darkcomet | fca47090b878fda8937de3c6621b7ceda0c640a7030a451b298862cca1d3b7ba

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/02/2025, 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fca47090b878fda8937de3c6621b7ceda0c640a7030a451b298862cca1d3b7ba.exe
Size

964KB
MD5

6de092b2e07561a8de02d0dadea6599c
SHA1

620d5d728052e52b7b8efa18a56a07defb503e03
SHA256

fca47090b878fda8937de3c6621b7ceda0c640a7030a451b298862cca1d3b7ba
SHA512

0cc1bd46b60971b7f333d194aebf3ce754eb63ead683883a2f09d2f2e84b94237e689a2db5ad03298d5411436196065246da32da86763658345a8fa26d8cc877
SSDEEP

24576:EUn1IgB1wd4EaaR9u68GGUEtUMefQMmNohkV:FIQEaaRM68MMPOh0

Score

10^/10

darkcomet above defense_evasion discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

ABOVE

178.175.138.238:3900

Mutex

DC_MUTEX-NL7A6PY

Attributes

gencode
TyA5CrZCBJR3
install
false
offline_keylogger
true
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 1 IoCs

pid	Process
3052	pilLk.exe

Loads dropped DLL 4 IoCs

pid	Process
2216	fca47090b878fda8937de3c6621b7ceda0c640a7030a451b298862cca1d3b7ba.exe
2216	fca47090b878fda8937de3c6621b7ceda0c640a7030a451b298862cca1d3b7ba.exe
2216	fca47090b878fda8937de3c6621b7ceda0c640a7030a451b298862cca1d3b7ba.exe
2216	fca47090b878fda8937de3c6621b7ceda0c640a7030a451b298862cca1d3b7ba.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\3yx7s9i68n = "C:\\Users\\Admin\\3yx7s9i68n\\27835.vbs"	pilLk.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pilLk.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3052 set thread context of 960	3052	pilLk.exe	31

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/960-31-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/960-35-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/960-34-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/960-33-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/960-37-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/960-36-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fca47090b878fda8937de3c6621b7ceda0c640a7030a451b298862cca1d3b7ba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pilLk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe
3052	pilLk.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	960	RegSvcs.exe
Token: SeSecurityPrivilege	960	RegSvcs.exe
Token: SeTakeOwnershipPrivilege	960	RegSvcs.exe
Token: SeLoadDriverPrivilege	960	RegSvcs.exe
Token: SeSystemProfilePrivilege	960	RegSvcs.exe
Token: SeSystemtimePrivilege	960	RegSvcs.exe
Token: SeProfSingleProcessPrivilege	960	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	960	RegSvcs.exe
Token: SeCreatePagefilePrivilege	960	RegSvcs.exe
Token: SeBackupPrivilege	960	RegSvcs.exe
Token: SeRestorePrivilege	960	RegSvcs.exe
Token: SeShutdownPrivilege	960	RegSvcs.exe
Token: SeDebugPrivilege	960	RegSvcs.exe
Token: SeSystemEnvironmentPrivilege	960	RegSvcs.exe
Token: SeChangeNotifyPrivilege	960	RegSvcs.exe
Token: SeRemoteShutdownPrivilege	960	RegSvcs.exe
Token: SeUndockPrivilege	960	RegSvcs.exe
Token: SeManageVolumePrivilege	960	RegSvcs.exe
Token: SeImpersonatePrivilege	960	RegSvcs.exe
Token: SeCreateGlobalPrivilege	960	RegSvcs.exe
Token: 33	960	RegSvcs.exe
Token: 34	960	RegSvcs.exe
Token: 35	960	RegSvcs.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe
Token: SeDebugPrivilege	3052	pilLk.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
960	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 3052	2216	fca47090b878fda8937de3c6621b7ceda0c640a7030a451b298862cca1d3b7ba.exe	30
PID 2216 wrote to memory of 3052	2216	fca47090b878fda8937de3c6621b7ceda0c640a7030a451b298862cca1d3b7ba.exe	30
PID 2216 wrote to memory of 3052	2216	fca47090b878fda8937de3c6621b7ceda0c640a7030a451b298862cca1d3b7ba.exe	30
PID 2216 wrote to memory of 3052	2216	fca47090b878fda8937de3c6621b7ceda0c640a7030a451b298862cca1d3b7ba.exe	30
PID 2216 wrote to memory of 3052	2216	fca47090b878fda8937de3c6621b7ceda0c640a7030a451b298862cca1d3b7ba.exe	30
PID 2216 wrote to memory of 3052	2216	fca47090b878fda8937de3c6621b7ceda0c640a7030a451b298862cca1d3b7ba.exe	30
PID 2216 wrote to memory of 3052	2216	fca47090b878fda8937de3c6621b7ceda0c640a7030a451b298862cca1d3b7ba.exe	30
PID 3052 wrote to memory of 960	3052	pilLk.exe	31
PID 3052 wrote to memory of 960	3052	pilLk.exe	31
PID 3052 wrote to memory of 960	3052	pilLk.exe	31
PID 3052 wrote to memory of 960	3052	pilLk.exe	31
PID 3052 wrote to memory of 960	3052	pilLk.exe	31
PID 3052 wrote to memory of 960	3052	pilLk.exe	31
PID 3052 wrote to memory of 960	3052	pilLk.exe	31
PID 3052 wrote to memory of 960	3052	pilLk.exe	31
PID 3052 wrote to memory of 960	3052	pilLk.exe	31

C:\Users\Admin\AppData\Local\Temp\fca47090b878fda8937de3c6621b7ceda0c640a7030a451b298862cca1d3b7ba.exe
"C:\Users\Admin\AppData\Local\Temp\fca47090b878fda8937de3c6621b7ceda0c640a7030a451b298862cca1d3b7ba.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\3yx7s9i68n\pilLk.exe
  "C:\Users\Admin\3yx7s9i68n\pilLk.exe" UpdoPdAd.NRM
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\3YX7S9~1\UUFBSJ~1.YGV

Filesize
251KB

MD5
e9e3ea4dd76698858501fc14380daeb3

SHA1
8b0141492eb7cbc65fb5ffa39fab5f7675e3a398

SHA256
f930be7fb46ca1067c0b5cf8f975ce862cbd82776d776dc48d8cf335ba4a8e22

SHA512
19998bd752f793f9f36f95a29c1556a848659c1ae2bfc729d8894e8d0f21d58544fe5c6f70dd08d18c0f205b96441b6a4ca9df1e3d95222f402b0f5c3676160a

Download Submit
C:\Users\Admin\3YX7S9~1\anKUJzEVqHJ.YSD

Filesize
115B

MD5
fc68647512f4208f13ee0b881a8ac579

SHA1
5f9e65bd60b75800dea393bd44ab5bc7da11e51a

SHA256
76dc4126e0d947e9405cf9eb81669294a9c2f651e00fcf660c7cb828dd5df1e5

SHA512
3e0e3ba634a73962c012cf8ec80d98e9812322bd17bdbcc9b67fb1bab503c5cde0c32aa8c69fdd7d9a7793db6b2b9c63ab30222b71ae3cfaf629c2baa8388273

Download Submit
C:\Users\Admin\3yx7s9i68n\UpdoPdAd.NRM

Filesize
40.6MB

MD5
e6f9073eff44d4948e3f80a86935f048

SHA1
51857a883c8a11d3f3b61cb1eccdb2fb3f9c02b8

SHA256
5d58b86264269f88ba788e6226dee040f174595d870a689a3377b09d86f85ba8

SHA512
76dd06954719d7e86bc21a66d1dad49a665af199541de096ab3caa3daba477c8c962c478353c7f815ce437da6609cd52dc5475ca0efc47365288dfdd21b59f81

Download Submit
\Users\Admin\3yx7s9i68n\pilLk.exe

Filesize
915KB

MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
memory/960-28-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/960-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/960-31-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/960-35-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/960-34-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/960-33-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/960-37-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/960-36-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download