darkcomet | dada691679ed350177d465ec4f82d5726d150fbfe244b352c002967ad0e9d6c5

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/02/2025, 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dada691679ed350177d465ec4f82d5726d150fbfe244b352c002967ad0e9d6c5N.exe
Size

964KB
MD5

684ccaf0a9ef445cbbc8580921e1d900
SHA1

b3ddc721476d552d58b8177ba8824ecc1de03bd7
SHA256

dada691679ed350177d465ec4f82d5726d150fbfe244b352c002967ad0e9d6c5
SHA512

a3cfefdd2df560f18359ee4c1f3d8a7b27516be525251e5dd3a685c5af0ecdfc859e6203de5f1e4f2956ff7ce22799b0daa3f2bb9b3d2dfec93485869c25e591
SSDEEP

24576:EUn1IgB1wd4EaaR9u68GGUEtUMefQMmNohkX:FIQEaaRM68MMPOhM

Score

10^/10

darkcomet above defense_evasion discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

ABOVE

178.175.138.238:3900

Mutex

DC_MUTEX-NL7A6PY

Attributes

gencode
TyA5CrZCBJR3
install
false
offline_keylogger
true
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 1 IoCs

pid	Process
2708	pilLk.exe

Loads dropped DLL 4 IoCs

pid	Process
1740	dada691679ed350177d465ec4f82d5726d150fbfe244b352c002967ad0e9d6c5N.exe
1740	dada691679ed350177d465ec4f82d5726d150fbfe244b352c002967ad0e9d6c5N.exe
1740	dada691679ed350177d465ec4f82d5726d150fbfe244b352c002967ad0e9d6c5N.exe
1740	dada691679ed350177d465ec4f82d5726d150fbfe244b352c002967ad0e9d6c5N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\3yx7s9i68n = "C:\\Users\\Admin\\3yx7s9i68n\\27835.vbs"	pilLk.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pilLk.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 2684	2708	pilLk.exe	31

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2684-31-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2684-34-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2684-33-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2684-35-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2684-36-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2684-37-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dada691679ed350177d465ec4f82d5726d150fbfe244b352c002967ad0e9d6c5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pilLk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe
2708	pilLk.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeIncreaseQuotaPrivilege	2684	RegSvcs.exe
Token: SeSecurityPrivilege	2684	RegSvcs.exe
Token: SeTakeOwnershipPrivilege	2684	RegSvcs.exe
Token: SeLoadDriverPrivilege	2684	RegSvcs.exe
Token: SeSystemProfilePrivilege	2684	RegSvcs.exe
Token: SeSystemtimePrivilege	2684	RegSvcs.exe
Token: SeProfSingleProcessPrivilege	2684	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2684	RegSvcs.exe
Token: SeCreatePagefilePrivilege	2684	RegSvcs.exe
Token: SeBackupPrivilege	2684	RegSvcs.exe
Token: SeRestorePrivilege	2684	RegSvcs.exe
Token: SeShutdownPrivilege	2684	RegSvcs.exe
Token: SeDebugPrivilege	2684	RegSvcs.exe
Token: SeSystemEnvironmentPrivilege	2684	RegSvcs.exe
Token: SeChangeNotifyPrivilege	2684	RegSvcs.exe
Token: SeRemoteShutdownPrivilege	2684	RegSvcs.exe
Token: SeUndockPrivilege	2684	RegSvcs.exe
Token: SeManageVolumePrivilege	2684	RegSvcs.exe
Token: SeImpersonatePrivilege	2684	RegSvcs.exe
Token: SeCreateGlobalPrivilege	2684	RegSvcs.exe
Token: 33	2684	RegSvcs.exe
Token: 34	2684	RegSvcs.exe
Token: 35	2684	RegSvcs.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe
Token: SeDebugPrivilege	2708	pilLk.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2684	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2708	1740	dada691679ed350177d465ec4f82d5726d150fbfe244b352c002967ad0e9d6c5N.exe	30
PID 1740 wrote to memory of 2708	1740	dada691679ed350177d465ec4f82d5726d150fbfe244b352c002967ad0e9d6c5N.exe	30
PID 1740 wrote to memory of 2708	1740	dada691679ed350177d465ec4f82d5726d150fbfe244b352c002967ad0e9d6c5N.exe	30
PID 1740 wrote to memory of 2708	1740	dada691679ed350177d465ec4f82d5726d150fbfe244b352c002967ad0e9d6c5N.exe	30
PID 1740 wrote to memory of 2708	1740	dada691679ed350177d465ec4f82d5726d150fbfe244b352c002967ad0e9d6c5N.exe	30
PID 1740 wrote to memory of 2708	1740	dada691679ed350177d465ec4f82d5726d150fbfe244b352c002967ad0e9d6c5N.exe	30
PID 1740 wrote to memory of 2708	1740	dada691679ed350177d465ec4f82d5726d150fbfe244b352c002967ad0e9d6c5N.exe	30
PID 2708 wrote to memory of 2684	2708	pilLk.exe	31
PID 2708 wrote to memory of 2684	2708	pilLk.exe	31
PID 2708 wrote to memory of 2684	2708	pilLk.exe	31
PID 2708 wrote to memory of 2684	2708	pilLk.exe	31
PID 2708 wrote to memory of 2684	2708	pilLk.exe	31
PID 2708 wrote to memory of 2684	2708	pilLk.exe	31
PID 2708 wrote to memory of 2684	2708	pilLk.exe	31
PID 2708 wrote to memory of 2684	2708	pilLk.exe	31
PID 2708 wrote to memory of 2684	2708	pilLk.exe	31

C:\Users\Admin\AppData\Local\Temp\dada691679ed350177d465ec4f82d5726d150fbfe244b352c002967ad0e9d6c5N.exe
"C:\Users\Admin\AppData\Local\Temp\dada691679ed350177d465ec4f82d5726d150fbfe244b352c002967ad0e9d6c5N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\3yx7s9i68n\pilLk.exe
  "C:\Users\Admin\3yx7s9i68n\pilLk.exe" UpdoPdAd.NRM
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\3YX7S9~1\UUFBSJ~1.YGV

Filesize
251KB

MD5
e9e3ea4dd76698858501fc14380daeb3

SHA1
8b0141492eb7cbc65fb5ffa39fab5f7675e3a398

SHA256
f930be7fb46ca1067c0b5cf8f975ce862cbd82776d776dc48d8cf335ba4a8e22

SHA512
19998bd752f793f9f36f95a29c1556a848659c1ae2bfc729d8894e8d0f21d58544fe5c6f70dd08d18c0f205b96441b6a4ca9df1e3d95222f402b0f5c3676160a

Download Submit
C:\Users\Admin\3YX7S9~1\anKUJzEVqHJ.YSD

Filesize
115B

MD5
fc68647512f4208f13ee0b881a8ac579

SHA1
5f9e65bd60b75800dea393bd44ab5bc7da11e51a

SHA256
76dc4126e0d947e9405cf9eb81669294a9c2f651e00fcf660c7cb828dd5df1e5

SHA512
3e0e3ba634a73962c012cf8ec80d98e9812322bd17bdbcc9b67fb1bab503c5cde0c32aa8c69fdd7d9a7793db6b2b9c63ab30222b71ae3cfaf629c2baa8388273

Download Submit
C:\Users\Admin\3yx7s9i68n\UpdoPdAd.NRM

Filesize
40.6MB

MD5
e6f9073eff44d4948e3f80a86935f048

SHA1
51857a883c8a11d3f3b61cb1eccdb2fb3f9c02b8

SHA256
5d58b86264269f88ba788e6226dee040f174595d870a689a3377b09d86f85ba8

SHA512
76dd06954719d7e86bc21a66d1dad49a665af199541de096ab3caa3daba477c8c962c478353c7f815ce437da6609cd52dc5475ca0efc47365288dfdd21b59f81

Download Submit
\Users\Admin\3yx7s9i68n\pilLk.exe

Filesize
915KB

MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
memory/2684-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2684-31-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2684-28-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2684-34-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2684-33-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2684-35-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2684-36-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2684-37-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download