darkcomet | 492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3

General

Target

492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Size

276KB
MD5

a3429a9d44f94019d94339631a2a2c39
SHA1

3b63dbf0a6f044c1cb728b79c15c784d6a107f09
SHA256

492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3
SHA512

d1ae73c9a78cb569ec6ab76ae8b6f941aa441dbbe9d821c690ea3e369d093c2655aa78a9cdd736df9b5ead8f1c962f64d4cad5ffccfabffa3eac6d7e3f04af7a

Score

10^/10

darkcomet guest16 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-2TRH0QQ

Attributes

gencode
fYebg7ya0k9F
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Suspicious use of SetThreadContext 3 IoCs

Processes:

492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exeiexplore.exe

description	pid	process	target process
PID 2844 set thread context of 2840	2844	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
PID 2840 set thread context of 3108	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe	iexplore.exe
PID 3108 set thread context of 396	3108	iexplore.exe	iexplore.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: SeSecurityPrivilege	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: SeTakeOwnershipPrivilege	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: SeLoadDriverPrivilege	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: SeSystemProfilePrivilege	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: SeSystemtimePrivilege	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: SeProfSingleProcessPrivilege	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: SeIncBasePriorityPrivilege	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: SeCreatePagefilePrivilege	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: SeBackupPrivilege	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: SeRestorePrivilege	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: SeShutdownPrivilege	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: SeDebugPrivilege	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: SeSystemEnvironmentPrivilege	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: SeChangeNotifyPrivilege	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: SeRemoteShutdownPrivilege	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: SeUndockPrivilege	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: SeManageVolumePrivilege	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: SeImpersonatePrivilege	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: SeCreateGlobalPrivilege	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: 33	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: 34	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: 35	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: 36	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
Token: SeIncreaseQuotaPrivilege	396	iexplore.exe
Token: SeSecurityPrivilege	396	iexplore.exe
Token: SeTakeOwnershipPrivilege	396	iexplore.exe
Token: SeLoadDriverPrivilege	396	iexplore.exe
Token: SeSystemProfilePrivilege	396	iexplore.exe
Token: SeSystemtimePrivilege	396	iexplore.exe
Token: SeProfSingleProcessPrivilege	396	iexplore.exe
Token: SeIncBasePriorityPrivilege	396	iexplore.exe
Token: SeCreatePagefilePrivilege	396	iexplore.exe
Token: SeBackupPrivilege	396	iexplore.exe
Token: SeRestorePrivilege	396	iexplore.exe
Token: SeShutdownPrivilege	396	iexplore.exe
Token: SeDebugPrivilege	396	iexplore.exe
Token: SeSystemEnvironmentPrivilege	396	iexplore.exe
Token: SeChangeNotifyPrivilege	396	iexplore.exe
Token: SeRemoteShutdownPrivilege	396	iexplore.exe
Token: SeUndockPrivilege	396	iexplore.exe
Token: SeManageVolumePrivilege	396	iexplore.exe
Token: SeImpersonatePrivilege	396	iexplore.exe
Token: SeCreateGlobalPrivilege	396	iexplore.exe
Token: 33	396	iexplore.exe
Token: 34	396	iexplore.exe
Token: 35	396	iexplore.exe
Token: 36	396	iexplore.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exeiexplore.exeiexplore.exe

pid process

2844 492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
3108 iexplore.exe
396 iexplore.exe

pid	process
2844	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
3108	iexplore.exe
396	iexplore.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exeiexplore.exe

description	pid	process	target process
PID 2844 wrote to memory of 2840	2844	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
PID 2844 wrote to memory of 2840	2844	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
PID 2844 wrote to memory of 2840	2844	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
PID 2844 wrote to memory of 2840	2844	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
PID 2844 wrote to memory of 2840	2844	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
PID 2844 wrote to memory of 2840	2844	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
PID 2844 wrote to memory of 2840	2844	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
PID 2840 wrote to memory of 3108	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe	iexplore.exe
PID 2840 wrote to memory of 3108	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe	iexplore.exe
PID 2840 wrote to memory of 3108	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe	iexplore.exe
PID 2840 wrote to memory of 3108	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe	iexplore.exe
PID 2840 wrote to memory of 3108	2840	492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe	iexplore.exe
PID 3108 wrote to memory of 396	3108	iexplore.exe	iexplore.exe
PID 3108 wrote to memory of 396	3108	iexplore.exe	iexplore.exe
PID 3108 wrote to memory of 396	3108	iexplore.exe	iexplore.exe
PID 3108 wrote to memory of 396	3108	iexplore.exe	iexplore.exe
PID 3108 wrote to memory of 396	3108	iexplore.exe	iexplore.exe
PID 3108 wrote to memory of 396	3108	iexplore.exe	iexplore.exe
PID 3108 wrote to memory of 396	3108	iexplore.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
"C:\Users\Admin\AppData\Local\Temp\492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2844

C:\Users\Admin\AppData\Local\Temp\492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
C:\Users\Admin\AppData\Local\Temp\492c4e86ab5eed732e29f109cb48dbef64ca7471cd2e6ab61e01f879397576e3.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3108

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2840-142-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2840-136-0x0000000000000000-mapping.dmp

Download
memory/2840-137-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2840-140-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2840-145-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2840-146-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2840-147-0x0000000002210000-0x0000000002213000-memory.dmp

Filesize
12KB

Download
memory/2844-131-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/2844-132-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/2844-135-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/2844-139-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/2844-141-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/2844-130-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads