darkcomet | f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01

General

Target

f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe
Size

463KB
MD5

32d6ee67d7d73a8a47022dab10e4216d
SHA1

27e83c7c0a634f546c978272b57eda2d203c9eb5
SHA256

f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01
SHA512

d29add42c7cca752651a51e0e8fb3d1129680217a034beed644e67ba30bf62e1e944d473a861adddb29499b945fef373d4d972cc381622596b7444819ae13e82
SSDEEP

12288:6mQvKAimrC+QrxKgeuDwOVC2rbmEqhlLhtQCs6F9DQq/omI:6Fv0mrC+QrxGh+C2rbFq7htQC3

Score

10^/10

darkcomet normal rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Normal

C2

loageht.no-ip.biz:200

Mutex

DC_MUTEX-XH7AAPW

Attributes

gencode
YaMcdkD8D9U1
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Suspicious use of SetThreadContext 1 IoCs

Processes:

f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe

description	pid	process	target process
PID 1632 set thread context of 2040	1632	f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe	svchost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1632	f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe
Token: SeIncreaseQuotaPrivilege	2040	svchost.exe
Token: SeSecurityPrivilege	2040	svchost.exe
Token: SeTakeOwnershipPrivilege	2040	svchost.exe
Token: SeLoadDriverPrivilege	2040	svchost.exe
Token: SeSystemProfilePrivilege	2040	svchost.exe
Token: SeSystemtimePrivilege	2040	svchost.exe
Token: SeProfSingleProcessPrivilege	2040	svchost.exe
Token: SeIncBasePriorityPrivilege	2040	svchost.exe
Token: SeCreatePagefilePrivilege	2040	svchost.exe
Token: SeBackupPrivilege	2040	svchost.exe
Token: SeRestorePrivilege	2040	svchost.exe
Token: SeShutdownPrivilege	2040	svchost.exe
Token: SeDebugPrivilege	2040	svchost.exe
Token: SeSystemEnvironmentPrivilege	2040	svchost.exe
Token: SeChangeNotifyPrivilege	2040	svchost.exe
Token: SeRemoteShutdownPrivilege	2040	svchost.exe
Token: SeUndockPrivilege	2040	svchost.exe
Token: SeManageVolumePrivilege	2040	svchost.exe
Token: SeImpersonatePrivilege	2040	svchost.exe
Token: SeCreateGlobalPrivilege	2040	svchost.exe
Token: 33	2040	svchost.exe
Token: 34	2040	svchost.exe
Token: 35	2040	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

2040 svchost.exe

pid	process
2040	svchost.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe

description	pid	process	target process
PID 1632 wrote to memory of 1264	1632	f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe	CMD.exe
PID 1632 wrote to memory of 1264	1632	f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe	CMD.exe
PID 1632 wrote to memory of 1264	1632	f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe	CMD.exe
PID 1632 wrote to memory of 1264	1632	f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe	CMD.exe
PID 1632 wrote to memory of 2040	1632	f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe	svchost.exe
PID 1632 wrote to memory of 2040	1632	f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe	svchost.exe
PID 1632 wrote to memory of 2040	1632	f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe	svchost.exe
PID 1632 wrote to memory of 2040	1632	f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe	svchost.exe
PID 1632 wrote to memory of 2040	1632	f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe	svchost.exe
PID 1632 wrote to memory of 2040	1632	f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe	svchost.exe
PID 1632 wrote to memory of 2040	1632	f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe	svchost.exe
PID 1632 wrote to memory of 2040	1632	f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe	svchost.exe
PID 1632 wrote to memory of 2040	1632	f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe	svchost.exe
PID 1632 wrote to memory of 2040	1632	f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe	svchost.exe
PID 1632 wrote to memory of 2040	1632	f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe	svchost.exe
PID 1632 wrote to memory of 2040	1632	f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe	svchost.exe
PID 1632 wrote to memory of 2040	1632	f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe
"C:\Users\Admin\AppData\Local\Temp\f2a68c4b25c8c6f2533ec838f0a0a754a6053fcbee60442559fed5d8e315ce01.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\CMD.exe
  "CMD"
  2⤵
  PID:1264
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1264-55-0x0000000000000000-mapping.dmp

Download
memory/1632-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1632-77-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download
memory/1632-74-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2040-61-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2040-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2040-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2040-59-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2040-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2040-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2040-71-0x000000000048F888-mapping.dmp

Download
memory/2040-72-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2040-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2040-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2040-76-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2040-56-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads