darkcomet | 734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322e

General

Target

734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe
Size

520KB
MD5

ead518469e56fd742ed1955f744285e0
SHA1

d78a93bc65d01bbb505f58031a74a9a7219bd434
SHA256

734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322e
SHA512

cb4f39e081d400169d721a501ed97a094fb0a18b6980b4c8a60b4fa5c1da5be91bf5517ddb35b1e71d0f205c5e218ff74e71ecd435fb8bce105afe92c0cae3bf
SSDEEP

6144:f9GGo2CwtGg6eeihEfph2CMvvqqSaYwpncOeC66AOa0aFtVEQfTo1ozVqMbL:f9fC3hh29Ya77A90aFtDfT5IMbL

Score

10^/10

darkcomet privateeye discovery rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

PrivateEye

C2

ratblackshades.no-ip.biz:1604

Mutex

DC_MUTEX-ACC1R98

Attributes

gencode
8GG5LVVGljSF
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
Executes dropped EXE 3 IoCs

Processes:

winupd.exewinupd.exewinupd.exe

pid process

744 winupd.exe
384 winupd.exe
1712 winupd.exe

pid	process
744	winupd.exe
384	winupd.exe
1712	winupd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exewinupd.exe

description	pid	process	target process
PID 1832 set thread context of 1968	1832	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe
PID 744 set thread context of 384	744	winupd.exe	winupd.exe
PID 744 set thread context of 1712	744	winupd.exe	winupd.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1712-29-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1712-34-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1712-39-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1712-38-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1712-32-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1712-41-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1712-40-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1712-45-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1712-46-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1712-47-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1712-48-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2492 5024 WerFault.exe ipconfig.exe

pid	pid_target	process	target process
2492	5024	WerFault.exe	ipconfig.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

winupd.exewinupd.exewinupd.exe734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

5024 ipconfig.exe

pid	process
5024	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

winupd.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1712	winupd.exe
Token: SeSecurityPrivilege	1712	winupd.exe
Token: SeTakeOwnershipPrivilege	1712	winupd.exe
Token: SeLoadDriverPrivilege	1712	winupd.exe
Token: SeSystemProfilePrivilege	1712	winupd.exe
Token: SeSystemtimePrivilege	1712	winupd.exe
Token: SeProfSingleProcessPrivilege	1712	winupd.exe
Token: SeIncBasePriorityPrivilege	1712	winupd.exe
Token: SeCreatePagefilePrivilege	1712	winupd.exe
Token: SeBackupPrivilege	1712	winupd.exe
Token: SeRestorePrivilege	1712	winupd.exe
Token: SeShutdownPrivilege	1712	winupd.exe
Token: SeDebugPrivilege	1712	winupd.exe
Token: SeSystemEnvironmentPrivilege	1712	winupd.exe
Token: SeChangeNotifyPrivilege	1712	winupd.exe
Token: SeRemoteShutdownPrivilege	1712	winupd.exe
Token: SeUndockPrivilege	1712	winupd.exe
Token: SeManageVolumePrivilege	1712	winupd.exe
Token: SeImpersonatePrivilege	1712	winupd.exe
Token: SeCreateGlobalPrivilege	1712	winupd.exe
Token: 33	1712	winupd.exe
Token: 34	1712	winupd.exe
Token: 35	1712	winupd.exe
Token: 36	1712	winupd.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exewinupd.exewinupd.exewinupd.exe

pid	process
1832	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe
1968	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe
744	winupd.exe
384	winupd.exe
1712	winupd.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exewinupd.exewinupd.exe

description	pid	process	target process
PID 1832 wrote to memory of 1968	1832	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe
PID 1832 wrote to memory of 1968	1832	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe
PID 1832 wrote to memory of 1968	1832	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe
PID 1832 wrote to memory of 1968	1832	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe
PID 1832 wrote to memory of 1968	1832	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe
PID 1832 wrote to memory of 1968	1832	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe
PID 1832 wrote to memory of 1968	1832	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe
PID 1832 wrote to memory of 1968	1832	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe
PID 1968 wrote to memory of 744	1968	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe	winupd.exe
PID 1968 wrote to memory of 744	1968	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe	winupd.exe
PID 1968 wrote to memory of 744	1968	734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe	winupd.exe
PID 744 wrote to memory of 384	744	winupd.exe	winupd.exe
PID 744 wrote to memory of 384	744	winupd.exe	winupd.exe
PID 744 wrote to memory of 384	744	winupd.exe	winupd.exe
PID 744 wrote to memory of 384	744	winupd.exe	winupd.exe
PID 744 wrote to memory of 384	744	winupd.exe	winupd.exe
PID 744 wrote to memory of 384	744	winupd.exe	winupd.exe
PID 744 wrote to memory of 384	744	winupd.exe	winupd.exe
PID 744 wrote to memory of 384	744	winupd.exe	winupd.exe
PID 744 wrote to memory of 1712	744	winupd.exe	winupd.exe
PID 744 wrote to memory of 1712	744	winupd.exe	winupd.exe
PID 744 wrote to memory of 1712	744	winupd.exe	winupd.exe
PID 744 wrote to memory of 1712	744	winupd.exe	winupd.exe
PID 744 wrote to memory of 1712	744	winupd.exe	winupd.exe
PID 744 wrote to memory of 1712	744	winupd.exe	winupd.exe
PID 744 wrote to memory of 1712	744	winupd.exe	winupd.exe
PID 744 wrote to memory of 1712	744	winupd.exe	winupd.exe
PID 384 wrote to memory of 5024	384	winupd.exe	ipconfig.exe
PID 384 wrote to memory of 5024	384	winupd.exe	ipconfig.exe
PID 384 wrote to memory of 5024	384	winupd.exe	ipconfig.exe
PID 384 wrote to memory of 5024	384	winupd.exe	ipconfig.exe
PID 384 wrote to memory of 5024	384	winupd.exe	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe
"C:\Users\Admin\AppData\Local\Temp\734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe
  "C:\Users\Admin\AppData\Local\Temp\734478e466032b203f7777fc9154fa18ab78879ddff88007554661a2ae15322eN.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:384
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        "C:\Windows\system32\ipconfig.exe"
        5⤵
        Gathers network information
        
        PID:5024
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 272
        6⤵
        Program crash
        
        PID:2492
  - - C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5024 -ip 5024
1⤵
PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

Filesize
520KB

MD5
6043dcf656bc58860f5a84534acd74f5

SHA1
f137d5e01d7258dd0a98d3e6d5081a598e3c20e8

SHA256
b07111d98955cf7c6012092aae6bd333f7e0cfa8b0aaff3ab5065691330d42c4

SHA512
27ef5a9ccaf7b46bb074f367b18e287e8476b36ae322b5d257c44acdfd788b6de322133424f0f40369fc96a8c71ccc72ed9ae60fe8de40f29c040a51e9a78f2f

Download Submit
memory/384-44-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/744-37-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/744-24-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/744-23-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1712-41-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1712-32-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1712-48-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1712-47-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1712-46-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1712-45-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1712-40-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1712-29-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1712-34-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1712-39-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1712-38-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1832-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1832-4-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1832-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1832-3-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1832-10-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1968-5-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1968-7-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1968-21-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1968-20-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads