Analysis

  • max time kernel
    104s
  • max time network
    105s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/02/2025, 15:09

General

  • Target

    f816377ac402ed2774e8d5e69e9fec2e7e02a95f820ca6ea00819fc47d91d691.exe

  • Size

    1.6MB

  • MD5

    0cb3cab82171b9ed0301c31deedb2976

  • SHA1

    e75ff793aca1d65b944e7823c8fec0d464795d59

  • SHA256

    f816377ac402ed2774e8d5e69e9fec2e7e02a95f820ca6ea00819fc47d91d691

  • SHA512

    579bb9ed177faef02430df1aed97f2761278c8a894a5930fa9c0c8afb0017fa91e2c92eba79cb1a03c6352f425a50088e73dd13976b9cd9158174bf4676f90b0

  • SSDEEP

    49152:opLAZG/fLlSMp4OqW8xX8/bc7svZkq08Y9sTOx:ClSMGOqjM/bcAxkq08Y9sG

Malware Config

Extracted

Family

darkcomet

Botnet

Bunker 2

C2

fingers.no-ip.biz:4421

Mutex

DCMIN_MUTEX-0DWPKLM

Attributes
  • gencode

    wKcjsm51vLbU

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f816377ac402ed2774e8d5e69e9fec2e7e02a95f820ca6ea00819fc47d91d691.exe
    "C:\Users\Admin\AppData\Local\Temp\f816377ac402ed2774e8d5e69e9fec2e7e02a95f820ca6ea00819fc47d91d691.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\WLQIG\GYUFP.ZYEBU.KSRJL.vbe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Users\Admin\WLQIG\YJKQN.exe
        "C:\Users\Admin\WLQIG\YJKQN.exe" C:\Users\Admin\WLQIG\RIWIL
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2060
        • C:\Users\Admin\WLQIG\YJKQN.exe
          C:\Users\Admin\WLQIG\YJKQN.exe C:\Users\Admin\WLQIG\SAZUW
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2616
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2932
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1280
          • C:\Program Files\Internet Explorer\iexplore.exe
            C:\Users\Admin\WLQIG\SAZUW
            5⤵
              PID:2032
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\WLQIG\invoice1.pdf"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2804

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      f228021d1d344a39b4fd285e27ca3448

      SHA1

      034383d835365f2742f7305e5174b854a57d3f2f

      SHA256

      4981378cfc283e8519e9870b7fe200f513fc697b104910788dcf28fde4069dfe

      SHA512

      052c5d55592c487b3abf711f6ccc64759f4be3de64a54faad4771841721b257360234ee3743918ced9379295975c0ce1b99a24acdb1ee3c2c29a27f240b3021d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      d26cbe021f0ac0c6cf6d1f88ae9d2e95

      SHA1

      c37ac69679f887ab53282ee1569ecf5978891553

      SHA256

      5fbe68d8f4bda3584058f2f26fff020fc693318759262a203bc68a5330225e8b

      SHA512

      2147a72fc3345d9d3391b32b4bfcdc2137c85effa4402c2f481858fc9f5d6283482373a1d67606a307c9ca3b61477bead75e6c7511f626622c2c794b131b11f9

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      254f1acd4e38832523790d7a5dd8642f

      SHA1

      f3be49ebcf317fdb6c86186c7e6588188ed99e2d

      SHA256

      f944863abd69089f9be4b1523faacbdd39f5bfdc205c673d1c71f6b0593befbb

      SHA512

      6fa193e9f593b9e8d3b2422f5368e519a72f7f2de19c4edaa349406965a101f0f553962f0d5b7c78000a873a06837ef344e182d73a5042859c8e043db6bdd8e5

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      622c73217e4d14110a3ca5a0f113490a

      SHA1

      60f3ded3219bb86364cac1cc8da875e4dc45e6ac

      SHA256

      8a73bf0fb53b82692d3e1b2cc7ddad709ec7b29d44ab8913f16b17ea8e5410e5

      SHA512

      a9663406a9a83aa9e86a6a2d2bdb6dacdfd98b5ef4cab5031494a3403a4a6072ceb5730759074d568c6d9aa639b9e068a455c449d509b05c002977ce1aeeef61

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      44d3dfda9bc3c3c757ff6860c6972b2f

      SHA1

      5e1fac4bc7c0c34d9edcd641c21040a6499b5b12

      SHA256

      656589c956a9fab41c89376cd719052132e1d838fb602f276ba8b1bbbd1397f4

      SHA512

      3a0271f02703dd032c9ee5a9fca48f25edde6655b6bdcbc2147425ed7671bf286a3db5ec7ae92e8011d640027fa271c0303e3a6039dffd1bd7006b82d74c400d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      ac40d13bed397311ce7985134d8b8326

      SHA1

      a1a79c644f761264578bb587e7af154b7fba28ec

      SHA256

      2ea98de0d4e27b1a86af1be15cf3e73f0bdff07e1dd57151a34d63ca952186bc

      SHA512

      a669093033981b5cfad8fd1625869853a177684d635948e6a35a3a286cc5c09caa7ca3141cb49cca068f26ec75880700412b0dc0d3bc72f1d9712110c6d0354b

    • C:\Users\Admin\AppData\Local\Temp\CabAE0E.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\TarB706.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

      Filesize

      3KB

      MD5

      6b148ce34307af7f6c2706f53bd265f6

      SHA1

      5725ad473db426b20cc5730fe063e7acf738c467

      SHA256

      5e2b0a8a36a65adb1752953ae89e077e6be31c6e5322ddaa0e707675b6125734

      SHA512

      7f1b1b379817130290959cf01e81f73284fd23d55797f97e32ef84d9a021a1ba120f57f27f1289ff256ac5ffa3371295ff09f8a862ba089d3f72ffed94e6969a

    • C:\Users\Admin\WLQIG\GVWYQ

      Filesize

      32KB

      MD5

      09a2e2b052cd0f9f0ffb423922ea86c9

      SHA1

      a22e5fffe1eab03b807afdd5fd8520dabb76cd77

      SHA256

      8aed4bfc389262a7e34e51042e38c2af499114423cd94f676035bf46a04010be

      SHA512

      1a9502f569b7737885c2c793597872fa19d2a206fdb3f161e18d6856b89dfc035839834512f21a486de6e617e5a0a2c8e9a89351a2021a72f166826f8f57bf85

    • C:\Users\Admin\WLQIG\GYUFP.ZYEBU.KSRJL.vbe

      Filesize

      1.4MB

      MD5

      02ac073d625a666bfb18d4fa6e8c0777

      SHA1

      c7a5b4c5dac48059c0fb79b3745b1dd6c878f713

      SHA256

      0bd76b4f7a72a103dbc5856256993b796a1320d6246fd52c05d161cf34482c5a

      SHA512

      d2288497f8f246c15b77d9f868949a97c562754b00c40f8e719791e5f68b90ae5cc83dbafd567727971f036cf9edf56f739bc42f577fa3588d386b3ef635509c

    • C:\Users\Admin\WLQIG\RIWIL

      Filesize

      2KB

      MD5

      00956e8722817dc9c2804e404d16eb34

      SHA1

      9c0037311a4de6f32245e5ad080681646e465788

      SHA256

      8004ef08cd18d494baaf83e22f0eb939ac134f6447756fa22456fd51f57f2394

      SHA512

      974d1cbbf5c18b3baac2482da46691a5df98a30db070461c5cf592f25660ed2ed046c2476f61e544ac068d482afb28f9c663f7be612c2b6e9340f9203f66ab12

    • C:\Users\Admin\WLQIG\SAZUW

      Filesize

      23KB

      MD5

      c7d4fc9888d09a56e1e8708af6b58d8c

      SHA1

      aab25c529a48c9befffc2881c55d0aadb9eb8815

      SHA256

      7aa3fc11548141258562a1240a925fb3fde39baa4b1f943e4bbc15dd234be9ef

      SHA512

      d24a7107c0ebccb469ed2e8783ee83bf29fe16c97e3dce397d0ca4dbfe38984d9cdabc18581fb625f585831b4281c140d9e443fe640b94dd1a4e3195c5e7ee35

    • C:\Users\Admin\WLQIG\WIHLM

      Filesize

      658KB

      MD5

      e61a39713dd08928070b654bcc0bf6fd

      SHA1

      30b6e033b8134a52df649002262041ad11ad51c2

      SHA256

      b928f2d4d4f61fbe3d75a78d019c70727e88726e9248ea967c94ec4233019273

      SHA512

      c205c7cc8ecb3b59490448bb06def728744c59e7e01bbc5d694b35937ec064d0f97561afbf197d396c8763c24c65092f1e3aa1b7c5696952f467caa20c84b0ce

    • C:\Users\Admin\WLQIG\YJKQN.exe

      Filesize

      732KB

      MD5

      71d8f6d5dc35517275bc38ebcc815f9f

      SHA1

      cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

      SHA256

      fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

      SHA512

      4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

    • C:\Users\Admin\WLQIG\YMQGIX

      Filesize

      70KB

      MD5

      11a0f133e23f11379659a6cb26f044df

      SHA1

      d7c4db97ba359dcf2150cc95af87b9263059b59a

      SHA256

      e1673f2fc81653063c37bcdafceb88c56e6c2c370c8bcf3cb3aec724e83dfe08

      SHA512

      2baa4da9790d87bed280ecd30d4ad9063ededb580950b61822da015c6c20a4e63025473ee0766b8c3586330493c48aca183095a9afd67fd1fb234ac9b2a7fb69

    • C:\Users\Admin\WLQIG\invoice1.pdf

      Filesize

      16KB

      MD5

      7deb228bf8842350a33eb8fa84eec259

      SHA1

      492bf2a627ac8eddd55f4740344019d3c8d1fed3

      SHA256

      50235875a3669f0c39350cfcf1d8cc7f6893eafccae1262b96cf0e90aaa24062

      SHA512

      eb90b4884bd74ffff9babb2c6a1df07d875158a4ac04aae5440a5e1631dc45c13b70a583323dea22ca8f4bfce722f26cf94f886305114784dd69c40e30b6a0c2

    • memory/2932-45-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB