darkcomet | daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1

Analysis

max time kernel
6s
max time network
36s
platform
windows7_x64
resource
win7v20201028
submitted
09-11-2020 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe
Size

1.5MB
MD5

2b7f5490fba863e91bfa7d1043eaeebe
SHA1

e96c7b3494f178e82085f0ea8c093e3aaf61eb11
SHA256

daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1
SHA512

16a5e3224372a54363f84576ebd7abfef5196d89be2bb5f3afe326d6d85ab665c899cd64656ad6858ed2fc69c95f4ed377776a937cae10f9cd29e64a30833692

Score

10^/10

darkcomet runescape rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Runescape

mrsnickers03.no-ip.biz:340

Mutex

DC_MUTEX-6ZFK11A

Attributes

gencode
uNwew4gojxtu
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1128-37-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1128-39-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1128-40-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1772-96-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1772-101-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1772-102-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe

description	pid	process	target process
PID 684 set thread context of 1064	684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe	svchost.exe
PID 684 set thread context of 1128	684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe
1064	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exesvchost.exedaf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe

pid	process
684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe
1064	svchost.exe
1128	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe

description	pid	process	target process
PID 684 wrote to memory of 1064	684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe	svchost.exe
PID 684 wrote to memory of 1064	684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe	svchost.exe
PID 684 wrote to memory of 1064	684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe	svchost.exe
PID 684 wrote to memory of 1064	684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe	svchost.exe
PID 684 wrote to memory of 1064	684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe	svchost.exe
PID 684 wrote to memory of 1064	684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe	svchost.exe
PID 684 wrote to memory of 1064	684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe	svchost.exe
PID 684 wrote to memory of 1064	684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe	svchost.exe
PID 684 wrote to memory of 1064	684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe	svchost.exe
PID 684 wrote to memory of 1064	684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe	svchost.exe
PID 684 wrote to memory of 1128	684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe
PID 684 wrote to memory of 1128	684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe
PID 684 wrote to memory of 1128	684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe
PID 684 wrote to memory of 1128	684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe
PID 684 wrote to memory of 1128	684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe
PID 684 wrote to memory of 1128	684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe
PID 684 wrote to memory of 1128	684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe
PID 684 wrote to memory of 1128	684	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe	daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe

C:\Users\Admin\AppData\Local\Temp\daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe
"C:\Users\Admin\AppData\Local\Temp\daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Users\Admin\AppData\Local\Temp\daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe
"C:\Users\Admin\AppData\Local\Temp\daf9795cb3eb8ebf7ff2f451060b13f100de27119dc144e65edc290ec535e5d1.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QONRE.bat
MD5
92353035f01403e26aa2ff51c3963238

SHA1
d13f167c73bfce23a2deab8ce7c4ce9f78759ff4

SHA256
2e72a8542f8f809bfb1e4adfb481c7c5e6dc00dda7970c74692ba8d83ea0a870

SHA512
74560e33477caae3c7bc13914e4ae3c6911bbcfe257b2833155c236a158db0aca17478beb9d97f648ff1ea566005260f511361771c74203195107f4e82cce7df

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
76ecfbb99220d75886ca7d01561d2b71

SHA1
2415a1769c7f024af900e17dd3212dc240f5b97b

SHA256
8bafd4e0113e531fe26d1390ec263b95ce7dd87de028a80088a3972c4acbe7ff

SHA512
ee7ac8fd77b805374ff8e1faac4d5e5233fc36bf73727659645fbc6ca14407f4b67e8cf8e2879e7637c9fa4097a114cb4c3d994afaf462e2454d399a14f5c76a

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
76ecfbb99220d75886ca7d01561d2b71

SHA1
2415a1769c7f024af900e17dd3212dc240f5b97b

SHA256
8bafd4e0113e531fe26d1390ec263b95ce7dd87de028a80088a3972c4acbe7ff

SHA512
ee7ac8fd77b805374ff8e1faac4d5e5233fc36bf73727659645fbc6ca14407f4b67e8cf8e2879e7637c9fa4097a114cb4c3d994afaf462e2454d399a14f5c76a

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
76ecfbb99220d75886ca7d01561d2b71

SHA1
2415a1769c7f024af900e17dd3212dc240f5b97b

SHA256
8bafd4e0113e531fe26d1390ec263b95ce7dd87de028a80088a3972c4acbe7ff

SHA512
ee7ac8fd77b805374ff8e1faac4d5e5233fc36bf73727659645fbc6ca14407f4b67e8cf8e2879e7637c9fa4097a114cb4c3d994afaf462e2454d399a14f5c76a

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
76ecfbb99220d75886ca7d01561d2b71

SHA1
2415a1769c7f024af900e17dd3212dc240f5b97b

SHA256
8bafd4e0113e531fe26d1390ec263b95ce7dd87de028a80088a3972c4acbe7ff

SHA512
ee7ac8fd77b805374ff8e1faac4d5e5233fc36bf73727659645fbc6ca14407f4b67e8cf8e2879e7637c9fa4097a114cb4c3d994afaf462e2454d399a14f5c76a

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
76ecfbb99220d75886ca7d01561d2b71

SHA1
2415a1769c7f024af900e17dd3212dc240f5b97b

SHA256
8bafd4e0113e531fe26d1390ec263b95ce7dd87de028a80088a3972c4acbe7ff

SHA512
ee7ac8fd77b805374ff8e1faac4d5e5233fc36bf73727659645fbc6ca14407f4b67e8cf8e2879e7637c9fa4097a114cb4c3d994afaf462e2454d399a14f5c76a

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
76ecfbb99220d75886ca7d01561d2b71

SHA1
2415a1769c7f024af900e17dd3212dc240f5b97b

SHA256
8bafd4e0113e531fe26d1390ec263b95ce7dd87de028a80088a3972c4acbe7ff

SHA512
ee7ac8fd77b805374ff8e1faac4d5e5233fc36bf73727659645fbc6ca14407f4b67e8cf8e2879e7637c9fa4097a114cb4c3d994afaf462e2454d399a14f5c76a

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
76ecfbb99220d75886ca7d01561d2b71

SHA1
2415a1769c7f024af900e17dd3212dc240f5b97b

SHA256
8bafd4e0113e531fe26d1390ec263b95ce7dd87de028a80088a3972c4acbe7ff

SHA512
ee7ac8fd77b805374ff8e1faac4d5e5233fc36bf73727659645fbc6ca14407f4b67e8cf8e2879e7637c9fa4097a114cb4c3d994afaf462e2454d399a14f5c76a

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
76ecfbb99220d75886ca7d01561d2b71

SHA1
2415a1769c7f024af900e17dd3212dc240f5b97b

SHA256
8bafd4e0113e531fe26d1390ec263b95ce7dd87de028a80088a3972c4acbe7ff

SHA512
ee7ac8fd77b805374ff8e1faac4d5e5233fc36bf73727659645fbc6ca14407f4b67e8cf8e2879e7637c9fa4097a114cb4c3d994afaf462e2454d399a14f5c76a

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
76ecfbb99220d75886ca7d01561d2b71

SHA1
2415a1769c7f024af900e17dd3212dc240f5b97b

SHA256
8bafd4e0113e531fe26d1390ec263b95ce7dd87de028a80088a3972c4acbe7ff

SHA512
ee7ac8fd77b805374ff8e1faac4d5e5233fc36bf73727659645fbc6ca14407f4b67e8cf8e2879e7637c9fa4097a114cb4c3d994afaf462e2454d399a14f5c76a

Download Submit
memory/684-25-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-28-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-16-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-17-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-18-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-19-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-22-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-24-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-23-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-3-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-27-0x0000000000688000-0x0000000000689000-memory.dmp

Filesize
4KB

Download
memory/684-26-0x0000000000688000-0x0000000000689000-memory.dmp

Filesize
4KB

Download
memory/684-29-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-10-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-30-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-2-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-4-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-6-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-13-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-7-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-5-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-9-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-8-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-12-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/684-11-0x0000000000686000-0x0000000000687000-memory.dmp

Filesize
4KB

Download
memory/752-45-0x0000000000000000-mapping.dmp

Download
memory/824-43-0x0000000000000000-mapping.dmp

Download
memory/956-78-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-72-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-80-0x0000000000668000-0x0000000000669000-memory.dmp

Filesize
4KB

Download
memory/956-83-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-82-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-81-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-55-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-56-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-57-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-58-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-59-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-60-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-61-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-62-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-63-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-64-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-65-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-66-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-69-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-70-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-71-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-51-0x0000000000000000-mapping.dmp

Download
memory/956-75-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-76-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-77-0x0000000000666000-0x0000000000667000-memory.dmp

Filesize
4KB

Download
memory/956-79-0x0000000000668000-0x0000000000669000-memory.dmp

Filesize
4KB

Download
memory/1064-34-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1064-31-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1064-32-0x000000000040B000-mapping.dmp

Download
memory/1064-33-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1128-40-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1128-39-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1128-38-0x00000000004085D0-mapping.dmp

Download
memory/1128-37-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1740-84-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1740-86-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1740-85-0x000000000040B000-mapping.dmp

Download
memory/1772-96-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1772-98-0x00000000004B5210-mapping.dmp

Download
memory/1772-101-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1772-102-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1792-90-0x00000000004085D0-mapping.dmp

Download