darkcomet | 554ba8585577dce1573b9b1a43607fed63d70f8cd38e9ab7bf7b8df219453ad1

General

Target

Bloxstrap v281.exe
Size

11.9MB
MD5

0be784b86944b7a9bf441f7a162c5063
SHA1

c9c4b60ceecbecd97ccfbb32a5ace6792b13b87e
SHA256

554ba8585577dce1573b9b1a43607fed63d70f8cd38e9ab7bf7b8df219453ad1
SHA512

f4381fc9164629e93c0e5f459b99831c6b1825640104081a0370136e3d539fbc9bedab89b459b4583aec75ed5352abafbd05fbcdfc8d64819b8f9e2abe4b2086
SSDEEP

98304:o1qZ+pv3Tscod5DFasb/r5vGWD3EOYoHwfLk3vSmaR0+Mc4AN0edaAHDfysrTlGK:o1qZ+pLscVsb/r5vGlObAbN0t

Score

10^/10

darkcomet guest16 discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

saw-shirts.gl.at.ply.gg:4164

Mutex

DC_MUTEX-F54S21D

Attributes

InstallPath
Bloxstrap.exe
gencode
3zEvf95rCogr
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
Executes dropped EXE 3 IoCs

Processes:

BLOXSTRAP-V2.8.1 (1).EXEBLOXSTRAP.EXE

pid process

2872 BLOXSTRAP-V2.8.1 (1).EXE
2684 BLOXSTRAP.EXE
1196
Loads dropped DLL 3 IoCs

Processes:

Bloxstrap v281.exe

pid process

2868 Bloxstrap v281.exe
2868 Bloxstrap v281.exe
2868 Bloxstrap v281.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2872	BLOXSTRAP-V2.8.1 (1).EXE
2684	BLOXSTRAP.EXE
1196

pid	process
2868	Bloxstrap v281.exe
2868	Bloxstrap v281.exe
2868	Bloxstrap v281.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Bloxstrap v281.exeBLOXSTRAP.EXEnotepad.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bloxstrap v281.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BLOXSTRAP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

BLOXSTRAP.EXE

pid	process
2684	BLOXSTRAP.EXE
2684	BLOXSTRAP.EXE
2684	BLOXSTRAP.EXE
2684	BLOXSTRAP.EXE
2684	BLOXSTRAP.EXE
2684	BLOXSTRAP.EXE
2684	BLOXSTRAP.EXE
2684	BLOXSTRAP.EXE
2684	BLOXSTRAP.EXE
2684	BLOXSTRAP.EXE
2684	BLOXSTRAP.EXE

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

BLOXSTRAP.EXE

description	pid	process
Token: SeIncreaseQuotaPrivilege	2684	BLOXSTRAP.EXE
Token: SeSecurityPrivilege	2684	BLOXSTRAP.EXE
Token: SeTakeOwnershipPrivilege	2684	BLOXSTRAP.EXE
Token: SeLoadDriverPrivilege	2684	BLOXSTRAP.EXE
Token: SeSystemProfilePrivilege	2684	BLOXSTRAP.EXE
Token: SeSystemtimePrivilege	2684	BLOXSTRAP.EXE
Token: SeProfSingleProcessPrivilege	2684	BLOXSTRAP.EXE
Token: SeIncBasePriorityPrivilege	2684	BLOXSTRAP.EXE
Token: SeCreatePagefilePrivilege	2684	BLOXSTRAP.EXE
Token: SeBackupPrivilege	2684	BLOXSTRAP.EXE
Token: SeRestorePrivilege	2684	BLOXSTRAP.EXE
Token: SeShutdownPrivilege	2684	BLOXSTRAP.EXE
Token: SeDebugPrivilege	2684	BLOXSTRAP.EXE
Token: SeSystemEnvironmentPrivilege	2684	BLOXSTRAP.EXE
Token: SeChangeNotifyPrivilege	2684	BLOXSTRAP.EXE
Token: SeRemoteShutdownPrivilege	2684	BLOXSTRAP.EXE
Token: SeUndockPrivilege	2684	BLOXSTRAP.EXE
Token: SeManageVolumePrivilege	2684	BLOXSTRAP.EXE
Token: SeImpersonatePrivilege	2684	BLOXSTRAP.EXE
Token: SeCreateGlobalPrivilege	2684	BLOXSTRAP.EXE
Token: 33	2684	BLOXSTRAP.EXE
Token: 34	2684	BLOXSTRAP.EXE
Token: 35	2684	BLOXSTRAP.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

BLOXSTRAP.EXE

pid process

2684 BLOXSTRAP.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

Bloxstrap v281.exeBLOXSTRAP.EXE

description	pid	process	target process
PID 2868 wrote to memory of 2872	2868	Bloxstrap v281.exe	BLOXSTRAP-V2.8.1 (1).EXE
PID 2868 wrote to memory of 2872	2868	Bloxstrap v281.exe	BLOXSTRAP-V2.8.1 (1).EXE
PID 2868 wrote to memory of 2872	2868	Bloxstrap v281.exe	BLOXSTRAP-V2.8.1 (1).EXE
PID 2868 wrote to memory of 2872	2868	Bloxstrap v281.exe	BLOXSTRAP-V2.8.1 (1).EXE
PID 2868 wrote to memory of 2684	2868	Bloxstrap v281.exe	BLOXSTRAP.EXE
PID 2868 wrote to memory of 2684	2868	Bloxstrap v281.exe	BLOXSTRAP.EXE
PID 2868 wrote to memory of 2684	2868	Bloxstrap v281.exe	BLOXSTRAP.EXE
PID 2868 wrote to memory of 2684	2868	Bloxstrap v281.exe	BLOXSTRAP.EXE
PID 2684 wrote to memory of 3040	2684	BLOXSTRAP.EXE	iexplore.exe
PID 2684 wrote to memory of 3040	2684	BLOXSTRAP.EXE	iexplore.exe
PID 2684 wrote to memory of 3040	2684	BLOXSTRAP.EXE	iexplore.exe
PID 2684 wrote to memory of 3040	2684	BLOXSTRAP.EXE	iexplore.exe
PID 2684 wrote to memory of 3064	2684	BLOXSTRAP.EXE	explorer.exe
PID 2684 wrote to memory of 3064	2684	BLOXSTRAP.EXE	explorer.exe
PID 2684 wrote to memory of 3064	2684	BLOXSTRAP.EXE	explorer.exe
PID 2684 wrote to memory of 3064	2684	BLOXSTRAP.EXE	explorer.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe
PID 2684 wrote to memory of 1644	2684	BLOXSTRAP.EXE	notepad.exe

C:\Users\Admin\AppData\Local\Temp\Bloxstrap v281.exe
"C:\Users\Admin\AppData\Local\Temp\Bloxstrap v281.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\BLOXSTRAP-V2.8.1 (1).EXE
  "C:\Users\Admin\AppData\Local\Temp\BLOXSTRAP-V2.8.1 (1).EXE"
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Users\Admin\AppData\Local\Temp\BLOXSTRAP.EXE
  "C:\Users\Admin\AppData\Local\Temp\BLOXSTRAP.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:3040
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\BLOXSTRAP-V2.8.1 (1).EXE

Filesize
11.1MB

MD5
60246a70b28a9d7ef6a2dfe009e48075

SHA1
8dd51b8460307f785690008657918540a8ee4998

SHA256
e9091fa15944a451e792674cf408e400a5e6391cd31160040210b494bd723f17

SHA512
551ffebc64b11e21a234b3ac5a1e103e5cf0ff4fd4d5b71628d0c4215b24fbca946cc7dc14571667214dca86ae9c3327c928b996be456529f84bb2f4a0901e5f

Download Submit
\Users\Admin\AppData\Local\Temp\BLOXSTRAP.EXE

Filesize
660KB

MD5
4d734f4366e741c2dcdffeb170b267ff

SHA1
b659aa63fb1799294df03af19a7f3656afbf78ac

SHA256
7035b553d2a0117d081c5d567710d6fc10c7de2b37880502cc1c20613ccc39f2

SHA512
aea127a538d10b9dec114f105728b1c2edeb10b32ab34afc257acdbac65eed82b44dabb35914cd4313b170270f01fd2b120494b76fe656fe8abe9e1b06e84819

Download Submit
memory/1644-18-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1644-55-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2684-15-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2684-57-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads