darkcomet | a3a877d52fb6aa2a33a0d85893c73fdbe0621be7aeb4efeda42e05addfcc1a90

General

Target

Techno-Scape Client/run.exe
Size

430KB
MD5

e0d6a1a9287d1408cd21559123d7b240
SHA1

6bf371c744dcbafa061a3566e1e99c91ff134178
SHA256

0a62af46dcf7072571e40cd9d6091bb04b62e88e043496127b36871fb07b534a
SHA512

03bc5cd56f73fb1592544a719ca79cc8d867b3e0b0f4fc3e042ab3b4e4352417f37a4e9a8c3ba23df0c0d15d177fd9c2abf702c0310d04550f3f0bec9b24c3b8
SSDEEP

6144:WYmHLKxXSSe9bGVGy4AmQ9ayfHBAfmhX5mggooeP3jvWmzi3MizYqI/xhrv9:TUmgb5Amma6BAf+5mOjvW13XIh79

Score

10^/10

darkcomet guest16 discovery rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

anonymous.no-ip.biz:1604

Mutex

DC_MUTEX-584KTPC

Attributes

gencode
bynBHQc30zXD
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 1 IoCs

pid	Process
2692	run.exe

Loads dropped DLL 1 IoCs

pid	Process
2264	run.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2264 set thread context of 2692	2264	run.exe	30

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral9/memory/2692-5-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral9/memory/2692-10-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral9/memory/2692-11-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral9/memory/2692-8-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral9/memory/2692-4-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral9/memory/2692-12-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral9/memory/2692-13-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral9/memory/2692-14-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral9/memory/2692-16-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral9/memory/2692-17-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral9/memory/2692-18-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral9/memory/2692-22-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral9/memory/2692-25-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral9/memory/2692-26-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral9/memory/2692-29-0x0000000000400000-0x00000000004E8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	run.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	run.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2264	run.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2692	run.exe
Token: SeSecurityPrivilege	2692	run.exe
Token: SeTakeOwnershipPrivilege	2692	run.exe
Token: SeLoadDriverPrivilege	2692	run.exe
Token: SeSystemProfilePrivilege	2692	run.exe
Token: SeSystemtimePrivilege	2692	run.exe
Token: SeProfSingleProcessPrivilege	2692	run.exe
Token: SeIncBasePriorityPrivilege	2692	run.exe
Token: SeCreatePagefilePrivilege	2692	run.exe
Token: SeBackupPrivilege	2692	run.exe
Token: SeRestorePrivilege	2692	run.exe
Token: SeShutdownPrivilege	2692	run.exe
Token: SeDebugPrivilege	2692	run.exe
Token: SeSystemEnvironmentPrivilege	2692	run.exe
Token: SeChangeNotifyPrivilege	2692	run.exe
Token: SeRemoteShutdownPrivilege	2692	run.exe
Token: SeUndockPrivilege	2692	run.exe
Token: SeManageVolumePrivilege	2692	run.exe
Token: SeImpersonatePrivilege	2692	run.exe
Token: SeCreateGlobalPrivilege	2692	run.exe
Token: 33	2692	run.exe
Token: 34	2692	run.exe
Token: 35	2692	run.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2692	run.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2692	2264	run.exe	30
PID 2264 wrote to memory of 2692	2264	run.exe	30
PID 2264 wrote to memory of 2692	2264	run.exe	30
PID 2264 wrote to memory of 2692	2264	run.exe	30
PID 2264 wrote to memory of 2692	2264	run.exe	30
PID 2264 wrote to memory of 2692	2264	run.exe	30
PID 2264 wrote to memory of 2692	2264	run.exe	30
PID 2264 wrote to memory of 2692	2264	run.exe	30

C:\Users\Admin\AppData\Local\Temp\Techno-Scape Client\run.exe
"C:\Users\Admin\AppData\Local\Temp\Techno-Scape Client\run.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\Techno-Scape Client\run.exe
  "C:\Users\Admin\AppData\Local\Temp\Techno-Scape Client\run.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Techno-Scape Client\run.exe

Filesize
430KB

MD5
e0d6a1a9287d1408cd21559123d7b240

SHA1
6bf371c744dcbafa061a3566e1e99c91ff134178

SHA256
0a62af46dcf7072571e40cd9d6091bb04b62e88e043496127b36871fb07b534a

SHA512
03bc5cd56f73fb1592544a719ca79cc8d867b3e0b0f4fc3e042ab3b4e4352417f37a4e9a8c3ba23df0c0d15d177fd9c2abf702c0310d04550f3f0bec9b24c3b8

Download Submit
memory/2264-0-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2692-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2692-14-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2692-10-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2692-11-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2692-8-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2692-4-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2692-2-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2692-12-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2692-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2692-5-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2692-15-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2692-16-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2692-17-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2692-18-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2692-20-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2692-22-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2692-25-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2692-26-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2692-29-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing