darkcomet | 3bcfefd9098c6525ac995ca0ddb2b08edfb90a8005f38faa2db3caadcd1e8b19

General

Target

3bcfefd9098c6525ac995ca0ddb2b08edfb90a8005f38faa2db3caadcd1e8b19.exe
Size

1.2MB
MD5

3f125b54046ba17396564b31e80eda49
SHA1

2b975d773ebbe754aab18cc6dd0645246cb7d0f4
SHA256

3bcfefd9098c6525ac995ca0ddb2b08edfb90a8005f38faa2db3caadcd1e8b19
SHA512

a2caf1b0da2aa9c0c4a78ac7eca055d109fff05a397123ea5542cfcbf07efb9a1fde831f419ea4759d81b2b56d39b61848ea76ccd6947f5e10ff0d79a662772b
SSDEEP

12288:fbnrIyCRcB5CdGqK1QLmgWCnR1vbt9qJnUW1+zvSWulr3J2H7BUkwMVbC3dP:XIB3KgWqPjCiaWuFcH7Bj23dP

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

ZZ12SADH82GG6SDGZZ12SADH82GG6SDG

pid process

596 ZZ12SADH82GG6SDG
516 ZZ12SADH82GG6SDG

pid	process
596	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG

Drops startup file 1 IoCs

Processes:

3bcfefd9098c6525ac995ca0ddb2b08edfb90a8005f38faa2db3caadcd1e8b19.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZZ8209982739018.vbs	3bcfefd9098c6525ac995ca0ddb2b08edfb90a8005f38faa2db3caadcd1e8b19.exe

Loads dropped DLL 1 IoCs

Processes:

3bcfefd9098c6525ac995ca0ddb2b08edfb90a8005f38faa2db3caadcd1e8b19.exe

pid process

1628 3bcfefd9098c6525ac995ca0ddb2b08edfb90a8005f38faa2db3caadcd1e8b19.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ZZ12SADH82GG6SDG

description pid process target process

PID 596 set thread context of 1340 596 ZZ12SADH82GG6SDG iexplore.exe

pid	process
1628	3bcfefd9098c6525ac995ca0ddb2b08edfb90a8005f38faa2db3caadcd1e8b19.exe

description	pid	process	target process
PID 596 set thread context of 1340	596	ZZ12SADH82GG6SDG	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ZZ12SADH82GG6SDG

pid	process
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG
516	ZZ12SADH82GG6SDG

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

iexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1340	iexplore.exe
Token: SeSecurityPrivilege	1340	iexplore.exe
Token: SeTakeOwnershipPrivilege	1340	iexplore.exe
Token: SeLoadDriverPrivilege	1340	iexplore.exe
Token: SeSystemProfilePrivilege	1340	iexplore.exe
Token: SeSystemtimePrivilege	1340	iexplore.exe
Token: SeProfSingleProcessPrivilege	1340	iexplore.exe
Token: SeIncBasePriorityPrivilege	1340	iexplore.exe
Token: SeCreatePagefilePrivilege	1340	iexplore.exe
Token: SeBackupPrivilege	1340	iexplore.exe
Token: SeRestorePrivilege	1340	iexplore.exe
Token: SeShutdownPrivilege	1340	iexplore.exe
Token: SeDebugPrivilege	1340	iexplore.exe
Token: SeSystemEnvironmentPrivilege	1340	iexplore.exe
Token: SeChangeNotifyPrivilege	1340	iexplore.exe
Token: SeRemoteShutdownPrivilege	1340	iexplore.exe
Token: SeUndockPrivilege	1340	iexplore.exe
Token: SeManageVolumePrivilege	1340	iexplore.exe
Token: SeImpersonatePrivilege	1340	iexplore.exe
Token: SeCreateGlobalPrivilege	1340	iexplore.exe
Token: 33	1340	iexplore.exe
Token: 34	1340	iexplore.exe
Token: 35	1340	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

1340 iexplore.exe

pid	process
1340	iexplore.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

3bcfefd9098c6525ac995ca0ddb2b08edfb90a8005f38faa2db3caadcd1e8b19.exeZZ12SADH82GG6SDG

description	pid	process	target process
PID 1628 wrote to memory of 596	1628	3bcfefd9098c6525ac995ca0ddb2b08edfb90a8005f38faa2db3caadcd1e8b19.exe	ZZ12SADH82GG6SDG
PID 1628 wrote to memory of 596	1628	3bcfefd9098c6525ac995ca0ddb2b08edfb90a8005f38faa2db3caadcd1e8b19.exe	ZZ12SADH82GG6SDG
PID 1628 wrote to memory of 596	1628	3bcfefd9098c6525ac995ca0ddb2b08edfb90a8005f38faa2db3caadcd1e8b19.exe	ZZ12SADH82GG6SDG
PID 1628 wrote to memory of 596	1628	3bcfefd9098c6525ac995ca0ddb2b08edfb90a8005f38faa2db3caadcd1e8b19.exe	ZZ12SADH82GG6SDG
PID 596 wrote to memory of 1340	596	ZZ12SADH82GG6SDG	iexplore.exe
PID 596 wrote to memory of 1340	596	ZZ12SADH82GG6SDG	iexplore.exe
PID 596 wrote to memory of 1340	596	ZZ12SADH82GG6SDG	iexplore.exe
PID 596 wrote to memory of 1340	596	ZZ12SADH82GG6SDG	iexplore.exe
PID 596 wrote to memory of 1340	596	ZZ12SADH82GG6SDG	iexplore.exe
PID 596 wrote to memory of 1340	596	ZZ12SADH82GG6SDG	iexplore.exe
PID 596 wrote to memory of 1340	596	ZZ12SADH82GG6SDG	iexplore.exe
PID 596 wrote to memory of 1340	596	ZZ12SADH82GG6SDG	iexplore.exe
PID 596 wrote to memory of 1340	596	ZZ12SADH82GG6SDG	iexplore.exe
PID 596 wrote to memory of 1340	596	ZZ12SADH82GG6SDG	iexplore.exe
PID 596 wrote to memory of 1340	596	ZZ12SADH82GG6SDG	iexplore.exe
PID 596 wrote to memory of 1340	596	ZZ12SADH82GG6SDG	iexplore.exe
PID 596 wrote to memory of 1340	596	ZZ12SADH82GG6SDG	iexplore.exe
PID 596 wrote to memory of 516	596	ZZ12SADH82GG6SDG	ZZ12SADH82GG6SDG
PID 596 wrote to memory of 516	596	ZZ12SADH82GG6SDG	ZZ12SADH82GG6SDG
PID 596 wrote to memory of 516	596	ZZ12SADH82GG6SDG	ZZ12SADH82GG6SDG
PID 596 wrote to memory of 516	596	ZZ12SADH82GG6SDG	ZZ12SADH82GG6SDG

C:\Users\Admin\AppData\Local\Temp\3bcfefd9098c6525ac995ca0ddb2b08edfb90a8005f38faa2db3caadcd1e8b19.exe
"C:\Users\Admin\AppData\Local\Temp\3bcfefd9098c6525ac995ca0ddb2b08edfb90a8005f38faa2db3caadcd1e8b19.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Roaming\ZZ12SADH82GG6SDG
"C:\Users\Admin\AppData\Roaming\ZZ12SADH82GG6SDG"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:596

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1340

C:\Users\Admin\AppData\Roaming\ZZ12SADH82GG6SDG
"C:\Users\Admin\AppData\Roaming\ZZ12SADH82GG6SDG" P2R8I8T AMVMJTJPD 1340
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ZZ12SADH82GG6SDG

Filesize
1.2MB

MD5
3f125b54046ba17396564b31e80eda49

SHA1
2b975d773ebbe754aab18cc6dd0645246cb7d0f4

SHA256
3bcfefd9098c6525ac995ca0ddb2b08edfb90a8005f38faa2db3caadcd1e8b19

SHA512
a2caf1b0da2aa9c0c4a78ac7eca055d109fff05a397123ea5542cfcbf07efb9a1fde831f419ea4759d81b2b56d39b61848ea76ccd6947f5e10ff0d79a662772b

Download Submit
C:\Users\Admin\AppData\Roaming\ZZ12SADH82GG6SDG

Filesize
1.2MB

MD5
3f125b54046ba17396564b31e80eda49

SHA1
2b975d773ebbe754aab18cc6dd0645246cb7d0f4

SHA256
3bcfefd9098c6525ac995ca0ddb2b08edfb90a8005f38faa2db3caadcd1e8b19

SHA512
a2caf1b0da2aa9c0c4a78ac7eca055d109fff05a397123ea5542cfcbf07efb9a1fde831f419ea4759d81b2b56d39b61848ea76ccd6947f5e10ff0d79a662772b

Download Submit
\Users\Admin\AppData\Roaming\ZZ12SADH82GG6SDG

Filesize
1.2MB

MD5
3f125b54046ba17396564b31e80eda49

SHA1
2b975d773ebbe754aab18cc6dd0645246cb7d0f4

SHA256
3bcfefd9098c6525ac995ca0ddb2b08edfb90a8005f38faa2db3caadcd1e8b19

SHA512
a2caf1b0da2aa9c0c4a78ac7eca055d109fff05a397123ea5542cfcbf07efb9a1fde831f419ea4759d81b2b56d39b61848ea76ccd6947f5e10ff0d79a662772b

Download Submit
memory/516-59-0x0000000000000000-mapping.dmp

Download
memory/596-56-0x0000000000000000-mapping.dmp

Download
memory/1628-54-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads