darkcomet | 49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94

General

Target

49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe
Size

544KB
MD5

8ebb4c054d2872a208baba4f2d6d4c35
SHA1

8c3c349de7b8a251a415634892081e192d3897ab
SHA256

49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94
SHA512

3cc09d2e2e71ec1042e2a5e9480566dacf28ad251f6b102f3d4c05825060de83f859ef01d5362906cb12cbde0f261f0bfe0e81e0062a1105289e682d3ff54236

Score

10^/10

darkcomet guest16 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

aca33.no-ip.biz:1088

Mutex

DC_MUTEX-JCDE4M2

Attributes

gencode
82Yjkqrl1Z2U
install
false
offline_keylogger
true
password
penis3311
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1500 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe

pid process

1800 49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe

pid	process
1500	svchost.exe

pid	process
1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe

description	pid	process	target process
PID 1800 set thread context of 1500	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe

pid process

1800 49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe

pid	process
1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe
Token: SeIncreaseQuotaPrivilege	1500	svchost.exe
Token: SeSecurityPrivilege	1500	svchost.exe
Token: SeTakeOwnershipPrivilege	1500	svchost.exe
Token: SeLoadDriverPrivilege	1500	svchost.exe
Token: SeSystemProfilePrivilege	1500	svchost.exe
Token: SeSystemtimePrivilege	1500	svchost.exe
Token: SeProfSingleProcessPrivilege	1500	svchost.exe
Token: SeIncBasePriorityPrivilege	1500	svchost.exe
Token: SeCreatePagefilePrivilege	1500	svchost.exe
Token: SeBackupPrivilege	1500	svchost.exe
Token: SeRestorePrivilege	1500	svchost.exe
Token: SeShutdownPrivilege	1500	svchost.exe
Token: SeDebugPrivilege	1500	svchost.exe
Token: SeSystemEnvironmentPrivilege	1500	svchost.exe
Token: SeChangeNotifyPrivilege	1500	svchost.exe
Token: SeRemoteShutdownPrivilege	1500	svchost.exe
Token: SeUndockPrivilege	1500	svchost.exe
Token: SeManageVolumePrivilege	1500	svchost.exe
Token: SeImpersonatePrivilege	1500	svchost.exe
Token: SeCreateGlobalPrivilege	1500	svchost.exe
Token: 33	1500	svchost.exe
Token: 34	1500	svchost.exe
Token: 35	1500	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

1500 svchost.exe

pid	process
1500	svchost.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exesvchost.exe

description	pid	process	target process
PID 1800 wrote to memory of 948	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	WScript.exe
PID 1800 wrote to memory of 948	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	WScript.exe
PID 1800 wrote to memory of 948	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	WScript.exe
PID 1800 wrote to memory of 948	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	WScript.exe
PID 1800 wrote to memory of 1500	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 1800 wrote to memory of 1500	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 1800 wrote to memory of 1500	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 1800 wrote to memory of 1500	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 1800 wrote to memory of 1500	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 1800 wrote to memory of 1500	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 1800 wrote to memory of 1500	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 1800 wrote to memory of 1500	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 1800 wrote to memory of 1500	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 1800 wrote to memory of 1500	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 1800 wrote to memory of 1500	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 1800 wrote to memory of 1500	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 1800 wrote to memory of 1500	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 1800 wrote to memory of 1500	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 1800 wrote to memory of 1500	1800	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe
PID 1500 wrote to memory of 268	1500	svchost.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe
"C:\Users\Admin\AppData\Local\Temp\49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc.vbs"
2⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cc.vbs
Filesize
368B

MD5
4d484d8c8b267638ff93e5d47323f010

SHA1
5d1af0d07fd60e659d23d05a73934bd79e8eb342

SHA256
2a6de7dd75db60b65edf3219a27cf182f572caac0d71ef7bd5e841b06b2df5af

SHA512
8c9db7c749aa309e094e26c1ed1f0a7b071fbf63dfef8197c5d45694ee2f59bb50643bfa46fa6102e2268d175ac41d3f121c783464b86294de4639736f1d8b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/268-68-0x0000000000000000-mapping.dmp

Download
memory/948-56-0x0000000000000000-mapping.dmp

Download
memory/1500-60-0x000000000048F888-mapping.dmp

Download
memory/1500-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1500-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1500-59-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1500-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1500-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1800-54-0x0000000074E91000-0x0000000074E93000-memory.dmp

Filesize
8KB

Download
memory/1800-63-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Filesize
5.7MB

Download
memory/1800-55-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads