darkcomet | 5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61

General

Target

5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Size

288KB
MD5

a7bad7d93f16b3d325cf7d8935b9a7e0
SHA1

4e2b8b29b47c16fbea3d80e48f17922b519c4671
SHA256

5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61
SHA512

5a4025a7a0e47a1d6147760207cbcd3ea8fecbc7947d326e34aa381ccd28173052e69766ebc8beb659816989822e8178255ecfb73eab0c7be6d4d18ed9df2afc

Score

10^/10

darkcomet öííé rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

ÖÍíÉ

C2

yasserr.no-ip.biz:1600

Mutex

DC_MUTEX-L4W8GMZ

Attributes

gencode
YHXRle1HaV3y
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1140-57-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1140-59-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1140-60-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1140-63-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1140-67-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1140-68-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1140-69-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

Processes:

5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exeiexplore.exe

description	pid	process	target process
PID 2024 set thread context of 1140	2024	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
PID 1140 set thread context of 1744	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	iexplore.exe
PID 1744 set thread context of 1264	1744	iexplore.exe	iexplore.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeSecurityPrivilege	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeTakeOwnershipPrivilege	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeLoadDriverPrivilege	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeSystemProfilePrivilege	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeSystemtimePrivilege	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeProfSingleProcessPrivilege	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeIncBasePriorityPrivilege	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeCreatePagefilePrivilege	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeBackupPrivilege	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeRestorePrivilege	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeShutdownPrivilege	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeDebugPrivilege	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeSystemEnvironmentPrivilege	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeChangeNotifyPrivilege	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeRemoteShutdownPrivilege	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeUndockPrivilege	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeManageVolumePrivilege	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeImpersonatePrivilege	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeCreateGlobalPrivilege	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: 33	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: 34	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: 35	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeIncreaseQuotaPrivilege	1264	iexplore.exe
Token: SeSecurityPrivilege	1264	iexplore.exe
Token: SeTakeOwnershipPrivilege	1264	iexplore.exe
Token: SeLoadDriverPrivilege	1264	iexplore.exe
Token: SeSystemProfilePrivilege	1264	iexplore.exe
Token: SeSystemtimePrivilege	1264	iexplore.exe
Token: SeProfSingleProcessPrivilege	1264	iexplore.exe
Token: SeIncBasePriorityPrivilege	1264	iexplore.exe
Token: SeCreatePagefilePrivilege	1264	iexplore.exe
Token: SeBackupPrivilege	1264	iexplore.exe
Token: SeRestorePrivilege	1264	iexplore.exe
Token: SeShutdownPrivilege	1264	iexplore.exe
Token: SeDebugPrivilege	1264	iexplore.exe
Token: SeSystemEnvironmentPrivilege	1264	iexplore.exe
Token: SeChangeNotifyPrivilege	1264	iexplore.exe
Token: SeRemoteShutdownPrivilege	1264	iexplore.exe
Token: SeUndockPrivilege	1264	iexplore.exe
Token: SeManageVolumePrivilege	1264	iexplore.exe
Token: SeImpersonatePrivilege	1264	iexplore.exe
Token: SeCreateGlobalPrivilege	1264	iexplore.exe
Token: 33	1264	iexplore.exe
Token: 34	1264	iexplore.exe
Token: 35	1264	iexplore.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exeiexplore.exeiexplore.exe

pid process

2024 5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
1744 iexplore.exe
1264 iexplore.exe

pid	process
2024	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
1744	iexplore.exe
1264	iexplore.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exeiexplore.exe

description	pid	process	target process
PID 2024 wrote to memory of 1140	2024	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
PID 2024 wrote to memory of 1140	2024	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
PID 2024 wrote to memory of 1140	2024	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
PID 2024 wrote to memory of 1140	2024	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
PID 2024 wrote to memory of 1140	2024	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
PID 2024 wrote to memory of 1140	2024	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
PID 2024 wrote to memory of 1140	2024	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
PID 2024 wrote to memory of 1140	2024	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
PID 1140 wrote to memory of 1744	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	iexplore.exe
PID 1140 wrote to memory of 1744	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	iexplore.exe
PID 1140 wrote to memory of 1744	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	iexplore.exe
PID 1140 wrote to memory of 1744	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	iexplore.exe
PID 1140 wrote to memory of 1744	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	iexplore.exe
PID 1140 wrote to memory of 1744	1140	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	iexplore.exe
PID 1744 wrote to memory of 1264	1744	iexplore.exe	iexplore.exe
PID 1744 wrote to memory of 1264	1744	iexplore.exe	iexplore.exe
PID 1744 wrote to memory of 1264	1744	iexplore.exe	iexplore.exe
PID 1744 wrote to memory of 1264	1744	iexplore.exe	iexplore.exe
PID 1744 wrote to memory of 1264	1744	iexplore.exe	iexplore.exe
PID 1744 wrote to memory of 1264	1744	iexplore.exe	iexplore.exe
PID 1744 wrote to memory of 1264	1744	iexplore.exe	iexplore.exe
PID 1744 wrote to memory of 1264	1744	iexplore.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
"C:\Users\Admin\AppData\Local\Temp\5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
C:\Users\Admin\AppData\Local\Temp\5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1140-66-0x00000000765D1000-0x00000000765D3000-memory.dmp

Filesize
8KB

Download
memory/1140-57-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1140-59-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1140-60-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1140-61-0x00000000004B3B40-mapping.dmp

Download
memory/1140-63-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1140-56-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1140-67-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1140-68-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1140-69-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2024-62-0x0000000000400000-0x000000000060E894-memory.dmp

Filesize
2.1MB

Download
memory/2024-64-0x0000000002DC0000-0x0000000002FCF000-memory.dmp

Filesize
2.1MB

Download
memory/2024-65-0x0000000000400000-0x000000000060E894-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads