darkcomet | fe7e861f25edd070d70dd0551ef3ffa67bdd4e4527d07738b55bb60f38554a3c

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe7e861f25edd070d70dd0551ef3ffa67bdd4e4527d07738b55bb60f38554a3c.exe
Size

500KB
MD5

7b0efc4e44f8bb612a1506db5ab5aa0e
SHA1

b71347881754796387238c3741b480f1e8c92b5e
SHA256

fe7e861f25edd070d70dd0551ef3ffa67bdd4e4527d07738b55bb60f38554a3c
SHA512

2a00bb9541af1a1b22e8b4c55ba7ace3a64e2a27c052b7d78b55a1d1104fc046021784f079379bcf82947285bb5465f03d3b71f7546d61f156aac488bf3e4742
SSDEEP

12288:XHSqctaCAAEZOu8so1G51zlU1wM+AQYMyR00Z:XHSDa7JZOu8sbzU1IA7L+0Z

Score

10^/10

darkcomet defense_evasion discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\svchost.exe:ZONE.identifier	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\svchost.exe:ZONE.identifier	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 3304	3216	fe7e861f25edd070d70dd0551ef3ffa67bdd4e4527d07738b55bb60f38554a3c.exe	83
PID 3216 wrote to memory of 3304	3216	fe7e861f25edd070d70dd0551ef3ffa67bdd4e4527d07738b55bb60f38554a3c.exe	83
PID 3216 wrote to memory of 3304	3216	fe7e861f25edd070d70dd0551ef3ffa67bdd4e4527d07738b55bb60f38554a3c.exe	83
PID 3216 wrote to memory of 4932	3216	fe7e861f25edd070d70dd0551ef3ffa67bdd4e4527d07738b55bb60f38554a3c.exe	85
PID 3216 wrote to memory of 4932	3216	fe7e861f25edd070d70dd0551ef3ffa67bdd4e4527d07738b55bb60f38554a3c.exe	85
PID 3216 wrote to memory of 2404	3216	fe7e861f25edd070d70dd0551ef3ffa67bdd4e4527d07738b55bb60f38554a3c.exe	87
PID 3216 wrote to memory of 2404	3216	fe7e861f25edd070d70dd0551ef3ffa67bdd4e4527d07738b55bb60f38554a3c.exe	87
PID 3216 wrote to memory of 2404	3216	fe7e861f25edd070d70dd0551ef3ffa67bdd4e4527d07738b55bb60f38554a3c.exe	87

C:\Users\Admin\AppData\Local\Temp\fe7e861f25edd070d70dd0551ef3ffa67bdd4e4527d07738b55bb60f38554a3c.exe
"C:\Users\Admin\AppData\Local\Temp\fe7e861f25edd070d70dd0551ef3ffa67bdd4e4527d07738b55bb60f38554a3c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3304
- C:\Windows\SYSTEM32\cmd.exe
  "cmd"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4932
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3216-0-0x00007FFAB0555000-0x00007FFAB0556000-memory.dmp

Filesize
4KB

Download
memory/3216-1-0x000000001B710000-0x000000001BBDE000-memory.dmp

Filesize
4.8MB

Download
memory/3216-2-0x00007FFAB02A0000-0x00007FFAB0C41000-memory.dmp

Filesize
9.6MB

Download
memory/3216-4-0x00007FFAB02A0000-0x00007FFAB0C41000-memory.dmp

Filesize
9.6MB

Download
memory/3216-3-0x000000001B080000-0x000000001B126000-memory.dmp

Filesize
664KB

Download
memory/3216-5-0x000000001B130000-0x000000001B1AC000-memory.dmp

Filesize
496KB

Download
memory/3216-7-0x0000000000930000-0x0000000000935000-memory.dmp

Filesize
20KB

Download
memory/3216-9-0x000000001BDD0000-0x000000001BE85000-memory.dmp

Filesize
724KB

Download
memory/3216-11-0x00007FFAB02A0000-0x00007FFAB0C41000-memory.dmp

Filesize
9.6MB

Download