darkcomet | fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6

Analysis

max time kernel
8s
max time network
24s
platform
windows7_x64
resource
win7v20201028
submitted
09-11-2020 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe
Size

1.5MB
MD5

f82031ee1e40e4341bfde851b1cb4c4f
SHA1

916547b801d7b930cf98f8ad723aee5384e32623
SHA256

fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6
SHA512

57ec4eed21adf2564ec617766b045a97d5d8797bb97525c20239f15344327f7f07970903c6dbde2679e962efa1ed91137a714a76023c0999979dc1b9254aaaac

Score

10^/10

darkcomet runescape rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Runescape

mrsnickers03.no-ip.biz:340

Mutex

DC_MUTEX-6ZFK11A

Attributes

gencode
uNwew4gojxtu
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/324-34-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/324-37-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/324-40-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/960-95-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/960-101-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/960-102-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe

description	pid	process	target process
PID 1320 set thread context of 756	1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe	svchost.exe
PID 1320 set thread context of 324	1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe
756	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exesvchost.exefddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe

pid	process
1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe
756	svchost.exe
324	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe

description	pid	process	target process
PID 1320 wrote to memory of 756	1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe	svchost.exe
PID 1320 wrote to memory of 756	1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe	svchost.exe
PID 1320 wrote to memory of 756	1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe	svchost.exe
PID 1320 wrote to memory of 756	1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe	svchost.exe
PID 1320 wrote to memory of 756	1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe	svchost.exe
PID 1320 wrote to memory of 756	1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe	svchost.exe
PID 1320 wrote to memory of 756	1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe	svchost.exe
PID 1320 wrote to memory of 756	1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe	svchost.exe
PID 1320 wrote to memory of 756	1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe	svchost.exe
PID 1320 wrote to memory of 756	1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe	svchost.exe
PID 1320 wrote to memory of 324	1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe
PID 1320 wrote to memory of 324	1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe
PID 1320 wrote to memory of 324	1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe
PID 1320 wrote to memory of 324	1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe
PID 1320 wrote to memory of 324	1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe
PID 1320 wrote to memory of 324	1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe
PID 1320 wrote to memory of 324	1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe
PID 1320 wrote to memory of 324	1320	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe	fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe

C:\Users\Admin\AppData\Local\Temp\fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe
"C:\Users\Admin\AppData\Local\Temp\fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:756

C:\Users\Admin\AppData\Local\Temp\fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe
"C:\Users\Admin\AppData\Local\Temp\fddb7d6120715aad3f0661513fd2c868b14a71b25009de9c8cbeefc1fa36abc6.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BPXPD.bat
MD5
92353035f01403e26aa2ff51c3963238

SHA1
d13f167c73bfce23a2deab8ce7c4ce9f78759ff4

SHA256
2e72a8542f8f809bfb1e4adfb481c7c5e6dc00dda7970c74692ba8d83ea0a870

SHA512
74560e33477caae3c7bc13914e4ae3c6911bbcfe257b2833155c236a158db0aca17478beb9d97f648ff1ea566005260f511361771c74203195107f4e82cce7df

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e3abe77765c324ccd59392ffd46f76b2

SHA1
41b02e82a6c6807bdd5095fddc65fb0a007a590b

SHA256
a7a59a1306eae83d2195b1be6a8fa0ead45f89c2d206440ad1827e2cfd3bf4a1

SHA512
de15e1053191ddd9aaed829461affd9dfbd13a73cff4d47d6124721f7ca7153faeb8eb8c610f9ef7c70d872f6b76c325811362cc0b479cbb102b0a0f15e3bb88

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e3abe77765c324ccd59392ffd46f76b2

SHA1
41b02e82a6c6807bdd5095fddc65fb0a007a590b

SHA256
a7a59a1306eae83d2195b1be6a8fa0ead45f89c2d206440ad1827e2cfd3bf4a1

SHA512
de15e1053191ddd9aaed829461affd9dfbd13a73cff4d47d6124721f7ca7153faeb8eb8c610f9ef7c70d872f6b76c325811362cc0b479cbb102b0a0f15e3bb88

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e3abe77765c324ccd59392ffd46f76b2

SHA1
41b02e82a6c6807bdd5095fddc65fb0a007a590b

SHA256
a7a59a1306eae83d2195b1be6a8fa0ead45f89c2d206440ad1827e2cfd3bf4a1

SHA512
de15e1053191ddd9aaed829461affd9dfbd13a73cff4d47d6124721f7ca7153faeb8eb8c610f9ef7c70d872f6b76c325811362cc0b479cbb102b0a0f15e3bb88

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e3abe77765c324ccd59392ffd46f76b2

SHA1
41b02e82a6c6807bdd5095fddc65fb0a007a590b

SHA256
a7a59a1306eae83d2195b1be6a8fa0ead45f89c2d206440ad1827e2cfd3bf4a1

SHA512
de15e1053191ddd9aaed829461affd9dfbd13a73cff4d47d6124721f7ca7153faeb8eb8c610f9ef7c70d872f6b76c325811362cc0b479cbb102b0a0f15e3bb88

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e3abe77765c324ccd59392ffd46f76b2

SHA1
41b02e82a6c6807bdd5095fddc65fb0a007a590b

SHA256
a7a59a1306eae83d2195b1be6a8fa0ead45f89c2d206440ad1827e2cfd3bf4a1

SHA512
de15e1053191ddd9aaed829461affd9dfbd13a73cff4d47d6124721f7ca7153faeb8eb8c610f9ef7c70d872f6b76c325811362cc0b479cbb102b0a0f15e3bb88

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e3abe77765c324ccd59392ffd46f76b2

SHA1
41b02e82a6c6807bdd5095fddc65fb0a007a590b

SHA256
a7a59a1306eae83d2195b1be6a8fa0ead45f89c2d206440ad1827e2cfd3bf4a1

SHA512
de15e1053191ddd9aaed829461affd9dfbd13a73cff4d47d6124721f7ca7153faeb8eb8c610f9ef7c70d872f6b76c325811362cc0b479cbb102b0a0f15e3bb88

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e3abe77765c324ccd59392ffd46f76b2

SHA1
41b02e82a6c6807bdd5095fddc65fb0a007a590b

SHA256
a7a59a1306eae83d2195b1be6a8fa0ead45f89c2d206440ad1827e2cfd3bf4a1

SHA512
de15e1053191ddd9aaed829461affd9dfbd13a73cff4d47d6124721f7ca7153faeb8eb8c610f9ef7c70d872f6b76c325811362cc0b479cbb102b0a0f15e3bb88

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e3abe77765c324ccd59392ffd46f76b2

SHA1
41b02e82a6c6807bdd5095fddc65fb0a007a590b

SHA256
a7a59a1306eae83d2195b1be6a8fa0ead45f89c2d206440ad1827e2cfd3bf4a1

SHA512
de15e1053191ddd9aaed829461affd9dfbd13a73cff4d47d6124721f7ca7153faeb8eb8c610f9ef7c70d872f6b76c325811362cc0b479cbb102b0a0f15e3bb88

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e3abe77765c324ccd59392ffd46f76b2

SHA1
41b02e82a6c6807bdd5095fddc65fb0a007a590b

SHA256
a7a59a1306eae83d2195b1be6a8fa0ead45f89c2d206440ad1827e2cfd3bf4a1

SHA512
de15e1053191ddd9aaed829461affd9dfbd13a73cff4d47d6124721f7ca7153faeb8eb8c610f9ef7c70d872f6b76c325811362cc0b479cbb102b0a0f15e3bb88

Download Submit
memory/324-34-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/324-35-0x00000000004085D0-mapping.dmp

Download
memory/324-37-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/324-40-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/756-31-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/756-32-0x000000000040B000-mapping.dmp

Download
memory/756-36-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/756-33-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/896-90-0x00000000004085D0-mapping.dmp

Download
memory/960-102-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/960-98-0x00000000004B5210-mapping.dmp

Download
memory/960-95-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/960-101-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1292-45-0x0000000000000000-mapping.dmp

Download
memory/1320-25-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-30-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-28-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-29-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-26-0x0000000000728000-0x0000000000729000-memory.dmp

Filesize
4KB

Download
memory/1320-27-0x0000000000728000-0x0000000000729000-memory.dmp

Filesize
4KB

Download
memory/1320-3-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-24-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-23-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-2-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-22-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-8-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-9-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-19-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-10-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-4-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-11-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-12-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-13-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-6-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-5-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-7-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-18-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-17-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1320-16-0x0000000000726000-0x0000000000727000-memory.dmp

Filesize
4KB

Download
memory/1576-65-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-80-0x00000000006D8000-0x00000000006D9000-memory.dmp

Filesize
4KB

Download
memory/1576-61-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-66-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-64-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-63-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-69-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-70-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-71-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-72-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-75-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-76-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-77-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-78-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-79-0x00000000006D8000-0x00000000006D9000-memory.dmp

Filesize
4KB

Download
memory/1576-62-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-81-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-83-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-82-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-51-0x0000000000000000-mapping.dmp

Download
memory/1576-60-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-59-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-55-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-58-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-57-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1576-56-0x00000000006D6000-0x00000000006D7000-memory.dmp

Filesize
4KB

Download
memory/1768-43-0x0000000000000000-mapping.dmp

Download
memory/1800-86-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1800-85-0x000000000040B000-mapping.dmp

Download
memory/1800-84-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download