d679ceef6c80500e953871430da4f88d4c08a756ebbeae5fb8d2e3e09a0

General

Target

Black Beauty Rainmeter Skin/black_beauty_by_mic831-d4thkf?niksmr..exe
Size

1.3MB
MD5

ab28e71a44f8c8214696385bd7c907a3
SHA1

e770fedad3afc03958b0a9e2ae1ed7ddbafab29c
SHA256

d94e345b0a18789dd346679473f4a2721f97fb3d7cf289b39fe4e540f258fed6
SHA512

7729f48cb1659a6512dfa8e8f37771c7d406307ef73e5507f80e4e1e7dbebef9030eeb33d3ba4cedca0a7a2ece17f014b56e7af957eea93eba55bbf5c04344a3
SSDEEP

24576:MlmawWOifU8NaofT5j1W6azCEO9QJC2f3iuFg/Kn7W:QddMSpfT5j1ozIQJ1SEg/KC

Score

10^/10

darkcomet slave persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Slave

C2

haaadukit.no-ip.biz:3365

Mutex

DCMIN_MUTEX-6ABRBTZ

Attributes

gencode
S6MwSKuUU9ju
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1124-16-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral2/memory/1124-17-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral2/memory/1124-20-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral2/memory/1124-22-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral2/memory/1124-21-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral2/memory/1124-24-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral2/memory/1124-23-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral2/memory/1124-25-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral2/memory/1124-27-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral2/memory/1124-29-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral2/memory/1124-31-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral2/memory/1124-33-0x0000000000400000-0x00000000004BB000-memory.dmp	upx
behavioral2/memory/1124-35-0x0000000000400000-0x00000000004BB000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmpnetk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmpnet32.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

black_beauty_by_mic831-d4thkf_niksmr..exe

description	pid	process	target process
PID 4068 set thread context of 4136	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 4068 set thread context of 1124	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

OpenWith.exeblack_beauty_by_mic831-d4thkf_niksmr..exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	black_beauty_by_mic831-d4thkf_niksmr..exe

NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\svchost.exe:ZONE.identifier cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\svchost.exe:ZONE.identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1124	vbc.exe
Token: SeSecurityPrivilege	1124	vbc.exe
Token: SeTakeOwnershipPrivilege	1124	vbc.exe
Token: SeLoadDriverPrivilege	1124	vbc.exe
Token: SeSystemProfilePrivilege	1124	vbc.exe
Token: SeSystemtimePrivilege	1124	vbc.exe
Token: SeProfSingleProcessPrivilege	1124	vbc.exe
Token: SeIncBasePriorityPrivilege	1124	vbc.exe
Token: SeCreatePagefilePrivilege	1124	vbc.exe
Token: SeBackupPrivilege	1124	vbc.exe
Token: SeRestorePrivilege	1124	vbc.exe
Token: SeShutdownPrivilege	1124	vbc.exe
Token: SeDebugPrivilege	1124	vbc.exe
Token: SeSystemEnvironmentPrivilege	1124	vbc.exe
Token: SeChangeNotifyPrivilege	1124	vbc.exe
Token: SeRemoteShutdownPrivilege	1124	vbc.exe
Token: SeUndockPrivilege	1124	vbc.exe
Token: SeManageVolumePrivilege	1124	vbc.exe
Token: SeImpersonatePrivilege	1124	vbc.exe
Token: SeCreateGlobalPrivilege	1124	vbc.exe
Token: 33	1124	vbc.exe
Token: 34	1124	vbc.exe
Token: 35	1124	vbc.exe
Token: 36	1124	vbc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

vbc.exeOpenWith.exevbc.exe

pid process

4136 vbc.exe
1700 OpenWith.exe
1124 vbc.exe

pid	process
4136	vbc.exe
1700	OpenWith.exe
1124	vbc.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

black_beauty_by_mic831-d4thkf_niksmr..exe

description	pid	process	target process
PID 4068 wrote to memory of 4136	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 4068 wrote to memory of 4136	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 4068 wrote to memory of 4136	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 4068 wrote to memory of 4136	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 4068 wrote to memory of 4136	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 4068 wrote to memory of 4136	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 4068 wrote to memory of 4136	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 4068 wrote to memory of 4136	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 4068 wrote to memory of 2592	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	cmd.exe
PID 4068 wrote to memory of 2592	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	cmd.exe
PID 4068 wrote to memory of 2592	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	cmd.exe
PID 4068 wrote to memory of 1124	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 4068 wrote to memory of 1124	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 4068 wrote to memory of 1124	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 4068 wrote to memory of 1124	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 4068 wrote to memory of 1124	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 4068 wrote to memory of 1124	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 4068 wrote to memory of 1124	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe
PID 4068 wrote to memory of 1124	4068	black_beauty_by_mic831-d4thkf_niksmr..exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe
"C:\Users\Admin\AppData\Local\Temp\Black Beauty Rainmeter Skin\black_beauty_by_mic831-d4thkf_niksmr..exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Windows\SysWOW64\cmd.exe
"cmd"
2⤵
- NTFS ADS
PID:2592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1124

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fp.txt
Filesize
103B

MD5
d1d57811ea8479eb76ba617b25c1bf91

SHA1
979ac8b7365725a96ebcee80a2a2ae2622c7afa9

SHA256
d84715b33fdd79464ea60a82cffcc86eccbbd55ed42b948894d13df0e14316cd

SHA512
a08401d6443a144c1016676706961b5a62f5ca5a6f82f257ec8bee49a007f28de9532a311309b46b7d8355b000e92018d7d84c36018481aa6471522912803db0

Download Submit
memory/1124-20-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1124-23-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1124-33-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1124-29-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1124-27-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1124-25-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1124-16-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1124-22-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1124-35-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1124-31-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1124-17-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1124-21-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1124-24-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4068-2-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/4068-1-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/4068-0-0x0000000075292000-0x0000000075293000-memory.dmp

Filesize
4KB

Download
memory/4068-19-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/4136-12-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4136-6-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4136-4-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads