darkcomet | 6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7

Analysis

max time kernel
5s
max time network
16s
platform
windows7_x64
resource
win7v20201028
submitted
09-11-2020 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
Size

1.5MB
MD5

126f5757d251196b27ca858ca09d4a0f
SHA1

b769b92f612f2cb9b3cee69bcfd60fae8a1909c1
SHA256

6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7
SHA512

b74ba3f24d84ca23a83b0b07d51a9322486aba0497ee5682b45a661437125168eecec98f9a7ae57352cee647efb3ffd218f738fbaaef9cdb7cbda046edcde23d

Score

10^/10

darkcomet runescape rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Runescape

mrsnickers03.no-ip.biz:340

Mutex

DC_MUTEX-6ZFK11A

Attributes

gencode
uNwew4gojxtu
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1796-35-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1796-39-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1796-40-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/912-95-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/912-101-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/912-102-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe

description	pid	process	target process
PID 1320 set thread context of 1788	1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	svchost.exe
PID 1320 set thread context of 1796	1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe
1788	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exesvchost.exe6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe

pid	process
1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
1788	svchost.exe
1796	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe

description	pid	process	target process
PID 1320 wrote to memory of 1788	1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	svchost.exe
PID 1320 wrote to memory of 1788	1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	svchost.exe
PID 1320 wrote to memory of 1788	1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	svchost.exe
PID 1320 wrote to memory of 1788	1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	svchost.exe
PID 1320 wrote to memory of 1788	1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	svchost.exe
PID 1320 wrote to memory of 1788	1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	svchost.exe
PID 1320 wrote to memory of 1788	1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	svchost.exe
PID 1320 wrote to memory of 1788	1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	svchost.exe
PID 1320 wrote to memory of 1788	1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	svchost.exe
PID 1320 wrote to memory of 1788	1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	svchost.exe
PID 1320 wrote to memory of 1796	1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
PID 1320 wrote to memory of 1796	1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
PID 1320 wrote to memory of 1796	1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
PID 1320 wrote to memory of 1796	1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
PID 1320 wrote to memory of 1796	1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
PID 1320 wrote to memory of 1796	1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
PID 1320 wrote to memory of 1796	1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
PID 1320 wrote to memory of 1796	1320	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe	6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe

C:\Users\Admin\AppData\Local\Temp\6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
"C:\Users\Admin\AppData\Local\Temp\6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1788

C:\Users\Admin\AppData\Local\Temp\6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe
"C:\Users\Admin\AppData\Local\Temp\6a509f49d4ab35b9fc7ccc9df957ec64c1dc7f65e3a8f64c68b6a560adc9b6e7.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AFVWT.bat

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
d848b109b732273333bfff5ec575e326

SHA1
27b3b78ccac3a7af1e9fb7f4feef1451462cdbc3

SHA256
5a7d91dcf39b5c3ae317b3b8675e8e89874c9df9f3899ed3a74c7595c1d95b55

SHA512
aa4272f08d0c1f4076b4f7cbc81a68a80c83f4d9773db390b0815c493d7071d2ce2d326c5436c17f302edc76fa0665ad4c44613774042d8fe85591eaa9a76d55

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
d848b109b732273333bfff5ec575e326

SHA1
27b3b78ccac3a7af1e9fb7f4feef1451462cdbc3

SHA256
5a7d91dcf39b5c3ae317b3b8675e8e89874c9df9f3899ed3a74c7595c1d95b55

SHA512
aa4272f08d0c1f4076b4f7cbc81a68a80c83f4d9773db390b0815c493d7071d2ce2d326c5436c17f302edc76fa0665ad4c44613774042d8fe85591eaa9a76d55

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
d848b109b732273333bfff5ec575e326

SHA1
27b3b78ccac3a7af1e9fb7f4feef1451462cdbc3

SHA256
5a7d91dcf39b5c3ae317b3b8675e8e89874c9df9f3899ed3a74c7595c1d95b55

SHA512
aa4272f08d0c1f4076b4f7cbc81a68a80c83f4d9773db390b0815c493d7071d2ce2d326c5436c17f302edc76fa0665ad4c44613774042d8fe85591eaa9a76d55

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
d848b109b732273333bfff5ec575e326

SHA1
27b3b78ccac3a7af1e9fb7f4feef1451462cdbc3

SHA256
5a7d91dcf39b5c3ae317b3b8675e8e89874c9df9f3899ed3a74c7595c1d95b55

SHA512
aa4272f08d0c1f4076b4f7cbc81a68a80c83f4d9773db390b0815c493d7071d2ce2d326c5436c17f302edc76fa0665ad4c44613774042d8fe85591eaa9a76d55

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
d848b109b732273333bfff5ec575e326

SHA1
27b3b78ccac3a7af1e9fb7f4feef1451462cdbc3

SHA256
5a7d91dcf39b5c3ae317b3b8675e8e89874c9df9f3899ed3a74c7595c1d95b55

SHA512
aa4272f08d0c1f4076b4f7cbc81a68a80c83f4d9773db390b0815c493d7071d2ce2d326c5436c17f302edc76fa0665ad4c44613774042d8fe85591eaa9a76d55

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
d848b109b732273333bfff5ec575e326

SHA1
27b3b78ccac3a7af1e9fb7f4feef1451462cdbc3

SHA256
5a7d91dcf39b5c3ae317b3b8675e8e89874c9df9f3899ed3a74c7595c1d95b55

SHA512
aa4272f08d0c1f4076b4f7cbc81a68a80c83f4d9773db390b0815c493d7071d2ce2d326c5436c17f302edc76fa0665ad4c44613774042d8fe85591eaa9a76d55

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
d848b109b732273333bfff5ec575e326

SHA1
27b3b78ccac3a7af1e9fb7f4feef1451462cdbc3

SHA256
5a7d91dcf39b5c3ae317b3b8675e8e89874c9df9f3899ed3a74c7595c1d95b55

SHA512
aa4272f08d0c1f4076b4f7cbc81a68a80c83f4d9773db390b0815c493d7071d2ce2d326c5436c17f302edc76fa0665ad4c44613774042d8fe85591eaa9a76d55

Download Submit
memory/300-43-0x0000000000000000-mapping.dmp

Download
memory/744-45-0x0000000000000000-mapping.dmp

Download
memory/912-95-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/912-97-0x00000000004B5210-mapping.dmp

Download
memory/912-101-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/912-102-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1000-71-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-78-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-83-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-82-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-81-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-80-0x0000000000278000-0x0000000000279000-memory.dmp

Filesize
4KB

Download
memory/1000-79-0x0000000000278000-0x0000000000279000-memory.dmp

Filesize
4KB

Download
memory/1000-77-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-76-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-75-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-72-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-70-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-69-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-57-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-66-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-65-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-64-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-63-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-62-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-61-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-60-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-51-0x0000000000000000-mapping.dmp

Download
memory/1000-59-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-58-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-56-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1000-55-0x0000000000276000-0x0000000000277000-memory.dmp

Filesize
4KB

Download
memory/1320-6-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-17-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-9-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-18-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-7-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-16-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-13-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-23-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-11-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-3-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-4-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-5-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-19-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-22-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-12-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-2-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-25-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-24-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-28-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-29-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-10-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-30-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1320-26-0x0000000000678000-0x0000000000679000-memory.dmp

Filesize
4KB

Download
memory/1320-27-0x0000000000678000-0x0000000000679000-memory.dmp

Filesize
4KB

Download
memory/1320-8-0x0000000000676000-0x0000000000677000-memory.dmp

Filesize
4KB

Download
memory/1396-86-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1396-85-0x000000000040B000-mapping.dmp

Download
memory/1396-84-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1588-91-0x00000000004085D0-mapping.dmp

Download
memory/1788-31-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1788-32-0x000000000040B000-mapping.dmp

Download
memory/1788-34-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1788-33-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1796-36-0x00000000004085D0-mapping.dmp

Download
memory/1796-35-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1796-39-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1796-40-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download