darkcomet | b424e3d922c7553b3891fa320bdf747d5a848062155921dd84c75666ec44190b

General

Target

340A76BBE6FF68F16A5764D5D0C16E3D69963586B7615EBA1B0B7EB2927C71B8.exe
Size

408KB
MD5

ad4998599d4813eab96545d795bcbd67
SHA1

7e9918c15c69e44872b15162e88bd43ffd093e39
SHA256

340a76bbe6ff68f16a5764d5d0c16e3d69963586b7615eba1b0b7eb2927c71b8
SHA512

7b39377cbd58c4686e376ab16ae4024b692151713ce9438e313578c51b768b0ad14fe4307e962b2208a9ee3ddf8499cf0a64afa267be6169bdb9ca53dec48ddc
SSDEEP

6144:dIojNbr2bmNsuZZDjTmAvDZVI+R0a1j30VmMTyA9w+XTDqHpRx5pH8ztpRBW:dF2bm6ubjKALZ7mUoYYwdH+ztp

Score

10^/10

darkcomet adob discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

adob

C2

clientts.ddns.net:11423

Mutex

DCMIN_MUTEX-4J4LMH5

Attributes

gencode
F3mMt9kNpP7F
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 2 IoCs

pid	Process
2056	svhost.exe
2556	svhost.exe

Loads dropped DLL 1 IoCs

pid	Process
2336	340A76BBE6FF68F16A5764D5D0C16E3D69963586B7615EBA1B0B7EB2927C71B8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Eninan = "C:\\ProgramData\\Microsoft\\Eninan.url"	svhost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2056 set thread context of 2584	2056	svhost.exe	33

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2584-29-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2584-32-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2584-27-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2584-33-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2584-34-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2584-35-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2584-37-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2584-36-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	340A76BBE6FF68F16A5764D5D0C16E3D69963586B7615EBA1B0B7EB2927C71B8.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2056	svhost.exe
2056	svhost.exe
2056	svhost.exe
2056	svhost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	svhost.exe
Token: SeIncreaseQuotaPrivilege	2584	regasm.exe
Token: SeSecurityPrivilege	2584	regasm.exe
Token: SeTakeOwnershipPrivilege	2584	regasm.exe
Token: SeLoadDriverPrivilege	2584	regasm.exe
Token: SeSystemProfilePrivilege	2584	regasm.exe
Token: SeSystemtimePrivilege	2584	regasm.exe
Token: SeProfSingleProcessPrivilege	2584	regasm.exe
Token: SeIncBasePriorityPrivilege	2584	regasm.exe
Token: SeCreatePagefilePrivilege	2584	regasm.exe
Token: SeBackupPrivilege	2584	regasm.exe
Token: SeRestorePrivilege	2584	regasm.exe
Token: SeShutdownPrivilege	2584	regasm.exe
Token: SeDebugPrivilege	2584	regasm.exe
Token: SeSystemEnvironmentPrivilege	2584	regasm.exe
Token: SeChangeNotifyPrivilege	2584	regasm.exe
Token: SeRemoteShutdownPrivilege	2584	regasm.exe
Token: SeUndockPrivilege	2584	regasm.exe
Token: SeManageVolumePrivilege	2584	regasm.exe
Token: SeImpersonatePrivilege	2584	regasm.exe
Token: SeCreateGlobalPrivilege	2584	regasm.exe
Token: 33	2584	regasm.exe
Token: 34	2584	regasm.exe
Token: 35	2584	regasm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2584	regasm.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2056	2336	340A76BBE6FF68F16A5764D5D0C16E3D69963586B7615EBA1B0B7EB2927C71B8.exe	31
PID 2336 wrote to memory of 2056	2336	340A76BBE6FF68F16A5764D5D0C16E3D69963586B7615EBA1B0B7EB2927C71B8.exe	31
PID 2336 wrote to memory of 2056	2336	340A76BBE6FF68F16A5764D5D0C16E3D69963586B7615EBA1B0B7EB2927C71B8.exe	31
PID 2336 wrote to memory of 2056	2336	340A76BBE6FF68F16A5764D5D0C16E3D69963586B7615EBA1B0B7EB2927C71B8.exe	31
PID 2056 wrote to memory of 2556	2056	svhost.exe	32
PID 2056 wrote to memory of 2556	2056	svhost.exe	32
PID 2056 wrote to memory of 2556	2056	svhost.exe	32
PID 2056 wrote to memory of 2556	2056	svhost.exe	32
PID 2056 wrote to memory of 2584	2056	svhost.exe	33
PID 2056 wrote to memory of 2584	2056	svhost.exe	33
PID 2056 wrote to memory of 2584	2056	svhost.exe	33
PID 2056 wrote to memory of 2584	2056	svhost.exe	33
PID 2056 wrote to memory of 2584	2056	svhost.exe	33
PID 2056 wrote to memory of 2584	2056	svhost.exe	33
PID 2056 wrote to memory of 2584	2056	svhost.exe	33
PID 2056 wrote to memory of 2584	2056	svhost.exe	33
PID 2056 wrote to memory of 2584	2056	svhost.exe	33
PID 2056 wrote to memory of 2584	2056	svhost.exe	33
PID 2056 wrote to memory of 2584	2056	svhost.exe	33

C:\Users\Admin\AppData\Local\Temp\340A76BBE6FF68F16A5764D5D0C16E3D69963586B7615EBA1B0B7EB2927C71B8.exe
"C:\Users\Admin\AppData\Local\Temp\340A76BBE6FF68F16A5764D5D0C16E3D69963586B7615EBA1B0B7EB2927C71B8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\ProgramData\Microsoft\svhost.exe
  "C:\ProgramData\Microsoft\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\ProgramData\Microsoft\svhost.exe
    "C:\ProgramData\Microsoft\svhost.exe"
    3⤵
    - Executes dropped EXE
    PID:2556
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\svhost.exe

Filesize
408KB

MD5
ad4998599d4813eab96545d795bcbd67

SHA1
7e9918c15c69e44872b15162e88bd43ffd093e39

SHA256
340a76bbe6ff68f16a5764d5d0c16e3d69963586b7615eba1b0b7eb2927c71b8

SHA512
7b39377cbd58c4686e376ab16ae4024b692151713ce9438e313578c51b768b0ad14fe4307e962b2208a9ee3ddf8499cf0a64afa267be6169bdb9ca53dec48ddc

Download Submit
memory/2056-22-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/2056-21-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/2056-20-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/2056-17-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/2056-18-0x0000000000FE0000-0x000000000104A000-memory.dmp

Filesize
424KB

Download
memory/2336-6-0x00000000743DE000-0x00000000743DF000-memory.dmp

Filesize
4KB

Download
memory/2336-1-0x00000000013D0000-0x000000000143A000-memory.dmp

Filesize
424KB

Download
memory/2336-8-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/2336-0-0x00000000743DE000-0x00000000743DF000-memory.dmp

Filesize
4KB

Download
memory/2336-19-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/2336-5-0x00000000004D0000-0x00000000004DA000-memory.dmp

Filesize
40KB

Download
memory/2336-4-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/2336-3-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/2336-2-0x00000000011C0000-0x000000000122E000-memory.dmp

Filesize
440KB

Download
memory/2336-7-0x00000000743D0000-0x0000000074ABE000-memory.dmp

Filesize
6.9MB

Download
memory/2584-29-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2584-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-25-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2584-32-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2584-27-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2584-33-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2584-34-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2584-35-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2584-37-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2584-36-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads