darkcomet | 9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22

General

Target

9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe
Size

1.1MB
MD5

971e273f808bae7da52ad62dbb050206
SHA1

78bebe22816e3fb380cbf0caa11776ff4b120686
SHA256

9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22
SHA512

d47fb2a4c2627a1212ff7db3fb443e1b0739a561a82e588c3aff21a2db591ae1cddc2186c4915e180fcb8fc965e42fba3feeb5135d90388fe35a47f35403199e
SSDEEP

24576:umoO8itnTaZsZfZ8ARL28WcVNGAQnmMCL+tMEekEoKwsbovX:FleZsZfj2tcKALZm5ekEoKpkf

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

wwwgooglecom.sytes.net:2222

Mutex

WindowsSystem

Attributes

gencode
ur8y65YHfD6n
install
false
offline_keylogger
true
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, rundll32.exe C:\\Users\\Admin\\YxxYdyYQjJrjvZi\\YxxYdyYQjJrjvZi.dll Run"	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe

Loads dropped DLL 3 IoCs

pid	Process
1848	rundll32.exe
1848	rundll32.exe
1848	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1848 set thread context of 3136	1848	rundll32.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe
Key created	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1848	rundll32.exe
1848	rundll32.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1848	rundll32.exe
Token: SeIncreaseQuotaPrivilege	3136	RegAsm.exe
Token: SeSecurityPrivilege	3136	RegAsm.exe
Token: SeTakeOwnershipPrivilege	3136	RegAsm.exe
Token: SeLoadDriverPrivilege	3136	RegAsm.exe
Token: SeSystemProfilePrivilege	3136	RegAsm.exe
Token: SeSystemtimePrivilege	3136	RegAsm.exe
Token: SeProfSingleProcessPrivilege	3136	RegAsm.exe
Token: SeIncBasePriorityPrivilege	3136	RegAsm.exe
Token: SeCreatePagefilePrivilege	3136	RegAsm.exe
Token: SeBackupPrivilege	3136	RegAsm.exe
Token: SeRestorePrivilege	3136	RegAsm.exe
Token: SeShutdownPrivilege	3136	RegAsm.exe
Token: SeDebugPrivilege	3136	RegAsm.exe
Token: SeSystemEnvironmentPrivilege	3136	RegAsm.exe
Token: SeChangeNotifyPrivilege	3136	RegAsm.exe
Token: SeRemoteShutdownPrivilege	3136	RegAsm.exe
Token: SeUndockPrivilege	3136	RegAsm.exe
Token: SeManageVolumePrivilege	3136	RegAsm.exe
Token: SeImpersonatePrivilege	3136	RegAsm.exe
Token: SeCreateGlobalPrivilege	3136	RegAsm.exe
Token: 33	3136	RegAsm.exe
Token: 34	3136	RegAsm.exe
Token: 35	3136	RegAsm.exe
Token: 36	3136	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4092	OpenWith.exe
3136	RegAsm.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 1848	3160	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe	86
PID 3160 wrote to memory of 1848	3160	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe	86
PID 3160 wrote to memory of 1848	3160	9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe	86
PID 1848 wrote to memory of 1984	1848	rundll32.exe	88
PID 1848 wrote to memory of 1984	1848	rundll32.exe	88
PID 1848 wrote to memory of 1984	1848	rundll32.exe	88
PID 1848 wrote to memory of 3136	1848	rundll32.exe	89
PID 1848 wrote to memory of 3136	1848	rundll32.exe	89
PID 1848 wrote to memory of 3136	1848	rundll32.exe	89
PID 1848 wrote to memory of 3136	1848	rundll32.exe	89
PID 1848 wrote to memory of 3136	1848	rundll32.exe	89
PID 1848 wrote to memory of 3136	1848	rundll32.exe	89
PID 1848 wrote to memory of 3136	1848	rundll32.exe	89
PID 1848 wrote to memory of 3136	1848	rundll32.exe	89
PID 1848 wrote to memory of 3136	1848	rundll32.exe	89
PID 1848 wrote to memory of 3136	1848	rundll32.exe	89
PID 1848 wrote to memory of 3136	1848	rundll32.exe	89
PID 1848 wrote to memory of 3136	1848	rundll32.exe	89

C:\Users\Admin\AppData\Local\Temp\9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe
"C:\Users\Admin\AppData\Local\Temp\9fdbd2a7d21d38f8a1f2992d5a911d11670d745beb3b495153529818ec116e22.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Users\Admin\YxxYdyYQjJrjvZi\YxxYdyYQjJrjvZi.dll Run
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    PID:1984
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3136

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\YxxYdyYQjJrjvZi\Adobe_Acrobat_Reader.iso.torrent

Filesize
27KB

MD5
8f7a9bbe57497bf7d14eef54a82db429

SHA1
31c8b1153bf71fbaab2ab9f4e217cae56ca85b42

SHA256
63dfbd090392608811252e3068513c0510726fc6220f7a3ccc9e776a40a2a85f

SHA512
600aaaf9c89f07a5bd80633644ecb47eaf5efa8488336738ee4e934d07ac2b93afd5a0bf258abe48fa21e88f93688ad043eadae21753394da2d1316c8a875b20

Download Submit
C:\Users\Admin\YxxYdyYQjJrjvZi\YxxYdyYQjJrjvZi

Filesize
661KB

MD5
deffe3fe6f0542887a4a1c71db33061c

SHA1
12c2b538a2c14abbc489994c5f38fcc97869b2f4

SHA256
9feb47b8fcab0e0316b0405004bc778f2d37723b4fdd01bd43b02d3edf56f23b

SHA512
6c065dd8161644b9e3c6de3abeacdea0247dc4073f0c8026ccbcdac4affc297c32d924c4f6c3fb71dbcfd037f8e2d0edd42bbe28c5dcb9d5e51dafabf9f5ac83

Download Submit
C:\Users\Admin\YxxYdyYQjJrjvZi\YxxYdyYQjJrjvZi.dll

Filesize
47KB

MD5
eac27e10a0e5bcea94b35e7e1d952d22

SHA1
e0f32c04680dde525869a0bade537113c6dcbfdd

SHA256
e336ecfedd9f6ed91589aa7e6866289e0d4673e1fa10dde53bf6957da148da36

SHA512
b34d129ad6ab137edad8faac3bb4451aeec29d003dc83cb68c12e8cc19b73b9d6fa055766e5d54193d552e46cc858d7f498d70af04f6f8b5b9e9330aed7535db

Download Submit
C:\Users\Admin\YxxYdyYQjJrjvZi\YxxYdyYQjJrjvZi.lnk

Filesize
804B

MD5
181e68d7417cc5005be1eb887a661538

SHA1
65e6bfd1b88a968bbec2a69832e7b987370effde

SHA256
fd61bf74397e8cb04d1810df6da6faebd1ad26630ddffd66d2df6d7acc5deac3

SHA512
c577aedf38e850aacdb83d6e59ff13b5b973bb13a7273e38374d51b2c4a06ad65298375ad3190a4472d34dcc02d400e8f07685c5744c74c94d808ecd8b1e35aa

Download Submit
memory/1848-13-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3136-19-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3136-21-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3136-23-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3136-25-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/3136-24-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads