darkcomet | 92ea6ba3b76c78c6a69cce7928933c35de64647128aa6a4068edb2a54368e31a

General

Target

Fritz 19.4 Multilingual\Crack\ChessProgram19.exe
Size

10.1MB
MD5

aae62ebe0521ea14a732e6902e9552ca
SHA1

12bc209fd466b4df1d37fdcff6c7357b5e2059c0
SHA256

92ea6ba3b76c78c6a69cce7928933c35de64647128aa6a4068edb2a54368e31a
SHA512

8a4e9814d150cedf3d7ff64c4a7f3a67dff13e4ec608fa3ef7169edd92bc8b06643217a02a8e4faca249d660e01f0d694223b4a029b9231bcc6d5a80baa7aa34
SSDEEP

196608:GrYYQAbd3vZoubIJkPoYuIVcgjAhJkEpO67hLp04rI7+XGkjiNuO/:2JQA9+ubokPoXIXEhtpFl04rGk

Score

10^/10

darkcomet rar discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

RaR

C2

bonda7678.ddns.net:7678

Mutex

DCMIN_MUTEX-1CEG3YX

Attributes

gencode
2ce0rUX8Kbq9
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 2 IoCs

pid	Process
3756	DR.exe
4004	CHESSP~1.EXE

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3260-19-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/3260-21-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/3260-22-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/3260-24-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/3260-25-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/3260-26-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ChessProgram19.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3756 set thread context of 3260	3756	DR.exe	92

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChessProgram19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3756	DR.exe
3756	DR.exe
3756	DR.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	3756	DR.exe
Token: SeIncreaseQuotaPrivilege	3260	CasPol.exe
Token: SeSecurityPrivilege	3260	CasPol.exe
Token: SeTakeOwnershipPrivilege	3260	CasPol.exe
Token: SeLoadDriverPrivilege	3260	CasPol.exe
Token: SeSystemProfilePrivilege	3260	CasPol.exe
Token: SeSystemtimePrivilege	3260	CasPol.exe
Token: SeProfSingleProcessPrivilege	3260	CasPol.exe
Token: SeIncBasePriorityPrivilege	3260	CasPol.exe
Token: SeCreatePagefilePrivilege	3260	CasPol.exe
Token: SeBackupPrivilege	3260	CasPol.exe
Token: SeRestorePrivilege	3260	CasPol.exe
Token: SeShutdownPrivilege	3260	CasPol.exe
Token: SeDebugPrivilege	3260	CasPol.exe
Token: SeSystemEnvironmentPrivilege	3260	CasPol.exe
Token: SeChangeNotifyPrivilege	3260	CasPol.exe
Token: SeRemoteShutdownPrivilege	3260	CasPol.exe
Token: SeUndockPrivilege	3260	CasPol.exe
Token: SeManageVolumePrivilege	3260	CasPol.exe
Token: SeImpersonatePrivilege	3260	CasPol.exe
Token: SeCreateGlobalPrivilege	3260	CasPol.exe
Token: 33	3260	CasPol.exe
Token: 34	3260	CasPol.exe
Token: 35	3260	CasPol.exe
Token: 36	3260	CasPol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3260	CasPol.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 3756	2816	ChessProgram19.exe	82
PID 2816 wrote to memory of 3756	2816	ChessProgram19.exe	82
PID 2816 wrote to memory of 3756	2816	ChessProgram19.exe	82
PID 3756 wrote to memory of 3260	3756	DR.exe	92
PID 3756 wrote to memory of 3260	3756	DR.exe	92
PID 3756 wrote to memory of 3260	3756	DR.exe	92
PID 3756 wrote to memory of 3260	3756	DR.exe	92
PID 3756 wrote to memory of 3260	3756	DR.exe	92
PID 3756 wrote to memory of 3260	3756	DR.exe	92
PID 3756 wrote to memory of 3260	3756	DR.exe	92

C:\Users\Admin\AppData\Local\Temp\Fritz 19.4 Multilingual\Crack\ChessProgram19.exe
"C:\Users\Admin\AppData\Local\Temp\Fritz 19.4 Multilingual\Crack\ChessProgram19.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DR.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DR.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3260
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CHESSP~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CHESSP~1.EXE
  2⤵
  - Executes dropped EXE
  PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CHESSP~1.EXE

Filesize
25.6MB

MD5
090a3402251b08d87b0c487e575307db

SHA1
86dd99ceb1f07d6cf3561e13240e44ef38500ab3

SHA256
e5b45e5f470f880511637d47e0a92e923ffd0b0c2645d7c6bbaaa4d33430c6b8

SHA512
ad0adbe865514ee3199db42cd39ae701b0b0d970244acd8cf8c6454b42298e9d2d493ccba779452045df2c7fecda22305d53a56c997631ac78d2cdd822f2c579

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DR.exe

Filesize
1.1MB

MD5
34d2e39ccda0b24f2fa3a18ad7bfc3ea

SHA1
3328ea22219e19acfca2739da6cfad0f9e2b5593

SHA256
091f1c9215727a96e78f74f1abbff5b2e12973c9e44d49b6179769c104154304

SHA512
beea0171d13dbc714fa50be3f865a8c88ce8484866279c8c40f2d81c3a04a8b1951efd8faf817e9458c0737f3045aad2f5c8c516ec2ef8e4ad3a1d79ee7a48df

Download Submit
memory/3260-19-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3260-26-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3260-25-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3260-24-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3260-22-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3260-21-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3756-10-0x0000000073A50000-0x0000000074200000-memory.dmp

Filesize
7.7MB

Download
memory/3756-15-0x0000000073A5E000-0x0000000073A5F000-memory.dmp

Filesize
4KB

Download
memory/3756-16-0x0000000073A50000-0x0000000074200000-memory.dmp

Filesize
7.7MB

Download
memory/3756-17-0x0000000006FE0000-0x0000000006FFA000-memory.dmp

Filesize
104KB

Download
memory/3756-18-0x0000000005760000-0x0000000005766000-memory.dmp

Filesize
24KB

Download
memory/3756-14-0x0000000005240000-0x000000000524A000-memory.dmp

Filesize
40KB

Download
memory/3756-13-0x0000000005260000-0x00000000052F2000-memory.dmp

Filesize
584KB

Download
memory/3756-12-0x0000000005770000-0x0000000005D14000-memory.dmp

Filesize
5.6MB

Download
memory/3756-23-0x0000000073A50000-0x0000000074200000-memory.dmp

Filesize
7.7MB

Download
memory/3756-11-0x0000000004FB0000-0x000000000504E000-memory.dmp

Filesize
632KB

Download
memory/3756-9-0x0000000004F10000-0x0000000004FAC000-memory.dmp

Filesize
624KB

Download
memory/3756-8-0x0000000000D10000-0x0000000000E36000-memory.dmp

Filesize
1.1MB

Download
memory/3756-7-0x0000000073A5E000-0x0000000073A5F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads