darkcomet | 4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596

General

Target

4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Size

917KB
MD5

172580d9a126a781cc2aa5cc8a22ad21
SHA1

577bb13437762cd8a1b58991e352043d32f83dc5
SHA256

4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596
SHA512

f00c3900e9938c438981f5ae47dc9623fb0088b41f8353f3572e2da3f5c4d7d7eb074a0cd7d0e3c6b9c4c1185b6205c54fd9ffedc2219db202ea44f38f922bcf

Score

10^/10

darkcomet may20 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

May20

C2

boki.zapto.org:1905

Mutex

DCMIN_MUTEX-6VJYRTE

Attributes

gencode
WjEU51BQp8qK
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Suspicious use of SetThreadContext 1 IoCs

Processes:

4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe

description	pid	process	target process
PID 412 set thread context of 3588	412	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1020 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe

pid process

412 4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe

pid	process
1020	schtasks.exe

pid	process
412	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe

description	pid	process
Token: SeDebugPrivilege	412	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: SeIncreaseQuotaPrivilege	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: SeSecurityPrivilege	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: SeTakeOwnershipPrivilege	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: SeLoadDriverPrivilege	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: SeSystemProfilePrivilege	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: SeSystemtimePrivilege	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: SeProfSingleProcessPrivilege	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: SeIncBasePriorityPrivilege	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: SeCreatePagefilePrivilege	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: SeBackupPrivilege	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: SeRestorePrivilege	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: SeShutdownPrivilege	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: SeDebugPrivilege	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: SeSystemEnvironmentPrivilege	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: SeChangeNotifyPrivilege	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: SeRemoteShutdownPrivilege	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: SeUndockPrivilege	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: SeManageVolumePrivilege	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: SeImpersonatePrivilege	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: SeCreateGlobalPrivilege	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: 33	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: 34	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: 35	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
Token: 36	3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe

pid process

3588 4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe

pid	process
3588	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe

C:\Users\Admin\AppData\Local\Temp\4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
"C:\Users\Admin\AppData\Local\Temp\4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BvFpflchD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5039.tmp"
2⤵
- Creates scheduled task(s)
PID:1020

C:\Users\Admin\AppData\Local\Temp\4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5039.tmp
MD5
07f41a6fdde3103c2d7ea8656ea3e242

SHA1
6f3537ffbe795d8017c539e31e1295982981e5ec

SHA256
0ad332e8275bf3c8fbdb0df631cc97ab880b3e1531ff61f32702bca0482bd031

SHA512
a396001b6b9de3a2d6d48677cc7182134f8e551e616de5b44e2a939806d0df284e9dc7621432a733b0ae0babfdd0aea051f2b6b7ee918e5f6b5880c51164a6dd

Download Submit
memory/1020-2-0x0000000000000000-mapping.dmp

Download
memory/3588-4-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3588-5-0x000000000048F888-mapping.dmp

Download
memory/3588-6-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

description	pid	process	target process
PID 412 wrote to memory of 1020	412	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	schtasks.exe
PID 412 wrote to memory of 1020	412	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	schtasks.exe
PID 412 wrote to memory of 1020	412	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	schtasks.exe
PID 412 wrote to memory of 3588	412	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 412 wrote to memory of 3588	412	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 412 wrote to memory of 3588	412	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 412 wrote to memory of 3588	412	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 412 wrote to memory of 3588	412	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 412 wrote to memory of 3588	412	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 412 wrote to memory of 3588	412	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 412 wrote to memory of 3588	412	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 412 wrote to memory of 3588	412	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 412 wrote to memory of 3588	412	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 412 wrote to memory of 3588	412	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe
PID 412 wrote to memory of 3588	412	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe	4af88f5467e746369b32d26fbd469e25c3867b138d9ac3126c6874f642590596.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads