darkcomet | dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b

General

Target

dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe
Size

975KB
MD5

599d467764f284582ec10a55362a9ae7
SHA1

6b2ad378d36c7f17183a5a4f9d660ff580e4cd8e
SHA256

dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b
SHA512

b60fcd50148e119a18711dda0b233b8dca9168d908ab4bbdb21bf2de5a2ec5f5629ed0210314725cf1f43fcb960b151899a45acb8e95f63cb40daf0d06fc3b42

Score

10^/10

darkcomet imagesz rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

IMAGESZ

C2

manymoney-70.no-ip.org:82

Mutex

DC_MUTEX-9MB7QNH

Attributes

gencode
xUDwyyxhTSgj
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

detect.exedetect.exe

pid process

1412 detect.exe
328 detect.exe

pid	process
1412	detect.exe
328	detect.exe

Drops startup file 1 IoCs

Processes:

dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ID Detector.vbs	dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe

Loads dropped DLL 1 IoCs

Processes:

dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe

pid process

1356 dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

detect.exe

description pid process target process

PID 1412 set thread context of 328 1412 detect.exe detect.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

detect.exe

pid process

1412 detect.exe
1412 detect.exe

pid	process
1356	dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe

description	pid	process	target process
PID 1412 set thread context of 328	1412	detect.exe	detect.exe

pid	process
1412	detect.exe
1412	detect.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

detect.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	328	detect.exe
Token: SeSecurityPrivilege	328	detect.exe
Token: SeTakeOwnershipPrivilege	328	detect.exe
Token: SeLoadDriverPrivilege	328	detect.exe
Token: SeSystemProfilePrivilege	328	detect.exe
Token: SeSystemtimePrivilege	328	detect.exe
Token: SeProfSingleProcessPrivilege	328	detect.exe
Token: SeIncBasePriorityPrivilege	328	detect.exe
Token: SeCreatePagefilePrivilege	328	detect.exe
Token: SeBackupPrivilege	328	detect.exe
Token: SeRestorePrivilege	328	detect.exe
Token: SeShutdownPrivilege	328	detect.exe
Token: SeDebugPrivilege	328	detect.exe
Token: SeSystemEnvironmentPrivilege	328	detect.exe
Token: SeChangeNotifyPrivilege	328	detect.exe
Token: SeRemoteShutdownPrivilege	328	detect.exe
Token: SeUndockPrivilege	328	detect.exe
Token: SeManageVolumePrivilege	328	detect.exe
Token: SeImpersonatePrivilege	328	detect.exe
Token: SeCreateGlobalPrivilege	328	detect.exe
Token: 33	328	detect.exe
Token: 34	328	detect.exe
Token: 35	328	detect.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

detect.exe

pid process

328 detect.exe

pid	process
328	detect.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exedetect.exe

description	pid	process	target process
PID 1356 wrote to memory of 1412	1356	dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe	detect.exe
PID 1356 wrote to memory of 1412	1356	dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe	detect.exe
PID 1356 wrote to memory of 1412	1356	dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe	detect.exe
PID 1356 wrote to memory of 1412	1356	dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe	detect.exe
PID 1412 wrote to memory of 328	1412	detect.exe	detect.exe
PID 1412 wrote to memory of 328	1412	detect.exe	detect.exe
PID 1412 wrote to memory of 328	1412	detect.exe	detect.exe
PID 1412 wrote to memory of 328	1412	detect.exe	detect.exe

C:\Users\Admin\AppData\Local\Temp\dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe
"C:\Users\Admin\AppData\Local\Temp\dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
MD5
599d467764f284582ec10a55362a9ae7

SHA1
6b2ad378d36c7f17183a5a4f9d660ff580e4cd8e

SHA256
dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b

SHA512
b60fcd50148e119a18711dda0b233b8dca9168d908ab4bbdb21bf2de5a2ec5f5629ed0210314725cf1f43fcb960b151899a45acb8e95f63cb40daf0d06fc3b42

Download Submit
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
MD5
599d467764f284582ec10a55362a9ae7

SHA1
6b2ad378d36c7f17183a5a4f9d660ff580e4cd8e

SHA256
dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b

SHA512
b60fcd50148e119a18711dda0b233b8dca9168d908ab4bbdb21bf2de5a2ec5f5629ed0210314725cf1f43fcb960b151899a45acb8e95f63cb40daf0d06fc3b42

Download Submit
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
MD5
599d467764f284582ec10a55362a9ae7

SHA1
6b2ad378d36c7f17183a5a4f9d660ff580e4cd8e

SHA256
dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b

SHA512
b60fcd50148e119a18711dda0b233b8dca9168d908ab4bbdb21bf2de5a2ec5f5629ed0210314725cf1f43fcb960b151899a45acb8e95f63cb40daf0d06fc3b42

Download Submit
\Users\Admin\AppData\Roaming\ID Detector\detect.exe
MD5
599d467764f284582ec10a55362a9ae7

SHA1
6b2ad378d36c7f17183a5a4f9d660ff580e4cd8e

SHA256
dcfca45249d204785212dad0e770bc65244b6392f2b94e1e03f4272c4bbc0a6b

SHA512
b60fcd50148e119a18711dda0b233b8dca9168d908ab4bbdb21bf2de5a2ec5f5629ed0210314725cf1f43fcb960b151899a45acb8e95f63cb40daf0d06fc3b42

Download Submit
memory/328-3-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/328-4-0x000000000048F888-mapping.dmp

Download
memory/328-6-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1412-1-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads