darkcomet | bbc8f1873aefb2518b9675fdda8446a2ba7dc159bab9bfd08b40e19b654ea8bb

General

Target

74556POZ_pdf.exe
Size

749KB
MD5

8c783ee344384ce8f3282675e961c3c0
SHA1

eb699861cb2ec0fdc2fb736c6f4eba93133f2100
SHA256

bbc8f1873aefb2518b9675fdda8446a2ba7dc159bab9bfd08b40e19b654ea8bb
SHA512

ed6ab8e3d8cc3a6cbbadd944d59f8112d9bb4fba2c73d9d476be4e2a9ab929e4836626e113efb72d184b275ea5c8653494fe6e8834571f0bd89f24b83d913aec

Score

10^/10

darkcomet good news rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Good News

C2

boki.zapto.org:1905

Mutex

DCMIN_MUTEX-ZAT3FJZ

Attributes

gencode
BrxJcaQU7jzd
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2560-2-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2560-4-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2560-5-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

74556POZ_pdf.exe

description pid process target process

PID 3976 set thread context of 2560 3976 74556POZ_pdf.exe 74556POZ_pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2332 schtasks.exe

description	pid	process	target process
PID 3976 set thread context of 2560	3976	74556POZ_pdf.exe	74556POZ_pdf.exe

pid	process
2332	schtasks.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

74556POZ_pdf.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2560	74556POZ_pdf.exe
Token: SeSecurityPrivilege	2560	74556POZ_pdf.exe
Token: SeTakeOwnershipPrivilege	2560	74556POZ_pdf.exe
Token: SeLoadDriverPrivilege	2560	74556POZ_pdf.exe
Token: SeSystemProfilePrivilege	2560	74556POZ_pdf.exe
Token: SeSystemtimePrivilege	2560	74556POZ_pdf.exe
Token: SeProfSingleProcessPrivilege	2560	74556POZ_pdf.exe
Token: SeIncBasePriorityPrivilege	2560	74556POZ_pdf.exe
Token: SeCreatePagefilePrivilege	2560	74556POZ_pdf.exe
Token: SeBackupPrivilege	2560	74556POZ_pdf.exe
Token: SeRestorePrivilege	2560	74556POZ_pdf.exe
Token: SeShutdownPrivilege	2560	74556POZ_pdf.exe
Token: SeDebugPrivilege	2560	74556POZ_pdf.exe
Token: SeSystemEnvironmentPrivilege	2560	74556POZ_pdf.exe
Token: SeChangeNotifyPrivilege	2560	74556POZ_pdf.exe
Token: SeRemoteShutdownPrivilege	2560	74556POZ_pdf.exe
Token: SeUndockPrivilege	2560	74556POZ_pdf.exe
Token: SeManageVolumePrivilege	2560	74556POZ_pdf.exe
Token: SeImpersonatePrivilege	2560	74556POZ_pdf.exe
Token: SeCreateGlobalPrivilege	2560	74556POZ_pdf.exe
Token: 33	2560	74556POZ_pdf.exe
Token: 34	2560	74556POZ_pdf.exe
Token: 35	2560	74556POZ_pdf.exe
Token: 36	2560	74556POZ_pdf.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

74556POZ_pdf.exe

pid process

2560 74556POZ_pdf.exe

pid	process
2560	74556POZ_pdf.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

74556POZ_pdf.exe

description	pid	process	target process
PID 3976 wrote to memory of 2332	3976	74556POZ_pdf.exe	schtasks.exe
PID 3976 wrote to memory of 2332	3976	74556POZ_pdf.exe	schtasks.exe
PID 3976 wrote to memory of 2332	3976	74556POZ_pdf.exe	schtasks.exe
PID 3976 wrote to memory of 2560	3976	74556POZ_pdf.exe	74556POZ_pdf.exe
PID 3976 wrote to memory of 2560	3976	74556POZ_pdf.exe	74556POZ_pdf.exe
PID 3976 wrote to memory of 2560	3976	74556POZ_pdf.exe	74556POZ_pdf.exe
PID 3976 wrote to memory of 2560	3976	74556POZ_pdf.exe	74556POZ_pdf.exe
PID 3976 wrote to memory of 2560	3976	74556POZ_pdf.exe	74556POZ_pdf.exe
PID 3976 wrote to memory of 2560	3976	74556POZ_pdf.exe	74556POZ_pdf.exe
PID 3976 wrote to memory of 2560	3976	74556POZ_pdf.exe	74556POZ_pdf.exe

C:\Users\Admin\AppData\Local\Temp\74556POZ_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\74556POZ_pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\igDEjuKnNuUIk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4DB8.tmp"
2⤵
- Creates scheduled task(s)
PID:2332

C:\Users\Admin\AppData\Local\Temp\74556POZ_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\74556POZ_pdf.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4DB8.tmp
MD5
dfc81f75ca0a2ea3ad5a9d5f04fc2eb0

SHA1
3cbe69b25a95af40e56d49fb0a8af1aa37deab2b

SHA256
a2e2d57d39054b6105e5812620f2b83982df7613f070463970cae66283824401

SHA512
14b1cff62ea19306fe8d514efab145848d11a6e26f538c73543aac5a76c9d868aa0414ba88b818b9052db8da53fde0fe63199466579548bd97f82ab8cf7fed73

Download Submit
memory/2332-0-0x0000000000000000-mapping.dmp

Download
memory/2560-2-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2560-3-0x00000000004B5000-mapping.dmp

Download
memory/2560-4-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2560-5-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads