darkcomet | 81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a

General

Target

81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Size

1.5MB
MD5

0bdb26ca33bd21c9426be99b13227817
SHA1

c1db7ee7509179c95ba1fe81c1f438995b6d7dcb
SHA256

81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a
SHA512

a9260ac1f768db12f49aadfc719ea4bf6a71131f6a8e4da8d54be99ab429ce1ba2b660db965b7fac0c4ca32e33c575b15ae7fbe2e4699eb1bf08e1a9cf726ed8

Score

10^/10

darkcomet newport1 rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

NEWPORT1

C2

austin.mlbfan.org:2220

Mutex

DC_MUTEX-T6TM293

Attributes

gencode
gutLHsPCWP68
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/540-136-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/540-137-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/540-138-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/540-139-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/540-140-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/540-141-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/540-142-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe

description	pid	process	target process
PID 1068 set thread context of 540	1068	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: SeSecurityPrivilege	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: SeTakeOwnershipPrivilege	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: SeLoadDriverPrivilege	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: SeSystemProfilePrivilege	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: SeSystemtimePrivilege	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: SeProfSingleProcessPrivilege	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: SeIncBasePriorityPrivilege	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: SeCreatePagefilePrivilege	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: SeBackupPrivilege	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: SeRestorePrivilege	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: SeShutdownPrivilege	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: SeDebugPrivilege	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: SeSystemEnvironmentPrivilege	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: SeChangeNotifyPrivilege	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: SeRemoteShutdownPrivilege	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: SeUndockPrivilege	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: SeManageVolumePrivilege	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: SeImpersonatePrivilege	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: SeCreateGlobalPrivilege	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: 33	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: 34	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: 35	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
Token: 36	540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe

pid	process
1068	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
540	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe

description	pid	process	target process
PID 1068 wrote to memory of 540	1068	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
PID 1068 wrote to memory of 540	1068	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
PID 1068 wrote to memory of 540	1068	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
PID 1068 wrote to memory of 540	1068	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
PID 1068 wrote to memory of 540	1068	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
PID 1068 wrote to memory of 540	1068	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
PID 1068 wrote to memory of 540	1068	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
PID 1068 wrote to memory of 540	1068	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
PID 1068 wrote to memory of 540	1068	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe	81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe

C:\Users\Admin\AppData\Local\Temp\81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
"C:\Users\Admin\AppData\Local\Temp\81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Admin\AppData\Local\Temp\81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe
"C:\Users\Admin\AppData\Local\Temp\81be337ebb002a63ff0fff2c30060d91d9b07998e39b740a2763ab5d5cec831a.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/540-135-0x0000000000000000-mapping.dmp

Download
memory/540-136-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/540-137-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/540-138-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/540-139-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/540-140-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/540-141-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/540-142-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1068-134-0x0000000000860000-0x0000000000866000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads