darkcomet | 74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d

General

Target

74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe
Size

1.4MB
MD5

57c70ac8a46540077bc85eb33ffceea4
SHA1

1eee0eac9cd92889c2e2485fc3930251024dca3a
SHA256

74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d
SHA512

8ea27a248fcb878dece1ca23f79e244e8cdb7337f3186f3c922193cacba9910f8a3ff49bfe4f13941d7d286d464e54f229408b84f816c30df8579d4387faca86
SSDEEP

24576:v1A/bjvJyQiFqwqbKaWbxL+YthDNRjKZmbj6MUX/4bhMtwNyAGR619Z6awzwhbiG:v1ev98aWd/zRjKZjMUX/4b2twNyAVZ6a

Score

10^/10

darkcomet guest16 rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

178.118.159.7:2500

Mutex

DC_MUTEX-KTLT5KQ

Attributes

gencode
NGjrQs4d1gxe
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

insecure.exeinsecure.exe

pid process

3784 insecure.exe
4684 insecure.exe

pid	process
3784	insecure.exe
4684	insecure.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5008-132-0x0000000000400000-0x0000000000873000-memory.dmp	upx
behavioral2/memory/5008-133-0x0000000000400000-0x0000000000873000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe	upx
C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe	upx
behavioral2/memory/5008-137-0x0000000000400000-0x0000000000873000-memory.dmp	upx
behavioral2/memory/3784-138-0x0000000000400000-0x0000000000873000-memory.dmp	upx
behavioral2/memory/3784-139-0x0000000000400000-0x0000000000873000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe	upx
behavioral2/memory/3784-144-0x0000000000400000-0x0000000000873000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Internet Security.vbs	74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

insecure.exe

description pid process target process

PID 3784 set thread context of 4684 3784 insecure.exe insecure.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3784 set thread context of 4684	3784	insecure.exe	insecure.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

insecure.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4684	insecure.exe
Token: SeSecurityPrivilege	4684	insecure.exe
Token: SeTakeOwnershipPrivilege	4684	insecure.exe
Token: SeLoadDriverPrivilege	4684	insecure.exe
Token: SeSystemProfilePrivilege	4684	insecure.exe
Token: SeSystemtimePrivilege	4684	insecure.exe
Token: SeProfSingleProcessPrivilege	4684	insecure.exe
Token: SeIncBasePriorityPrivilege	4684	insecure.exe
Token: SeCreatePagefilePrivilege	4684	insecure.exe
Token: SeBackupPrivilege	4684	insecure.exe
Token: SeRestorePrivilege	4684	insecure.exe
Token: SeShutdownPrivilege	4684	insecure.exe
Token: SeDebugPrivilege	4684	insecure.exe
Token: SeSystemEnvironmentPrivilege	4684	insecure.exe
Token: SeChangeNotifyPrivilege	4684	insecure.exe
Token: SeRemoteShutdownPrivilege	4684	insecure.exe
Token: SeUndockPrivilege	4684	insecure.exe
Token: SeManageVolumePrivilege	4684	insecure.exe
Token: SeImpersonatePrivilege	4684	insecure.exe
Token: SeCreateGlobalPrivilege	4684	insecure.exe
Token: 33	4684	insecure.exe
Token: 34	4684	insecure.exe
Token: 35	4684	insecure.exe
Token: 36	4684	insecure.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

insecure.exe

pid process

4684 insecure.exe

pid	process
4684	insecure.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exeinsecure.exe

description	pid	process	target process
PID 5008 wrote to memory of 3784	5008	74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe	insecure.exe
PID 5008 wrote to memory of 3784	5008	74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe	insecure.exe
PID 5008 wrote to memory of 3784	5008	74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe	insecure.exe
PID 3784 wrote to memory of 4684	3784	insecure.exe	insecure.exe
PID 3784 wrote to memory of 4684	3784	insecure.exe	insecure.exe
PID 3784 wrote to memory of 4684	3784	insecure.exe	insecure.exe
PID 3784 wrote to memory of 4684	3784	insecure.exe	insecure.exe
PID 3784 wrote to memory of 4684	3784	insecure.exe	insecure.exe
PID 3784 wrote to memory of 4684	3784	insecure.exe	insecure.exe
PID 3784 wrote to memory of 4684	3784	insecure.exe	insecure.exe
PID 3784 wrote to memory of 4684	3784	insecure.exe	insecure.exe
PID 3784 wrote to memory of 4684	3784	insecure.exe	insecure.exe
PID 3784 wrote to memory of 4684	3784	insecure.exe	insecure.exe
PID 3784 wrote to memory of 4684	3784	insecure.exe	insecure.exe
PID 3784 wrote to memory of 4684	3784	insecure.exe	insecure.exe
PID 3784 wrote to memory of 4684	3784	insecure.exe	insecure.exe
PID 3784 wrote to memory of 4684	3784	insecure.exe	insecure.exe

C:\Users\Admin\AppData\Local\Temp\74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe
"C:\Users\Admin\AppData\Local\Temp\74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:5008

C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe
"C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3784

C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe
"C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe
Filesize
1.4MB

MD5
57c70ac8a46540077bc85eb33ffceea4

SHA1
1eee0eac9cd92889c2e2485fc3930251024dca3a

SHA256
74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d

SHA512
8ea27a248fcb878dece1ca23f79e244e8cdb7337f3186f3c922193cacba9910f8a3ff49bfe4f13941d7d286d464e54f229408b84f816c30df8579d4387faca86

Download Submit
C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe
Filesize
1.4MB

MD5
57c70ac8a46540077bc85eb33ffceea4

SHA1
1eee0eac9cd92889c2e2485fc3930251024dca3a

SHA256
74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d

SHA512
8ea27a248fcb878dece1ca23f79e244e8cdb7337f3186f3c922193cacba9910f8a3ff49bfe4f13941d7d286d464e54f229408b84f816c30df8579d4387faca86

Download Submit
C:\Users\Admin\AppData\Roaming\Internet Security\insecure.exe
Filesize
1.4MB

MD5
57c70ac8a46540077bc85eb33ffceea4

SHA1
1eee0eac9cd92889c2e2485fc3930251024dca3a

SHA256
74a02200862782e88cccfbfa4a9accb9c6f963036471587d36748dea1cf2993d

SHA512
8ea27a248fcb878dece1ca23f79e244e8cdb7337f3186f3c922193cacba9910f8a3ff49bfe4f13941d7d286d464e54f229408b84f816c30df8579d4387faca86

Download Submit
memory/3784-138-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/3784-134-0x0000000000000000-mapping.dmp

Download
memory/3784-139-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/3784-144-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4684-140-0x0000000000000000-mapping.dmp

Download
memory/4684-141-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4684-143-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4684-145-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4684-146-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5008-137-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/5008-132-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/5008-133-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads