darkcomet | 9aed0cbba11197860a2b4d47e31d0561366b1380434b32c5e6a57c103e0bd40a

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2025, 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

passw‮‮‮‮‮‮‮‮txt.scr
Size

1.2MB
MD5

77ca989ad6e7b03b45fae82a76033687
SHA1

0d12fc51c81dc320799daa675ebdf351d46a5573
SHA256

6ac3f0bd420b687c360daf61df09899b570d088479d4ba0eb1b934affbed3530
SHA512

6280ba36dc01aef0769209669086adb249b0b3db421c7859edef7028bbd65830cbe24aa21f7d36964983dfb9f117fe144556312a27f293e4973d150bb9733c04
SSDEEP

24576:iXxU5ks52tv1lETA6FEtDQk7rfunI7gB+M:rYF1lETA6FED7B7gB+M

Score

10^/10

darkcomet guest16 discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

marins.zapto.org:200

Mutex

DC_MUTEX-4P3XX1N

Attributes

gencode
aGYevwKbDrua
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 956 set thread context of 2424	956	passw‮‮‮‮‮‮‮‮txt.scr	89

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	passw‮‮‮‮‮‮‮‮txt.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	passw‮‮‮‮‮‮‮‮txt.scr
Token: SeIncreaseQuotaPrivilege	2424	vbc.exe
Token: SeSecurityPrivilege	2424	vbc.exe
Token: SeTakeOwnershipPrivilege	2424	vbc.exe
Token: SeLoadDriverPrivilege	2424	vbc.exe
Token: SeSystemProfilePrivilege	2424	vbc.exe
Token: SeSystemtimePrivilege	2424	vbc.exe
Token: SeProfSingleProcessPrivilege	2424	vbc.exe
Token: SeIncBasePriorityPrivilege	2424	vbc.exe
Token: SeCreatePagefilePrivilege	2424	vbc.exe
Token: SeBackupPrivilege	2424	vbc.exe
Token: SeRestorePrivilege	2424	vbc.exe
Token: SeShutdownPrivilege	2424	vbc.exe
Token: SeDebugPrivilege	2424	vbc.exe
Token: SeSystemEnvironmentPrivilege	2424	vbc.exe
Token: SeChangeNotifyPrivilege	2424	vbc.exe
Token: SeRemoteShutdownPrivilege	2424	vbc.exe
Token: SeUndockPrivilege	2424	vbc.exe
Token: SeManageVolumePrivilege	2424	vbc.exe
Token: SeImpersonatePrivilege	2424	vbc.exe
Token: SeCreateGlobalPrivilege	2424	vbc.exe
Token: 33	2424	vbc.exe
Token: 34	2424	vbc.exe
Token: 35	2424	vbc.exe
Token: 36	2424	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2424	vbc.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 2436	956	passw‮‮‮‮‮‮‮‮txt.scr	83
PID 956 wrote to memory of 2436	956	passw‮‮‮‮‮‮‮‮txt.scr	83
PID 956 wrote to memory of 2436	956	passw‮‮‮‮‮‮‮‮txt.scr	83
PID 2436 wrote to memory of 2700	2436	vbc.exe	85
PID 2436 wrote to memory of 2700	2436	vbc.exe	85
PID 2436 wrote to memory of 2700	2436	vbc.exe	85
PID 956 wrote to memory of 3932	956	passw‮‮‮‮‮‮‮‮txt.scr	86
PID 956 wrote to memory of 3932	956	passw‮‮‮‮‮‮‮‮txt.scr	86
PID 956 wrote to memory of 3932	956	passw‮‮‮‮‮‮‮‮txt.scr	86
PID 3932 wrote to memory of 2036	3932	vbc.exe	88
PID 3932 wrote to memory of 2036	3932	vbc.exe	88
PID 3932 wrote to memory of 2036	3932	vbc.exe	88
PID 956 wrote to memory of 2424	956	passw‮‮‮‮‮‮‮‮txt.scr	89
PID 956 wrote to memory of 2424	956	passw‮‮‮‮‮‮‮‮txt.scr	89
PID 956 wrote to memory of 2424	956	passw‮‮‮‮‮‮‮‮txt.scr	89
PID 956 wrote to memory of 2424	956	passw‮‮‮‮‮‮‮‮txt.scr	89
PID 956 wrote to memory of 2424	956	passw‮‮‮‮‮‮‮‮txt.scr	89
PID 956 wrote to memory of 2424	956	passw‮‮‮‮‮‮‮‮txt.scr	89
PID 956 wrote to memory of 2424	956	passw‮‮‮‮‮‮‮‮txt.scr	89
PID 956 wrote to memory of 2424	956	passw‮‮‮‮‮‮‮‮txt.scr	89
PID 956 wrote to memory of 2424	956	passw‮‮‮‮‮‮‮‮txt.scr	89
PID 956 wrote to memory of 2424	956	passw‮‮‮‮‮‮‮‮txt.scr	89
PID 956 wrote to memory of 2424	956	passw‮‮‮‮‮‮‮‮txt.scr	89
PID 956 wrote to memory of 2424	956	passw‮‮‮‮‮‮‮‮txt.scr	89
PID 956 wrote to memory of 2424	956	passw‮‮‮‮‮‮‮‮txt.scr	89
PID 956 wrote to memory of 2424	956	passw‮‮‮‮‮‮‮‮txt.scr	89

C:\Users\Admin\AppData\Local\Temp\passw‮‮‮‮‮‮‮‮txt.scr
"C:\Users\Admin\AppData\Local\Temp\passw‮‮‮‮‮‮‮‮txt.scr" /S
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gmsrfp8r.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA086.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3658523B547D46758936EE6F7F18984.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2700
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_oqyinkp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA25A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD9EF607438FD48E0A0998E2623DC570.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2036
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA086.tmp

Filesize
1KB

MD5
26435519c2b47cae0dbc200540aedd3e

SHA1
c8e673d1294ae1bb7bb43bb0f83ba695268e5c1f

SHA256
278f0b7a2cb6d556461acf278f5461f6eda53576e8bb3ef727f1ca9c03ad6f62

SHA512
66b19043fef5ae836ba490aca4d2b73109360bb4a96c193e940e684271c4dd41f811c6d69f982f9978065a628eb4c84c4be82ad608ebce5a2bdf6d11366a541b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA25A.tmp

Filesize
1KB

MD5
0ae9725481f7bcd2070ddb51025f8fba

SHA1
0c5ce76413d217176ac0c36c3332f98d92b11702

SHA256
c2ba80904d0455fe8f666b4a485308f143ae9eca9a4a9c70595ee0328cac31ac

SHA512
8199c270216efd230726c0a06d1853c1050b254331c66f3e03ca35532efaadebcc4f104855503bd39a88ea00a66db9343787b405b49cf76f383b2eab09d046fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_oqyinkp.cmdline

Filesize
317B

MD5
bdb4cc21b703b1c791df5c818d99b7fb

SHA1
50e0991691f0570b1aed823552d5125380fd8b2a

SHA256
7e7debe24efa10da0a16e39d817c9dfcdf7c6b3990a1d78f4fb86074421b0cd0

SHA512
c555297eaf14474ed54912e1155bb6469e4ee92f3fcd6fb2a3cd869282265f95f6fe41f99e8ab6454f075109a55e824af87b3135b9f713bb746420cbd082bbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_oqyinkp.dll

Filesize
6KB

MD5
5a7811b89cd9502070f968b0e6081469

SHA1
a0ebd9958b7e1184a99f936df573427e3d7959d4

SHA256
41a2d8d2b6a29b9e032325db803e0b057429b1d3bcd6e1e9f27c293fef28aa44

SHA512
647cfa36b364be16d2a92a987c1a4d37385aa0b884d5267120f386f39a72ac18d5dd4986a10d8846dd26e915c3dcee5c048bcdc6e726efa9c7a9b44dd6bfab6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmsrfp8r.0.vb

Filesize
254B

MD5
36757aabf0e4f39dfa4e7d0e2c0506fd

SHA1
3bebb1de5f217019420de8336b66b8768502cb41

SHA256
97b2b1e8c82404ea0cce8951b9a9dc503d3057c53d1734a18a5140061a5087df

SHA512
67abe6724460d9b9bf55f88230ca05f692cce346266486b73504bd1369aa814b0e1424a0572bdd0d48621bcb01a652ea757beb2ae5544ba9db2c790fed6d35b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmsrfp8r.cmdline

Filesize
317B

MD5
e12058c0156a0aac7b032c930daea8b5

SHA1
af567862e5644396f9a2c72d399539a2adbf3f4a

SHA256
d16583000b48e14241de8b6ece537e7a6cdb5f9840a7527a47a0fc9e71344806

SHA512
b09cc3ea569b8d67c28af23dc4b8375939189b59fc314d39b42376974472d69041d0625a09083adec50ee3b92ef58b3f8c2936e83dd621517fadb974ac072590

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmsrfp8r.dll

Filesize
6KB

MD5
45f3d3a6ac677274575b9dfcab06eb6c

SHA1
d7e7b3b31bb0a9e6951a6d918d92b5f4b622e41f

SHA256
3ec3c88b52058a72518df3acac245ef6d006bff7e89459fd739014222de6d1ee

SHA512
aafbac85d1e9443f3cc61a0adfaf44323be7225e612afcb795847035dceebb5a77878db94e1a5b3cb1c54d7cff308b5511aeb5fb6692389b7f8ae062490d097c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3658523B547D46758936EE6F7F18984.TMP

Filesize
652B

MD5
f0fc63689e74d409b41e4c88bcc6f7be

SHA1
5a64cf392a20edc557d474ad846f11d84e6b2b32

SHA256
c442cfc07ca3e0a8c3a064cf92786c93cf1d402da18b54407bbe791d10a7fd3a

SHA512
0609d0479e12e548ea78c78a77131cdc6837f29335f20d180bea640cf847b49425a97c93a8b94668c6215170fa474004571dda72e2a675330f50ac816fa13009

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD9EF607438FD48E0A0998E2623DC570.TMP

Filesize
652B

MD5
bbe5c4d4c61c8dc19c95748bebcd773e

SHA1
52974d2f3eaf13da4099d8560f52f4710c84c6d5

SHA256
b56cb4a2b25be874970f6cae0588136a30f147fa0369eacdbe76eb7589ac0ece

SHA512
9c83c5b97200c20becd06b0880ea5f9e0ee752722de554651c4869392f405401cc11df766edd5010a25934467a6598874b8005d25819e93a7bee9cff02fdeb8b

Download Submit
memory/956-0-0x0000000074BF2000-0x0000000074BF3000-memory.dmp

Filesize
4KB

Download
memory/956-40-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/956-2-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/956-1-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/2424-38-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2424-52-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2424-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2424-35-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2424-37-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2424-56-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2424-39-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2424-55-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2424-41-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2424-42-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2424-43-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2424-44-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2424-45-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2424-46-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2424-47-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2424-48-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2424-49-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2424-50-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2424-51-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2424-54-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2424-53-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2436-7-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/2436-16-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3932-32-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3932-24-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download