darkcomet | 5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61

General

Target

5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Size

288KB
MD5

a7bad7d93f16b3d325cf7d8935b9a7e0
SHA1

4e2b8b29b47c16fbea3d80e48f17922b519c4671
SHA256

5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61
SHA512

5a4025a7a0e47a1d6147760207cbcd3ea8fecbc7947d326e34aa381ccd28173052e69766ebc8beb659816989822e8178255ecfb73eab0c7be6d4d18ed9df2afc

Score

10^/10

darkcomet öííé rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

ÖÍíÉ

C2

yasserr.no-ip.biz:1600

Mutex

DC_MUTEX-L4W8GMZ

Attributes

gencode
YHXRle1HaV3y
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2012-134-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/2012-135-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/2012-137-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/2012-138-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/2012-139-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/2012-140-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/2012-141-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

Processes:

5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exeiexplore.exe

description	pid	process	target process
PID 2788 set thread context of 2012	2788	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
PID 2012 set thread context of 3316	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	iexplore.exe
PID 3316 set thread context of 708	3316	iexplore.exe	iexplore.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeSecurityPrivilege	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeTakeOwnershipPrivilege	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeLoadDriverPrivilege	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeSystemProfilePrivilege	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeSystemtimePrivilege	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeProfSingleProcessPrivilege	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeIncBasePriorityPrivilege	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeCreatePagefilePrivilege	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeBackupPrivilege	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeRestorePrivilege	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeShutdownPrivilege	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeDebugPrivilege	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeSystemEnvironmentPrivilege	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeChangeNotifyPrivilege	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeRemoteShutdownPrivilege	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeUndockPrivilege	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeManageVolumePrivilege	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeImpersonatePrivilege	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeCreateGlobalPrivilege	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: 33	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: 34	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: 35	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: 36	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
Token: SeIncreaseQuotaPrivilege	708	iexplore.exe
Token: SeSecurityPrivilege	708	iexplore.exe
Token: SeTakeOwnershipPrivilege	708	iexplore.exe
Token: SeLoadDriverPrivilege	708	iexplore.exe
Token: SeSystemProfilePrivilege	708	iexplore.exe
Token: SeSystemtimePrivilege	708	iexplore.exe
Token: SeProfSingleProcessPrivilege	708	iexplore.exe
Token: SeIncBasePriorityPrivilege	708	iexplore.exe
Token: SeCreatePagefilePrivilege	708	iexplore.exe
Token: SeBackupPrivilege	708	iexplore.exe
Token: SeRestorePrivilege	708	iexplore.exe
Token: SeShutdownPrivilege	708	iexplore.exe
Token: SeDebugPrivilege	708	iexplore.exe
Token: SeSystemEnvironmentPrivilege	708	iexplore.exe
Token: SeChangeNotifyPrivilege	708	iexplore.exe
Token: SeRemoteShutdownPrivilege	708	iexplore.exe
Token: SeUndockPrivilege	708	iexplore.exe
Token: SeManageVolumePrivilege	708	iexplore.exe
Token: SeImpersonatePrivilege	708	iexplore.exe
Token: SeCreateGlobalPrivilege	708	iexplore.exe
Token: 33	708	iexplore.exe
Token: 34	708	iexplore.exe
Token: 35	708	iexplore.exe
Token: 36	708	iexplore.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exeiexplore.exeiexplore.exe

pid process

2788 5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
3316 iexplore.exe
708 iexplore.exe

pid	process
2788	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
3316	iexplore.exe
708	iexplore.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exeiexplore.exe

description	pid	process	target process
PID 2788 wrote to memory of 2012	2788	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
PID 2788 wrote to memory of 2012	2788	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
PID 2788 wrote to memory of 2012	2788	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
PID 2788 wrote to memory of 2012	2788	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
PID 2788 wrote to memory of 2012	2788	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
PID 2788 wrote to memory of 2012	2788	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
PID 2788 wrote to memory of 2012	2788	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
PID 2788 wrote to memory of 2012	2788	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
PID 2012 wrote to memory of 3316	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	iexplore.exe
PID 2012 wrote to memory of 3316	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	iexplore.exe
PID 2012 wrote to memory of 3316	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	iexplore.exe
PID 2012 wrote to memory of 3316	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	iexplore.exe
PID 2012 wrote to memory of 3316	2012	5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe	iexplore.exe
PID 3316 wrote to memory of 708	3316	iexplore.exe	iexplore.exe
PID 3316 wrote to memory of 708	3316	iexplore.exe	iexplore.exe
PID 3316 wrote to memory of 708	3316	iexplore.exe	iexplore.exe
PID 3316 wrote to memory of 708	3316	iexplore.exe	iexplore.exe
PID 3316 wrote to memory of 708	3316	iexplore.exe	iexplore.exe
PID 3316 wrote to memory of 708	3316	iexplore.exe	iexplore.exe
PID 3316 wrote to memory of 708	3316	iexplore.exe	iexplore.exe
PID 3316 wrote to memory of 708	3316	iexplore.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
"C:\Users\Admin\AppData\Local\Temp\5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788

C:\Users\Admin\AppData\Local\Temp\5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
C:\Users\Admin\AppData\Local\Temp\5cd2cf4667cb58941698b9777e76eb3ae9e3454c03ff337dc569481ec9a9fd61.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3316

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2012-133-0x0000000000000000-mapping.dmp

Download
memory/2012-134-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2012-135-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2012-137-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2012-138-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2012-139-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2012-140-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2012-141-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2788-131-0x0000000000400000-0x000000000060E894-memory.dmp

Filesize
2.1MB

Download
memory/2788-136-0x0000000000400000-0x000000000060E894-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads