darkcomet | be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6

General

Target

be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Size

744KB
MD5

a019db3bbafc6c2b3e1e42b1f8dc21ae
SHA1

1a6a386444a67f48b25320831ccdb7437181c65f
SHA256

be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6
SHA512

c49422d469a0fc8c8689ac8193c64cdaf7e68bae1fef65ed30feb29fbc6d03484c1789e6f836cc016d4eb50f6e4ac595a80497ee74d2f6b0d44ce72b8fce2ca5

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: SeSecurityPrivilege	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: SeTakeOwnershipPrivilege	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: SeLoadDriverPrivilege	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: SeSystemProfilePrivilege	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: SeSystemtimePrivilege	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: SeProfSingleProcessPrivilege	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: SeIncBasePriorityPrivilege	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: SeCreatePagefilePrivilege	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: SeBackupPrivilege	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: SeRestorePrivilege	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: SeShutdownPrivilege	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: SeDebugPrivilege	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: SeSystemEnvironmentPrivilege	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: SeChangeNotifyPrivilege	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: SeRemoteShutdownPrivilege	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: SeUndockPrivilege	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: SeManageVolumePrivilege	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: SeImpersonatePrivilege	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: SeCreateGlobalPrivilege	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: 33	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: 34	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: 35	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
Token: 36	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe

pid process

4040 be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe

pid	process
4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe

description	pid	process	target process
PID 4040 wrote to memory of 852	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe	iexplore.exe
PID 4040 wrote to memory of 852	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe	iexplore.exe
PID 4040 wrote to memory of 852	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe	iexplore.exe
PID 4040 wrote to memory of 996	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe	explorer.exe
PID 4040 wrote to memory of 996	4040	be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe
"C:\Users\Admin\AppData\Local\Temp\be3b1f4935d322fc7994d78ab9a9dcf7f5ec5e4001d1abaa534bd4d4ec322ad6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:996

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4040-114-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing