darkcomet | 314855348585bf77c0474f74a5b42bb4976b16f7305a4fed007c612e046f9f43

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

phonex.exe
Size

9KB
MD5

21157c4318cfd772a2d81e76a18205fc
SHA1

b5a62729a394113530ead2c87ac21493933e7686
SHA256

3f0ac34162f3c586de4344115e1f7465deb913d6b718485efc48a91d59f28a8d
SHA512

ed2a76cd16acb7880e90851d954ac46329b093db841bc8bb42fae213ae25da5ffb41d0e0d2ce962f3df76eb42901387c3231bb6d7158067b70ed3707c70bc2e4
SSDEEP

192:LL3AXeUgZ83tDpV4NnlYJ3nLTqVpb3vI:LLTVZ83FpS6XLTcI

Score

10^/10

darkcomet guest16 discovery evasion rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

hawbashmessi.no-ip.org:1604

Mutex

DC_MUTEX-YUH2TWC

Attributes

gencode
wdDMkYoQ5N1p
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3540	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	phonex.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phonex.exe	90784.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phonex.exe	90784.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\config.xml	90784.exe

Executes dropped EXE 1 IoCs

pid	Process
1608	90784.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4780 set thread context of 4348	4780	phonex.exe	83

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90784.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	phonex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4348	vbc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4348	vbc.exe
Token: SeSecurityPrivilege	4348	vbc.exe
Token: SeTakeOwnershipPrivilege	4348	vbc.exe
Token: SeLoadDriverPrivilege	4348	vbc.exe
Token: SeSystemProfilePrivilege	4348	vbc.exe
Token: SeSystemtimePrivilege	4348	vbc.exe
Token: SeProfSingleProcessPrivilege	4348	vbc.exe
Token: SeIncBasePriorityPrivilege	4348	vbc.exe
Token: SeCreatePagefilePrivilege	4348	vbc.exe
Token: SeBackupPrivilege	4348	vbc.exe
Token: SeRestorePrivilege	4348	vbc.exe
Token: SeShutdownPrivilege	4348	vbc.exe
Token: SeDebugPrivilege	4348	vbc.exe
Token: SeSystemEnvironmentPrivilege	4348	vbc.exe
Token: SeChangeNotifyPrivilege	4348	vbc.exe
Token: SeRemoteShutdownPrivilege	4348	vbc.exe
Token: SeUndockPrivilege	4348	vbc.exe
Token: SeManageVolumePrivilege	4348	vbc.exe
Token: SeImpersonatePrivilege	4348	vbc.exe
Token: SeCreateGlobalPrivilege	4348	vbc.exe
Token: 33	4348	vbc.exe
Token: 34	4348	vbc.exe
Token: 35	4348	vbc.exe
Token: 36	4348	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4348	vbc.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 4348	4780	phonex.exe	83
PID 4780 wrote to memory of 4348	4780	phonex.exe	83
PID 4780 wrote to memory of 4348	4780	phonex.exe	83
PID 4780 wrote to memory of 4348	4780	phonex.exe	83
PID 4780 wrote to memory of 4348	4780	phonex.exe	83
PID 4780 wrote to memory of 4348	4780	phonex.exe	83
PID 4780 wrote to memory of 4348	4780	phonex.exe	83
PID 4780 wrote to memory of 4348	4780	phonex.exe	83
PID 4780 wrote to memory of 4348	4780	phonex.exe	83
PID 4780 wrote to memory of 4348	4780	phonex.exe	83
PID 4780 wrote to memory of 4348	4780	phonex.exe	83
PID 4780 wrote to memory of 4348	4780	phonex.exe	83
PID 4780 wrote to memory of 4348	4780	phonex.exe	83
PID 4780 wrote to memory of 4348	4780	phonex.exe	83
PID 4780 wrote to memory of 212	4780	phonex.exe	84
PID 4780 wrote to memory of 212	4780	phonex.exe	84
PID 4780 wrote to memory of 212	4780	phonex.exe	84
PID 212 wrote to memory of 2148	212	vbc.exe	86
PID 212 wrote to memory of 2148	212	vbc.exe	86
PID 212 wrote to memory of 2148	212	vbc.exe	86
PID 4348 wrote to memory of 1228	4348	vbc.exe	87
PID 4348 wrote to memory of 1228	4348	vbc.exe	87
PID 4348 wrote to memory of 1228	4348	vbc.exe	87
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 4348 wrote to memory of 4532	4348	vbc.exe	88
PID 1228 wrote to memory of 3540	1228	cmd.exe	90
PID 1228 wrote to memory of 3540	1228	cmd.exe	90
PID 1228 wrote to memory of 3540	1228	cmd.exe	90
PID 4780 wrote to memory of 1608	4780	phonex.exe	91
PID 4780 wrote to memory of 1608	4780	phonex.exe	91
PID 4780 wrote to memory of 1608	4780	phonex.exe	91

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3540	attrib.exe

C:\Users\Admin\AppData\Local\Temp\phonex.exe
"C:\Users\Admin\AppData\Local\Temp\phonex.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3540
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4532
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xcsiiqnf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E15.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1AF5FF87C2844482936FFC6CEF979D6.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2148
- C:\Users\Admin\AppData\Roaming\90784.exe
  "C:\Users\Admin\AppData\Roaming\90784.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9E15.tmp

Filesize
1KB

MD5
bf3537d6abd98d39267193c9c4de89e8

SHA1
35262f45dc49fd15eb34af0c8b607ca85631186a

SHA256
9fe5ffc6bbda67063cb3e23d9588be3b46ed00befbea5f73c062443ffe751c72

SHA512
90e19f96c0f79b18f532ecf024393f9e116a61ad91bd14cdb1604bc1f148d288a215a3a3687440e149b4123340aacaf59c1eae38e1fe84065433d472ca3753a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1AF5FF87C2844482936FFC6CEF979D6.TMP

Filesize
932B

MD5
73f2103ee1efcb3041849a8dce7206b7

SHA1
9846c882a29e42215a0db3cbe52788fe63898cd8

SHA256
b76f1dbc9670e6dd6dce73d32ebc9852fd201237a9645de2ac8ce089b8c04d39

SHA512
599d87c3d141b2660aa8dc0474fdab5e78e54e60df883f2c58f1214b2980f9a88ec65adddd992c44984e4caeca87d971b08ab4696cd553777719c1a9c6a90dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcsiiqnf.0.vb

Filesize
1KB

MD5
3c461401090efdbda170de9d58af7b47

SHA1
bbb03aa924f4a64b8e02fd533becf4f87ead7248

SHA256
2d54b90258fb2e7118edd816686c7435f337f46417e399859a785d09581cff19

SHA512
5ef670dd7bbfc4f6a5401d88e133ca74b31003f76a27e58281779dfe732f999b938637a88ceaeb5c8a9bc27bbf9888ffaf63b18e8ddf960375d6782005252b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcsiiqnf.cmdline

Filesize
193B

MD5
8cad1c623dec81b93e51786e9c289dfd

SHA1
7c30278a87944c6e70987d5f0ec11d2ece0f655f

SHA256
795552d6cef4fc34f43805c68fe219c96acd1e9cd24e1b15d2132c730b566daf

SHA512
e712de573795b4ffbd240f78bc289a1520bf3cc904feb050fb3a7e4e1050d4e1b38db8db6721e0003589fd91fa095e48f70ef565695476dbfb506c2c22cf092e

Download Submit
C:\Users\Admin\AppData\Roaming\90784.exe

Filesize
7KB

MD5
f57cad595b8494e80c0d40286f3983d0

SHA1
0198a163e8c8de10ffaeced2f62f74ba500d63f3

SHA256
e0a9daaa4aa08a680c08ecaa0fdbd09a67c6c90d1c13da406179f365bed15b5f

SHA512
9f159a08276c79891f133e455490136100845c19efa39c4c4ea8c969929d65dbf96adb82848e0c1600bae797b01c348c7f1ce51d85aedfc88ebdff2cb27ee336

Download Submit
memory/212-21-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/212-12-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/4348-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-34-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-11-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-5-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-4-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-3-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-48-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-26-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-47-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-46-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-23-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-45-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-44-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-9-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-35-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-36-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-37-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-38-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-39-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-40-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-41-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-42-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4348-43-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4532-24-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/4780-32-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4780-1-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4780-0-0x00000000747D2000-0x00000000747D3000-memory.dmp

Filesize
4KB

Download
memory/4780-2-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads