darkcomet | 05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb

Analysis

max time kernel
4s
max time network
145s
platform
windows7_x64
resource
win7v20201028
submitted
09-11-2020 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe
Size

1.5MB
MD5

7850f2d801d0b3098635ac4fb5c13f44
SHA1

d3fceea6dbfff15d1b56e0b4f50c2f09d6768d28
SHA256

05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb
SHA512

5347b22ce57359fac0a7ccee84407403467120e5f2158cc236798617651ea5e3f8bc9c564391de47022f9e96626d89ff172b295a0614c11351926c2c8267de1b

Score

10^/10

darkcomet runescape rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Runescape

mrsnickers03.no-ip.biz:340

Mutex

DC_MUTEX-6ZFK11A

Attributes

gencode
uNwew4gojxtu
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/396-35-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/396-39-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/396-40-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1332-95-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1332-100-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1332-102-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe

description	pid	process	target process
PID 1096 set thread context of 604	1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe	svchost.exe
PID 1096 set thread context of 396	1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe
604	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exesvchost.exe05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe

pid	process
1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe
604	svchost.exe
396	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe

description	pid	process	target process
PID 1096 wrote to memory of 604	1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe	svchost.exe
PID 1096 wrote to memory of 604	1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe	svchost.exe
PID 1096 wrote to memory of 604	1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe	svchost.exe
PID 1096 wrote to memory of 604	1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe	svchost.exe
PID 1096 wrote to memory of 604	1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe	svchost.exe
PID 1096 wrote to memory of 604	1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe	svchost.exe
PID 1096 wrote to memory of 604	1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe	svchost.exe
PID 1096 wrote to memory of 604	1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe	svchost.exe
PID 1096 wrote to memory of 604	1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe	svchost.exe
PID 1096 wrote to memory of 604	1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe	svchost.exe
PID 1096 wrote to memory of 396	1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe
PID 1096 wrote to memory of 396	1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe
PID 1096 wrote to memory of 396	1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe
PID 1096 wrote to memory of 396	1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe
PID 1096 wrote to memory of 396	1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe
PID 1096 wrote to memory of 396	1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe
PID 1096 wrote to memory of 396	1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe
PID 1096 wrote to memory of 396	1096	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe	05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe

C:\Users\Admin\AppData\Local\Temp\05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe
"C:\Users\Admin\AppData\Local\Temp\05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:604

C:\Users\Admin\AppData\Local\Temp\05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe
"C:\Users\Admin\AppData\Local\Temp\05be3efe39ee1452a29d47648ec7babbd522df92abf484ac915915214f18eddb.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KPBDG.bat

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe

MD5
4a26c1166e68b912ffa4551ba79b4094

SHA1
3214c6801dfdf514b26f634da234ea37c7f31f23

SHA256
1db4aa8908126ff2655d283c0e4b70569808218bb10f531faa51b5b1b066f197

SHA512
da248390d67e6dc69a47621d26afba561fdf6188a10fe652dc127306271c6be252d16fa41307ceaaf1565709cfabab1e6f8c040e37e4052a47cf325808ba3bbb

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe

MD5
4a26c1166e68b912ffa4551ba79b4094

SHA1
3214c6801dfdf514b26f634da234ea37c7f31f23

SHA256
1db4aa8908126ff2655d283c0e4b70569808218bb10f531faa51b5b1b066f197

SHA512
da248390d67e6dc69a47621d26afba561fdf6188a10fe652dc127306271c6be252d16fa41307ceaaf1565709cfabab1e6f8c040e37e4052a47cf325808ba3bbb

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe

MD5
4a26c1166e68b912ffa4551ba79b4094

SHA1
3214c6801dfdf514b26f634da234ea37c7f31f23

SHA256
1db4aa8908126ff2655d283c0e4b70569808218bb10f531faa51b5b1b066f197

SHA512
da248390d67e6dc69a47621d26afba561fdf6188a10fe652dc127306271c6be252d16fa41307ceaaf1565709cfabab1e6f8c040e37e4052a47cf325808ba3bbb

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe

MD5
4a26c1166e68b912ffa4551ba79b4094

SHA1
3214c6801dfdf514b26f634da234ea37c7f31f23

SHA256
1db4aa8908126ff2655d283c0e4b70569808218bb10f531faa51b5b1b066f197

SHA512
da248390d67e6dc69a47621d26afba561fdf6188a10fe652dc127306271c6be252d16fa41307ceaaf1565709cfabab1e6f8c040e37e4052a47cf325808ba3bbb

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe

MD5
4a26c1166e68b912ffa4551ba79b4094

SHA1
3214c6801dfdf514b26f634da234ea37c7f31f23

SHA256
1db4aa8908126ff2655d283c0e4b70569808218bb10f531faa51b5b1b066f197

SHA512
da248390d67e6dc69a47621d26afba561fdf6188a10fe652dc127306271c6be252d16fa41307ceaaf1565709cfabab1e6f8c040e37e4052a47cf325808ba3bbb

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe

MD5
4a26c1166e68b912ffa4551ba79b4094

SHA1
3214c6801dfdf514b26f634da234ea37c7f31f23

SHA256
1db4aa8908126ff2655d283c0e4b70569808218bb10f531faa51b5b1b066f197

SHA512
da248390d67e6dc69a47621d26afba561fdf6188a10fe652dc127306271c6be252d16fa41307ceaaf1565709cfabab1e6f8c040e37e4052a47cf325808ba3bbb

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe

MD5
4a26c1166e68b912ffa4551ba79b4094

SHA1
3214c6801dfdf514b26f634da234ea37c7f31f23

SHA256
1db4aa8908126ff2655d283c0e4b70569808218bb10f531faa51b5b1b066f197

SHA512
da248390d67e6dc69a47621d26afba561fdf6188a10fe652dc127306271c6be252d16fa41307ceaaf1565709cfabab1e6f8c040e37e4052a47cf325808ba3bbb

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe

MD5
4a26c1166e68b912ffa4551ba79b4094

SHA1
3214c6801dfdf514b26f634da234ea37c7f31f23

SHA256
1db4aa8908126ff2655d283c0e4b70569808218bb10f531faa51b5b1b066f197

SHA512
da248390d67e6dc69a47621d26afba561fdf6188a10fe652dc127306271c6be252d16fa41307ceaaf1565709cfabab1e6f8c040e37e4052a47cf325808ba3bbb

Download Submit
memory/396-37-0x00000000004085D0-mapping.dmp

Download
memory/396-40-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/396-39-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/396-35-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/600-43-0x0000000000000000-mapping.dmp

Download
memory/604-31-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/604-33-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/604-34-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/604-32-0x000000000040B000-mapping.dmp

Download
memory/980-45-0x0000000000000000-mapping.dmp

Download
memory/1096-18-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-11-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-29-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-28-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-30-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-27-0x0000000000618000-0x0000000000619000-memory.dmp

Filesize
4KB

Download
memory/1096-4-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-22-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-23-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-24-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-25-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-19-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-17-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-16-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-10-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-26-0x0000000000618000-0x0000000000619000-memory.dmp

Filesize
4KB

Download
memory/1096-13-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-12-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-5-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-9-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-8-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-7-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-6-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-2-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1096-3-0x0000000000616000-0x0000000000617000-memory.dmp

Filesize
4KB

Download
memory/1332-97-0x00000000004B5210-mapping.dmp

Download
memory/1332-100-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1332-95-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1332-102-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1500-62-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-81-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-65-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-64-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-66-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-56-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-69-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-71-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-72-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-70-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-75-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-76-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-78-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-79-0x0000000000298000-0x0000000000299000-memory.dmp

Filesize
4KB

Download
memory/1500-80-0x0000000000298000-0x0000000000299000-memory.dmp

Filesize
4KB

Download
memory/1500-63-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-82-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-83-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-77-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-51-0x0000000000000000-mapping.dmp

Download
memory/1500-55-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-61-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-57-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-60-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-59-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1500-58-0x0000000000296000-0x0000000000297000-memory.dmp

Filesize
4KB

Download
memory/1600-86-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1600-84-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1600-85-0x000000000040B000-mapping.dmp

Download
memory/1604-90-0x00000000004085D0-mapping.dmp

Download