darkcomet | bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525

General

Target

bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe
Size

711KB
MD5

6b89debe6b4f77575ed13573d151c8a0
SHA1

ae98f7b6189fe696e54d37632b295cd97b22a159
SHA256

bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525
SHA512

0cc696f46609ff783c5ace576c8578388fe210ef02eb6445af99fb8a91e1894d6ae30485410eeac5127850a17c6724551c2922b18bacb3e4904c3f1a16c7b615
SSDEEP

12288:y3JoPm2Sz76s6ofzHyost1YXGpD/Mrph6diC8JiGKaYjWbV8rqjy:y3JovSz2GrHyBQGF/Mrph6diC8JiCirT

Score

10^/10

darkcomet guest16 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

cheesium.no-ip.biz:200

Mutex

DC_MUTEX-YEDPAUH

Attributes

gencode
v27eZqvuiVP7
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1900 set thread context of 984	1900	bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1900	bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe
Token: SeIncreaseQuotaPrivilege	984	cvtres.exe
Token: SeSecurityPrivilege	984	cvtres.exe
Token: SeTakeOwnershipPrivilege	984	cvtres.exe
Token: SeLoadDriverPrivilege	984	cvtres.exe
Token: SeSystemProfilePrivilege	984	cvtres.exe
Token: SeSystemtimePrivilege	984	cvtres.exe
Token: SeProfSingleProcessPrivilege	984	cvtres.exe
Token: SeIncBasePriorityPrivilege	984	cvtres.exe
Token: SeCreatePagefilePrivilege	984	cvtres.exe
Token: SeBackupPrivilege	984	cvtres.exe
Token: SeRestorePrivilege	984	cvtres.exe
Token: SeShutdownPrivilege	984	cvtres.exe
Token: SeDebugPrivilege	984	cvtres.exe
Token: SeSystemEnvironmentPrivilege	984	cvtres.exe
Token: SeChangeNotifyPrivilege	984	cvtres.exe
Token: SeRemoteShutdownPrivilege	984	cvtres.exe
Token: SeUndockPrivilege	984	cvtres.exe
Token: SeManageVolumePrivilege	984	cvtres.exe
Token: SeImpersonatePrivilege	984	cvtres.exe
Token: SeCreateGlobalPrivilege	984	cvtres.exe
Token: 33	984	cvtres.exe
Token: 34	984	cvtres.exe
Token: 35	984	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
984	cvtres.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 984	1900	bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe	27
PID 1900 wrote to memory of 984	1900	bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe	27
PID 1900 wrote to memory of 984	1900	bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe	27
PID 1900 wrote to memory of 984	1900	bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe	27
PID 1900 wrote to memory of 984	1900	bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe	27
PID 1900 wrote to memory of 984	1900	bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe	27
PID 1900 wrote to memory of 984	1900	bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe	27
PID 1900 wrote to memory of 984	1900	bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe	27
PID 1900 wrote to memory of 984	1900	bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe	27
PID 1900 wrote to memory of 984	1900	bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe	27
PID 1900 wrote to memory of 984	1900	bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe	27
PID 1900 wrote to memory of 984	1900	bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe	27
PID 1900 wrote to memory of 984	1900	bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe	27
PID 1900 wrote to memory of 984	1900	bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe	27
PID 1900 wrote to memory of 984	1900	bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe	27

C:\Users\Admin\AppData\Local\Temp\bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe
"C:\Users\Admin\AppData\Local\Temp\bd47896918f2cfc0d50de285a98f22ec4069a6c259dc24843d9c167853c3d525.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/984-56-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/984-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/984-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/984-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/984-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1900-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1900-55-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download
memory/1900-61-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing