darkcomet | 9aed0cbba11197860a2b4d47e31d0561366b1380434b32c5e6a57c103e0bd40a

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/01/2025, 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

passw‮‮‮‮‮‮‮‮txt.scr
Size

1.2MB
MD5

77ca989ad6e7b03b45fae82a76033687
SHA1

0d12fc51c81dc320799daa675ebdf351d46a5573
SHA256

6ac3f0bd420b687c360daf61df09899b570d088479d4ba0eb1b934affbed3530
SHA512

6280ba36dc01aef0769209669086adb249b0b3db421c7859edef7028bbd65830cbe24aa21f7d36964983dfb9f117fe144556312a27f293e4973d150bb9733c04
SSDEEP

24576:iXxU5ks52tv1lETA6FEtDQk7rfunI7gB+M:rYF1lETA6FED7B7gB+M

Score

10^/10

darkcomet guest16 discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

marins.zapto.org:200

Mutex

DC_MUTEX-4P3XX1N

Attributes

gencode
aGYevwKbDrua
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1704 set thread context of 2724	1704	passw‮‮‮‮‮‮‮‮txt.scr	36

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	passw‮‮‮‮‮‮‮‮txt.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1704	passw‮‮‮‮‮‮‮‮txt.scr
Token: SeIncreaseQuotaPrivilege	2724	vbc.exe
Token: SeSecurityPrivilege	2724	vbc.exe
Token: SeTakeOwnershipPrivilege	2724	vbc.exe
Token: SeLoadDriverPrivilege	2724	vbc.exe
Token: SeSystemProfilePrivilege	2724	vbc.exe
Token: SeSystemtimePrivilege	2724	vbc.exe
Token: SeProfSingleProcessPrivilege	2724	vbc.exe
Token: SeIncBasePriorityPrivilege	2724	vbc.exe
Token: SeCreatePagefilePrivilege	2724	vbc.exe
Token: SeBackupPrivilege	2724	vbc.exe
Token: SeRestorePrivilege	2724	vbc.exe
Token: SeShutdownPrivilege	2724	vbc.exe
Token: SeDebugPrivilege	2724	vbc.exe
Token: SeSystemEnvironmentPrivilege	2724	vbc.exe
Token: SeChangeNotifyPrivilege	2724	vbc.exe
Token: SeRemoteShutdownPrivilege	2724	vbc.exe
Token: SeUndockPrivilege	2724	vbc.exe
Token: SeManageVolumePrivilege	2724	vbc.exe
Token: SeImpersonatePrivilege	2724	vbc.exe
Token: SeCreateGlobalPrivilege	2724	vbc.exe
Token: 33	2724	vbc.exe
Token: 34	2724	vbc.exe
Token: 35	2724	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2724	vbc.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1672	1704	passw‮‮‮‮‮‮‮‮txt.scr	30
PID 1704 wrote to memory of 1672	1704	passw‮‮‮‮‮‮‮‮txt.scr	30
PID 1704 wrote to memory of 1672	1704	passw‮‮‮‮‮‮‮‮txt.scr	30
PID 1704 wrote to memory of 1672	1704	passw‮‮‮‮‮‮‮‮txt.scr	30
PID 1672 wrote to memory of 1336	1672	vbc.exe	32
PID 1672 wrote to memory of 1336	1672	vbc.exe	32
PID 1672 wrote to memory of 1336	1672	vbc.exe	32
PID 1672 wrote to memory of 1336	1672	vbc.exe	32
PID 1704 wrote to memory of 2396	1704	passw‮‮‮‮‮‮‮‮txt.scr	33
PID 1704 wrote to memory of 2396	1704	passw‮‮‮‮‮‮‮‮txt.scr	33
PID 1704 wrote to memory of 2396	1704	passw‮‮‮‮‮‮‮‮txt.scr	33
PID 1704 wrote to memory of 2396	1704	passw‮‮‮‮‮‮‮‮txt.scr	33
PID 2396 wrote to memory of 1244	2396	vbc.exe	35
PID 2396 wrote to memory of 1244	2396	vbc.exe	35
PID 2396 wrote to memory of 1244	2396	vbc.exe	35
PID 2396 wrote to memory of 1244	2396	vbc.exe	35
PID 1704 wrote to memory of 2724	1704	passw‮‮‮‮‮‮‮‮txt.scr	36
PID 1704 wrote to memory of 2724	1704	passw‮‮‮‮‮‮‮‮txt.scr	36
PID 1704 wrote to memory of 2724	1704	passw‮‮‮‮‮‮‮‮txt.scr	36
PID 1704 wrote to memory of 2724	1704	passw‮‮‮‮‮‮‮‮txt.scr	36
PID 1704 wrote to memory of 2724	1704	passw‮‮‮‮‮‮‮‮txt.scr	36
PID 1704 wrote to memory of 2724	1704	passw‮‮‮‮‮‮‮‮txt.scr	36
PID 1704 wrote to memory of 2724	1704	passw‮‮‮‮‮‮‮‮txt.scr	36
PID 1704 wrote to memory of 2724	1704	passw‮‮‮‮‮‮‮‮txt.scr	36
PID 1704 wrote to memory of 2724	1704	passw‮‮‮‮‮‮‮‮txt.scr	36
PID 1704 wrote to memory of 2724	1704	passw‮‮‮‮‮‮‮‮txt.scr	36
PID 1704 wrote to memory of 2724	1704	passw‮‮‮‮‮‮‮‮txt.scr	36
PID 1704 wrote to memory of 2724	1704	passw‮‮‮‮‮‮‮‮txt.scr	36
PID 1704 wrote to memory of 2724	1704	passw‮‮‮‮‮‮‮‮txt.scr	36

C:\Users\Admin\AppData\Local\Temp\passw‮‮‮‮‮‮‮‮txt.scr
"C:\Users\Admin\AppData\Local\Temp\passw‮‮‮‮‮‮‮‮txt.scr" /S
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fgpye3fc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB93.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB92.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1336
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vgtwsgnu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC1F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC1E.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1244
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBB93.tmp

Filesize
1KB

MD5
0a08ec07b23f1007fcba65ac38b47a11

SHA1
03ff56201799c4db372b1bf53c45a310003334dd

SHA256
a6505068278b26580205b9e301b1ebd8ec8351d81228f324937bac2c18b9bf3c

SHA512
fa1f8f0f377e2ab80cade7388345d58db230b4299052f82f10f02aef3e7e5cf64f084fabee8d82c0b972cdac2ecdf2f63545ae119e4fd29880fe8cbe66b6af01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC1F.tmp

Filesize
1KB

MD5
e2c4d5b38ffa83082ee250e6b2e203f5

SHA1
34e79988674294cd70c8970fd4d95a239b445050

SHA256
79a197beed26c5803d96fd94d3624c7d3c6d37ab6016a28854c1e5a081c8bee3

SHA512
f3ecbb29dd77c91eb045e05976c2ecef70445755b24e4f66e0e07c010c0bdac227ef255a2f9a4f95de012e47bd0550f7dea0e7e77aeb03008c126deefe756ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgpye3fc.0.vb

Filesize
254B

MD5
36757aabf0e4f39dfa4e7d0e2c0506fd

SHA1
3bebb1de5f217019420de8336b66b8768502cb41

SHA256
97b2b1e8c82404ea0cce8951b9a9dc503d3057c53d1734a18a5140061a5087df

SHA512
67abe6724460d9b9bf55f88230ca05f692cce346266486b73504bd1369aa814b0e1424a0572bdd0d48621bcb01a652ea757beb2ae5544ba9db2c790fed6d35b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgpye3fc.cmdline

Filesize
317B

MD5
000b72759b7d881cec385ae55bac22e3

SHA1
9f665ca20d6a225b2579ccd62c5a3862bef6fbd1

SHA256
32865a3bf3958ae14e21ec6a2587851297e3cbe5fe9d749b14ae811f8532d877

SHA512
764f186dd65963fb614b1174da0f20c997938a6034fd2eab177750249309aa62fa1ab8a24c0936b6dce24ef2eb6594ef9d29d89bee6d7b6b69e46a61d5296d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgpye3fc.dll

Filesize
6KB

MD5
02456d5a1d1e3d7a0090c9020e7e0fbe

SHA1
057b084fff32a4d622f96425cb16a7c18d0a1e37

SHA256
63d8878b79930df9f44f33ab4fb051f430993e44ac5d123aa3300eb4f8e59a80

SHA512
023ddacc0a9ca2e51e838ec02dca6eb3fc1a0fced677c6a0507ac7588e6136de892f7449e0f8d5b2dcd0767b8fb58383104aea703a72a6bd5d9e20f9f4b064a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBB92.tmp

Filesize
652B

MD5
0dec48a2c728c6a33a97a17669cc3e79

SHA1
ba301ad2f9b25336fb83050a9feebe3562d58e4a

SHA256
ddd78c3e7aae795ce83b83a067f95dfeb1090a994a8159c06041a1df2e02e8ba

SHA512
3a01d497b87aed4a178fcbd116754f66218f351748f38fac1a3aa7f3e1317bf56dc08131ad3fac660e1db2f6509c8c0a07aa5b506dcdf416839ccfe94abe4a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBC1E.tmp

Filesize
652B

MD5
d08bce3671d12135f5dee3b9f530df44

SHA1
960082e5985518167c96a6b8c5b7506380742826

SHA256
3b8a48ab4d9de55d1cefec249132839f3c12f2f73f8b9040a0c2b4adbfaf7224

SHA512
7707a8199e1be16074e2730b5bf395f826cd7b1a99ce656f1cc7c9048a581533ddcceb4fae3d1b4a806a482d931f775bffbb5b938e36e911b03a796323ef7204

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgtwsgnu.cmdline

Filesize
317B

MD5
fb2d4891e0d6965dd1911cc06db5f236

SHA1
ecabd18b0d1b310ced895e4a0373ca3d03b552fa

SHA256
2dfc77958e43fd59d8e444208c9945d3bcd58b8dc14c8155e06704bb0ecb75dc

SHA512
947142b446023ee18c770afde69432cddc154854c6a37a6a6b893c050f2993812fe482b9ef0206977b426776b572e4ef03a3ac3db8c3579501b74b2708002af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgtwsgnu.dll

Filesize
6KB

MD5
1170b6f56cd31ade93f0970b36ff0f9f

SHA1
af4ab8df2e76f31b9d98a1a505c8592468fe2166

SHA256
3ff52547bda09f0508250636194bc909042ad6d6c4cefd731cab2c8b257f37d7

SHA512
a287240e9a58150006b62a7ceb5dfed2919ab3b987c7fe7eb85e40c5a0274aa499f10d4353b79542a73513a44090640d4f972f6c6c8221876439c570de470efe

Download Submit
memory/1672-7-0x0000000074F20000-0x00000000754CB000-memory.dmp

Filesize
5.7MB

Download
memory/1672-16-0x0000000074F20000-0x00000000754CB000-memory.dmp

Filesize
5.7MB

Download
memory/1704-2-0x0000000074F20000-0x00000000754CB000-memory.dmp

Filesize
5.7MB

Download
memory/1704-0-0x0000000074F21000-0x0000000074F22000-memory.dmp

Filesize
4KB

Download
memory/1704-1-0x0000000074F20000-0x00000000754CB000-memory.dmp

Filesize
5.7MB

Download
memory/1704-51-0x0000000074F20000-0x00000000754CB000-memory.dmp

Filesize
5.7MB

Download
memory/2724-45-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-55-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-39-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-41-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-43-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-36-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-47-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2724-50-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-33-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-52-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-54-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-53-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-37-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-56-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-59-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-61-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download