darkcomet | 74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d

General

Target

74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe
Size

1.4MB
MD5

57c70ac8a46540077bc85eb33ffceea4
SHA1

1eee0eac9cd92889c2e2485fc3930251024dca3a
SHA256

74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d
SHA512

8ea27a248fcb878dece1ca23f79e244e8cdb7337f3186f3c922193cacba9910f8a3ff49bfe4f13941d7d286d464e54f229408b84f816c30df8579d4387faca86
SSDEEP

24576:v1A/bjvJyQiFqwqbKaWbxL+YthDNRjKZmbj6MUX/4bhMtwNyAGR619Z6awzwhbiG:v1ev98aWd/zRjKZjMUX/4b2twNyAVZ6a

Score

10^/10

darkcomet guest16 rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

178.118.159.7:2500

Mutex

DC_MUTEX-KTLT5KQ

Attributes

gencode
NGjrQs4d1gxe
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

insecure.exeinsecure.exe

pid process

1264 insecure.exe
1096 insecure.exe

pid	process
1264	insecure.exe
1096	insecure.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1892-54-0x0000000000400000-0x0000000000873000-memory.dmp	upx
behavioral1/memory/1892-55-0x0000000000400000-0x0000000000873000-memory.dmp	upx
\Users\Admin\AppData\Roaming\Internet Security\insecure.exe	upx
\Users\Admin\AppData\Roaming\Internet Security\insecure.exe	upx
C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe	upx
behavioral1/memory/1892-61-0x0000000000400000-0x0000000000873000-memory.dmp	upx
behavioral1/memory/1264-62-0x0000000000400000-0x0000000000873000-memory.dmp	upx
behavioral1/memory/1264-63-0x0000000000400000-0x0000000000873000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe	upx
C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe	upx
behavioral1/memory/1264-82-0x0000000000400000-0x0000000000873000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Internet Security.vbs	74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe

Loads dropped DLL 2 IoCs

Processes:

74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe

pid	process
1892	74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe
1892	74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

insecure.exe

description pid process target process

PID 1264 set thread context of 1096 1264 insecure.exe insecure.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1264 set thread context of 1096	1264	insecure.exe	insecure.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

insecure.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1096	insecure.exe
Token: SeSecurityPrivilege	1096	insecure.exe
Token: SeTakeOwnershipPrivilege	1096	insecure.exe
Token: SeLoadDriverPrivilege	1096	insecure.exe
Token: SeSystemProfilePrivilege	1096	insecure.exe
Token: SeSystemtimePrivilege	1096	insecure.exe
Token: SeProfSingleProcessPrivilege	1096	insecure.exe
Token: SeIncBasePriorityPrivilege	1096	insecure.exe
Token: SeCreatePagefilePrivilege	1096	insecure.exe
Token: SeBackupPrivilege	1096	insecure.exe
Token: SeRestorePrivilege	1096	insecure.exe
Token: SeShutdownPrivilege	1096	insecure.exe
Token: SeDebugPrivilege	1096	insecure.exe
Token: SeSystemEnvironmentPrivilege	1096	insecure.exe
Token: SeChangeNotifyPrivilege	1096	insecure.exe
Token: SeRemoteShutdownPrivilege	1096	insecure.exe
Token: SeUndockPrivilege	1096	insecure.exe
Token: SeManageVolumePrivilege	1096	insecure.exe
Token: SeImpersonatePrivilege	1096	insecure.exe
Token: SeCreateGlobalPrivilege	1096	insecure.exe
Token: 33	1096	insecure.exe
Token: 34	1096	insecure.exe
Token: 35	1096	insecure.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

insecure.exe

pid process

1096 insecure.exe

pid	process
1096	insecure.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exeinsecure.exe

description	pid	process	target process
PID 1892 wrote to memory of 1264	1892	74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe	insecure.exe
PID 1892 wrote to memory of 1264	1892	74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe	insecure.exe
PID 1892 wrote to memory of 1264	1892	74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe	insecure.exe
PID 1892 wrote to memory of 1264	1892	74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe	insecure.exe
PID 1264 wrote to memory of 1096	1264	insecure.exe	insecure.exe
PID 1264 wrote to memory of 1096	1264	insecure.exe	insecure.exe
PID 1264 wrote to memory of 1096	1264	insecure.exe	insecure.exe
PID 1264 wrote to memory of 1096	1264	insecure.exe	insecure.exe
PID 1264 wrote to memory of 1096	1264	insecure.exe	insecure.exe
PID 1264 wrote to memory of 1096	1264	insecure.exe	insecure.exe
PID 1264 wrote to memory of 1096	1264	insecure.exe	insecure.exe
PID 1264 wrote to memory of 1096	1264	insecure.exe	insecure.exe
PID 1264 wrote to memory of 1096	1264	insecure.exe	insecure.exe
PID 1264 wrote to memory of 1096	1264	insecure.exe	insecure.exe
PID 1264 wrote to memory of 1096	1264	insecure.exe	insecure.exe
PID 1264 wrote to memory of 1096	1264	insecure.exe	insecure.exe
PID 1264 wrote to memory of 1096	1264	insecure.exe	insecure.exe

C:\Users\Admin\AppData\Local\Temp\74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe
"C:\Users\Admin\AppData\Local\Temp\74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892

C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe
"C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe
"C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe
Filesize
1.4MB

MD5
57c70ac8a46540077bc85eb33ffceea4

SHA1
1eee0eac9cd92889c2e2485fc3930251024dca3a

SHA256
74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d

SHA512
8ea27a248fcb878dece1ca23f79e244e8cdb7337f3186f3c922193cacba9910f8a3ff49bfe4f13941d7d286d464e54f229408b84f816c30df8579d4387faca86

Download Submit
C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe
Filesize
1.4MB

MD5
57c70ac8a46540077bc85eb33ffceea4

SHA1
1eee0eac9cd92889c2e2485fc3930251024dca3a

SHA256
74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d

SHA512
8ea27a248fcb878dece1ca23f79e244e8cdb7337f3186f3c922193cacba9910f8a3ff49bfe4f13941d7d286d464e54f229408b84f816c30df8579d4387faca86

Download Submit
C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe
Filesize
1.4MB

MD5
57c70ac8a46540077bc85eb33ffceea4

SHA1
1eee0eac9cd92889c2e2485fc3930251024dca3a

SHA256
74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d

SHA512
8ea27a248fcb878dece1ca23f79e244e8cdb7337f3186f3c922193cacba9910f8a3ff49bfe4f13941d7d286d464e54f229408b84f816c30df8579d4387faca86

Download Submit
\Users\Admin\AppData\Roaming\Internet Security\insecure.exe
Filesize
1.4MB

MD5
57c70ac8a46540077bc85eb33ffceea4

SHA1
1eee0eac9cd92889c2e2485fc3930251024dca3a

SHA256
74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d

SHA512
8ea27a248fcb878dece1ca23f79e244e8cdb7337f3186f3c922193cacba9910f8a3ff49bfe4f13941d7d286d464e54f229408b84f816c30df8579d4387faca86

Download Submit
\Users\Admin\AppData\Roaming\Internet Security\insecure.exe
Filesize
1.4MB

MD5
57c70ac8a46540077bc85eb33ffceea4

SHA1
1eee0eac9cd92889c2e2485fc3930251024dca3a

SHA256
74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d

SHA512
8ea27a248fcb878dece1ca23f79e244e8cdb7337f3186f3c922193cacba9910f8a3ff49bfe4f13941d7d286d464e54f229408b84f816c30df8579d4387faca86

Download Submit
memory/1096-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1096-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1096-88-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1096-86-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1096-84-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1096-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1096-81-0x000000000048F888-mapping.dmp

Download
memory/1096-87-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1096-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1096-80-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1096-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1096-78-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1096-76-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1264-82-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1264-59-0x0000000000000000-mapping.dmp

Download
memory/1264-63-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1264-62-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1892-56-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1892-55-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1892-54-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1892-61-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads