darkcomet | 658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5

General

Target

658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Size

864KB
MD5

3b20b8c293a77a58aa06f676f8a1e740
SHA1

fd3ba3d772d9825a5a46b7b1f972c622cc6e6295
SHA256

658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5
SHA512

6e2c33a3ae75250769e3d072bcc582f7e42ffea38052a34491373f688d3a50c0fa79027228349ac5d6f29880127a498aca769d557b7e639bb8ff78434439a594
SSDEEP

24576:JBUoLflHL2FdOSKep/Ma0uKiyQLYtLQ01/zm5k9F:JBUoLflHkxp6uH1A5rF

Score

10^/10

darkcomet deneme rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

deneme

C2

127.0.0.1:81

Mutex

DC_MUTEX-8VSVPEU

Attributes

gencode
3Yf7trdBihw9
install
false
offline_keylogger
true
password
302010905
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4892	4032	WerFault.exe	80

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4868 set thread context of 4300	4868	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	79
PID 4300 set thread context of 4032	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	80

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4868	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
4868	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: SeSecurityPrivilege	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: SeTakeOwnershipPrivilege	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: SeLoadDriverPrivilege	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: SeSystemProfilePrivilege	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: SeSystemtimePrivilege	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: SeProfSingleProcessPrivilege	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: SeIncBasePriorityPrivilege	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: SeCreatePagefilePrivilege	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: SeBackupPrivilege	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: SeRestorePrivilege	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: SeShutdownPrivilege	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: SeDebugPrivilege	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: SeSystemEnvironmentPrivilege	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: SeChangeNotifyPrivilege	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: SeRemoteShutdownPrivilege	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: SeUndockPrivilege	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: SeManageVolumePrivilege	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: SeImpersonatePrivilege	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: SeCreateGlobalPrivilege	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: 33	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: 34	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: 35	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
Token: 36	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 4300	4868	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	79
PID 4868 wrote to memory of 4300	4868	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	79
PID 4868 wrote to memory of 4300	4868	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	79
PID 4868 wrote to memory of 4300	4868	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	79
PID 4868 wrote to memory of 4300	4868	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	79
PID 4868 wrote to memory of 4300	4868	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	79
PID 4868 wrote to memory of 4300	4868	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	79
PID 4868 wrote to memory of 4300	4868	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	79
PID 4868 wrote to memory of 4300	4868	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	79
PID 4868 wrote to memory of 4300	4868	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	79
PID 4868 wrote to memory of 4300	4868	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	79
PID 4868 wrote to memory of 4300	4868	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	79
PID 4868 wrote to memory of 4300	4868	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	79
PID 4868 wrote to memory of 4300	4868	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	79
PID 4300 wrote to memory of 4032	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	80
PID 4300 wrote to memory of 4032	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	80
PID 4300 wrote to memory of 4032	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	80
PID 4300 wrote to memory of 4032	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	80
PID 4300 wrote to memory of 4032	4300	658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe	80

C:\Users\Admin\AppData\Local\Temp\658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
"C:\Users\Admin\AppData\Local\Temp\658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Users\Admin\AppData\Local\Temp\658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
  C:\Users\Admin\AppData\Local\Temp\658defe9f2a25dc191a378e27f019fcf4da73d4cc3d8ab6767ab22f0a8a680b5.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Drops file in Program Files directory
    PID:4032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 272
      4⤵
      Program crash
      PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4032 -ip 4032
1⤵
PID:4916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4300-134-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4300-133-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4300-136-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4300-137-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4300-138-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4868-135-0x0000000000630000-0x0000000000634000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing