darkcomet | 1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d

Analysis

max time kernel
5s
max time network
20s
platform
windows7_x64
resource
win7v20201028
submitted
09-11-2020 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe
Size

1.5MB
MD5

f698d9599a22fa3e124d701f980e7e03
SHA1

0e427b8f1bc24adfe0f7987f3dcc3114b5d42db2
SHA256

1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d
SHA512

af872f3d3373f94e05626a20e4e24128b8d7eb243135ba07b9ffd7487c2d627c1bd03c40c0dccedca3c8ceda15d5622f3da82c4840359660e39ae06608096e88

Score

10^/10

darkcomet runescape rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Runescape

mrsnickers03.no-ip.biz:340

Mutex

DC_MUTEX-6ZFK11A

Attributes

gencode
uNwew4gojxtu
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1700-34-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1700-38-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1700-40-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1680-95-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1680-101-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1680-102-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe

description	pid	process	target process
PID 1032 set thread context of 1584	1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe	svchost.exe
PID 1032 set thread context of 1700	1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe
1584	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exesvchost.exe1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe

pid	process
1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe
1584	svchost.exe
1700	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe

description	pid	process	target process
PID 1032 wrote to memory of 1584	1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe	svchost.exe
PID 1032 wrote to memory of 1584	1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe	svchost.exe
PID 1032 wrote to memory of 1584	1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe	svchost.exe
PID 1032 wrote to memory of 1584	1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe	svchost.exe
PID 1032 wrote to memory of 1584	1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe	svchost.exe
PID 1032 wrote to memory of 1584	1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe	svchost.exe
PID 1032 wrote to memory of 1584	1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe	svchost.exe
PID 1032 wrote to memory of 1584	1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe	svchost.exe
PID 1032 wrote to memory of 1584	1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe	svchost.exe
PID 1032 wrote to memory of 1584	1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe	svchost.exe
PID 1032 wrote to memory of 1700	1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe
PID 1032 wrote to memory of 1700	1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe
PID 1032 wrote to memory of 1700	1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe
PID 1032 wrote to memory of 1700	1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe
PID 1032 wrote to memory of 1700	1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe
PID 1032 wrote to memory of 1700	1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe
PID 1032 wrote to memory of 1700	1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe
PID 1032 wrote to memory of 1700	1032	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe	1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe

C:\Users\Admin\AppData\Local\Temp\1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe
"C:\Users\Admin\AppData\Local\Temp\1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Users\Admin\AppData\Local\Temp\1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe
"C:\Users\Admin\AppData\Local\Temp\1799808de09806324f588feb45dc4f5a60bb0dc558cf183395f93858f034e91d.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SUGKP.bat
MD5
92353035f01403e26aa2ff51c3963238

SHA1
d13f167c73bfce23a2deab8ce7c4ce9f78759ff4

SHA256
2e72a8542f8f809bfb1e4adfb481c7c5e6dc00dda7970c74692ba8d83ea0a870

SHA512
74560e33477caae3c7bc13914e4ae3c6911bbcfe257b2833155c236a158db0aca17478beb9d97f648ff1ea566005260f511361771c74203195107f4e82cce7df

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e361e24c442aa1b09d5e3ef2abd1ff1c

SHA1
15bb0b8d8409ffc0e7ff690caa6df11f8dfbf970

SHA256
59fb5f0e393e48920b3baa959ceea7b64812f2f0a2b13ed5568315b84d065192

SHA512
0b05befcab459b13a79f24415819b7e443725d82fd6f9fcee29a7de9de32f83383b9f95a13c3e29dce780de0b95c0deb99b419daebbe9cfa41e196c00acbfa22

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e361e24c442aa1b09d5e3ef2abd1ff1c

SHA1
15bb0b8d8409ffc0e7ff690caa6df11f8dfbf970

SHA256
59fb5f0e393e48920b3baa959ceea7b64812f2f0a2b13ed5568315b84d065192

SHA512
0b05befcab459b13a79f24415819b7e443725d82fd6f9fcee29a7de9de32f83383b9f95a13c3e29dce780de0b95c0deb99b419daebbe9cfa41e196c00acbfa22

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e361e24c442aa1b09d5e3ef2abd1ff1c

SHA1
15bb0b8d8409ffc0e7ff690caa6df11f8dfbf970

SHA256
59fb5f0e393e48920b3baa959ceea7b64812f2f0a2b13ed5568315b84d065192

SHA512
0b05befcab459b13a79f24415819b7e443725d82fd6f9fcee29a7de9de32f83383b9f95a13c3e29dce780de0b95c0deb99b419daebbe9cfa41e196c00acbfa22

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e361e24c442aa1b09d5e3ef2abd1ff1c

SHA1
15bb0b8d8409ffc0e7ff690caa6df11f8dfbf970

SHA256
59fb5f0e393e48920b3baa959ceea7b64812f2f0a2b13ed5568315b84d065192

SHA512
0b05befcab459b13a79f24415819b7e443725d82fd6f9fcee29a7de9de32f83383b9f95a13c3e29dce780de0b95c0deb99b419daebbe9cfa41e196c00acbfa22

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e361e24c442aa1b09d5e3ef2abd1ff1c

SHA1
15bb0b8d8409ffc0e7ff690caa6df11f8dfbf970

SHA256
59fb5f0e393e48920b3baa959ceea7b64812f2f0a2b13ed5568315b84d065192

SHA512
0b05befcab459b13a79f24415819b7e443725d82fd6f9fcee29a7de9de32f83383b9f95a13c3e29dce780de0b95c0deb99b419daebbe9cfa41e196c00acbfa22

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e361e24c442aa1b09d5e3ef2abd1ff1c

SHA1
15bb0b8d8409ffc0e7ff690caa6df11f8dfbf970

SHA256
59fb5f0e393e48920b3baa959ceea7b64812f2f0a2b13ed5568315b84d065192

SHA512
0b05befcab459b13a79f24415819b7e443725d82fd6f9fcee29a7de9de32f83383b9f95a13c3e29dce780de0b95c0deb99b419daebbe9cfa41e196c00acbfa22

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e361e24c442aa1b09d5e3ef2abd1ff1c

SHA1
15bb0b8d8409ffc0e7ff690caa6df11f8dfbf970

SHA256
59fb5f0e393e48920b3baa959ceea7b64812f2f0a2b13ed5568315b84d065192

SHA512
0b05befcab459b13a79f24415819b7e443725d82fd6f9fcee29a7de9de32f83383b9f95a13c3e29dce780de0b95c0deb99b419daebbe9cfa41e196c00acbfa22

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e361e24c442aa1b09d5e3ef2abd1ff1c

SHA1
15bb0b8d8409ffc0e7ff690caa6df11f8dfbf970

SHA256
59fb5f0e393e48920b3baa959ceea7b64812f2f0a2b13ed5568315b84d065192

SHA512
0b05befcab459b13a79f24415819b7e443725d82fd6f9fcee29a7de9de32f83383b9f95a13c3e29dce780de0b95c0deb99b419daebbe9cfa41e196c00acbfa22

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
e361e24c442aa1b09d5e3ef2abd1ff1c

SHA1
15bb0b8d8409ffc0e7ff690caa6df11f8dfbf970

SHA256
59fb5f0e393e48920b3baa959ceea7b64812f2f0a2b13ed5568315b84d065192

SHA512
0b05befcab459b13a79f24415819b7e443725d82fd6f9fcee29a7de9de32f83383b9f95a13c3e29dce780de0b95c0deb99b419daebbe9cfa41e196c00acbfa22

Download Submit
memory/112-84-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/112-86-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/112-85-0x000000000040B000-mapping.dmp

Download
memory/816-71-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-78-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-83-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-82-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-81-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-80-0x0000000000638000-0x0000000000639000-memory.dmp

Filesize
4KB

Download
memory/816-79-0x0000000000638000-0x0000000000639000-memory.dmp

Filesize
4KB

Download
memory/816-77-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-76-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-75-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-72-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-70-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-69-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-66-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-65-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-64-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-63-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-62-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-61-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-60-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-59-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-58-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-57-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-56-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-55-0x0000000000636000-0x0000000000637000-memory.dmp

Filesize
4KB

Download
memory/816-51-0x0000000000000000-mapping.dmp

Download
memory/1004-43-0x0000000000000000-mapping.dmp

Download
memory/1032-7-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-9-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-8-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-13-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-16-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-28-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-17-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-12-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-2-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-29-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-6-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-5-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-11-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-26-0x00000000002D8000-0x00000000002D9000-memory.dmp

Filesize
4KB

Download
memory/1032-10-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-19-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-30-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-3-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-23-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-4-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-22-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-27-0x00000000002D8000-0x00000000002D9000-memory.dmp

Filesize
4KB

Download
memory/1032-18-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-24-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1032-25-0x00000000002D6000-0x00000000002D7000-memory.dmp

Filesize
4KB

Download
memory/1348-45-0x0000000000000000-mapping.dmp

Download
memory/1584-35-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1584-31-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1584-32-0x000000000040B000-mapping.dmp

Download
memory/1584-33-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1680-95-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1680-97-0x00000000004B5210-mapping.dmp

Download
memory/1680-101-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1680-102-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1700-34-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1700-38-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1700-36-0x00000000004085D0-mapping.dmp

Download
memory/1700-40-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1912-90-0x00000000004085D0-mapping.dmp

Download