darkcomet | 9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/02/2025, 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe
Size

1.1MB
MD5

971e273f808bae7da52ad62dbb050206
SHA1

78bebe22816e3fb380cbf0caa11776ff4b120686
SHA256

9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22
SHA512

d47fb2a4c2627a1212ff7db3fb443e1b0739a561a82e588c3aff21a2db591ae1cddc2186c4915e180fcb8fc965e42fba3feeb5135d90388fe35a47f35403199e
SSDEEP

24576:umoO8itnTaZsZfZ8ARL28WcVNGAQnmMCL+tMEekEoKwsbovX:FleZsZfj2tcKALZm5ekEoKpkf

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Extracted

Family

darkcomet

Botnet

Guest16

wwwgooglecom.sytes.net:2222

Mutex

WindowsSystem

Attributes

gencode
ur8y65YHfD6n
install
false
offline_keylogger
true
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, rundll32.exe C:\\Users\\Admin\\YxxYdyYQjJrjvZi\\YxxYdyYQjJrjvZi.dll Run"	rundll32.exe

Loads dropped DLL 6 IoCs

pid	Process
2688	rundll32.exe
2688	rundll32.exe
2688	rundll32.exe
2688	rundll32.exe
2688	rundll32.exe
2688	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2688 set thread context of 2660	2688	rundll32.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2688	rundll32.exe
2688	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1148	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	rundll32.exe
Token: SeIncreaseQuotaPrivilege	2660	RegAsm.exe
Token: SeSecurityPrivilege	2660	RegAsm.exe
Token: SeTakeOwnershipPrivilege	2660	RegAsm.exe
Token: SeLoadDriverPrivilege	2660	RegAsm.exe
Token: SeSystemProfilePrivilege	2660	RegAsm.exe
Token: SeSystemtimePrivilege	2660	RegAsm.exe
Token: SeProfSingleProcessPrivilege	2660	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2660	RegAsm.exe
Token: SeCreatePagefilePrivilege	2660	RegAsm.exe
Token: SeBackupPrivilege	2660	RegAsm.exe
Token: SeRestorePrivilege	2660	RegAsm.exe
Token: SeShutdownPrivilege	2660	RegAsm.exe
Token: SeDebugPrivilege	2660	RegAsm.exe
Token: SeSystemEnvironmentPrivilege	2660	RegAsm.exe
Token: SeChangeNotifyPrivilege	2660	RegAsm.exe
Token: SeRemoteShutdownPrivilege	2660	RegAsm.exe
Token: SeUndockPrivilege	2660	RegAsm.exe
Token: SeManageVolumePrivilege	2660	RegAsm.exe
Token: SeImpersonatePrivilege	2660	RegAsm.exe
Token: SeCreateGlobalPrivilege	2660	RegAsm.exe
Token: 33	2660	RegAsm.exe
Token: 34	2660	RegAsm.exe
Token: 35	2660	RegAsm.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2660	RegAsm.exe
1148	AcroRd32.exe
1148	AcroRd32.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2688	2624	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe	30
PID 2624 wrote to memory of 2688	2624	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe	30
PID 2624 wrote to memory of 2688	2624	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe	30
PID 2624 wrote to memory of 2688	2624	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe	30
PID 2624 wrote to memory of 2688	2624	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe	30
PID 2624 wrote to memory of 2688	2624	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe	30
PID 2624 wrote to memory of 2688	2624	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe	30
PID 2624 wrote to memory of 2740	2624	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe	31
PID 2624 wrote to memory of 2740	2624	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe	31
PID 2624 wrote to memory of 2740	2624	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe	31
PID 2624 wrote to memory of 2740	2624	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe	31
PID 2624 wrote to memory of 2740	2624	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe	31
PID 2624 wrote to memory of 2740	2624	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe	31
PID 2624 wrote to memory of 2740	2624	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe	31
PID 2688 wrote to memory of 3024	2688	rundll32.exe	32
PID 2688 wrote to memory of 3024	2688	rundll32.exe	32
PID 2688 wrote to memory of 3024	2688	rundll32.exe	32
PID 2688 wrote to memory of 3024	2688	rundll32.exe	32
PID 2688 wrote to memory of 3024	2688	rundll32.exe	32
PID 2688 wrote to memory of 3024	2688	rundll32.exe	32
PID 2688 wrote to memory of 3024	2688	rundll32.exe	32
PID 2688 wrote to memory of 2660	2688	rundll32.exe	33
PID 2688 wrote to memory of 2660	2688	rundll32.exe	33
PID 2688 wrote to memory of 2660	2688	rundll32.exe	33
PID 2688 wrote to memory of 2660	2688	rundll32.exe	33
PID 2688 wrote to memory of 2660	2688	rundll32.exe	33
PID 2688 wrote to memory of 2660	2688	rundll32.exe	33
PID 2688 wrote to memory of 2660	2688	rundll32.exe	33
PID 2688 wrote to memory of 2660	2688	rundll32.exe	33
PID 2688 wrote to memory of 2660	2688	rundll32.exe	33
PID 2688 wrote to memory of 2660	2688	rundll32.exe	33
PID 2688 wrote to memory of 2660	2688	rundll32.exe	33
PID 2688 wrote to memory of 2660	2688	rundll32.exe	33
PID 2688 wrote to memory of 2660	2688	rundll32.exe	33
PID 2688 wrote to memory of 2660	2688	rundll32.exe	33
PID 2688 wrote to memory of 2660	2688	rundll32.exe	33
PID 2688 wrote to memory of 2660	2688	rundll32.exe	33
PID 2740 wrote to memory of 1148	2740	rundll32.exe	35
PID 2740 wrote to memory of 1148	2740	rundll32.exe	35
PID 2740 wrote to memory of 1148	2740	rundll32.exe	35
PID 2740 wrote to memory of 1148	2740	rundll32.exe	35

C:\Users\Admin\AppData\Local\Temp\9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe
"C:\Users\Admin\AppData\Local\Temp\9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Users\Admin\YxxYdyYQjJrjvZi\YxxYdyYQjJrjvZi.dll Run
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    PID:3024
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2660
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\YxxYdyYQjJrjvZi\Adobe_Acrobat_Reader.iso.torrent
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\YxxYdyYQjJrjvZi\Adobe_Acrobat_Reader.iso.torrent"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
5703921e1ced0c1012f381247d225d83

SHA1
72fe83bfdc7f5aa7f516aea5f22687987d169e97

SHA256
9f18f4a0b55f495c706dbff4df853db72c0b3d932a5623648e49a15b1c6bc119

SHA512
4e7aeace5cb5f8ba77d9633e0050364d9ff187a99fcdbcfae0ce5317fdc3e7fcbb05ef2fb394d7e16461dcf7f60d27ec5164704f50f26c57530eddb8e139ea2a

Download Submit
C:\Users\Admin\YxxYdyYQjJrjvZi\Adobe_Acrobat_Reader.iso.torrent

Filesize
27KB

MD5
8f7a9bbe57497bf7d14eef54a82db429

SHA1
31c8b1153bf71fbaab2ab9f4e217cae56ca85b42

SHA256
63dfbd090392608811252e3068513c0510726fc6220f7a3ccc9e776a40a2a85f

SHA512
600aaaf9c89f07a5bd80633644ecb47eaf5efa8488336738ee4e934d07ac2b93afd5a0bf258abe48fa21e88f93688ad043eadae21753394da2d1316c8a875b20

Download Submit
C:\Users\Admin\YxxYdyYQjJrjvZi\YxxYdyYQjJrjvZi

Filesize
661KB

MD5
deffe3fe6f0542887a4a1c71db33061c

SHA1
12c2b538a2c14abbc489994c5f38fcc97869b2f4

SHA256
9feb47b8fcab0e0316b0405004bc778f2d37723b4fdd01bd43b02d3edf56f23b

SHA512
6c065dd8161644b9e3c6de3abeacdea0247dc4073f0c8026ccbcdac4affc297c32d924c4f6c3fb71dbcfd037f8e2d0edd42bbe28c5dcb9d5e51dafabf9f5ac83

Download Submit
C:\Users\Admin\YxxYdyYQjJrjvZi\YxxYdyYQjJrjvZi.dll

Filesize
47KB

MD5
eac27e10a0e5bcea94b35e7e1d952d22

SHA1
e0f32c04680dde525869a0bade537113c6dcbfdd

SHA256
e336ecfedd9f6ed91589aa7e6866289e0d4673e1fa10dde53bf6957da148da36

SHA512
b34d129ad6ab137edad8faac3bb4451aeec29d003dc83cb68c12e8cc19b73b9d6fa055766e5d54193d552e46cc858d7f498d70af04f6f8b5b9e9330aed7535db

Download Submit
C:\Users\Admin\YxxYdyYQjJrjvZi\YxxYdyYQjJrjvZi.lnk

Filesize
804B

MD5
181e68d7417cc5005be1eb887a661538

SHA1
65e6bfd1b88a968bbec2a69832e7b987370effde

SHA256
fd61bf74397e8cb04d1810df6da6faebd1ad26630ddffd66d2df6d7acc5deac3

SHA512
c577aedf38e850aacdb83d6e59ff13b5b973bb13a7273e38374d51b2c4a06ad65298375ad3190a4472d34dcc02d400e8f07685c5744c74c94d808ecd8b1e35aa

Download Submit
memory/2660-33-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2660-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2660-34-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2660-22-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2660-40-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2660-38-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2660-37-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2660-30-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2660-28-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2660-26-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2660-41-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2660-42-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2660-25-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2660-20-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download