darkcomet | b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179

General

Target

b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
Size

480KB
MD5

3c7e0a467e0f70f2296f5f866adf5093
SHA1

36531907e9a331226cd754dfd5fca79f5d3a0b25
SHA256

b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179
SHA512

9ebb345fefe55e59ef77749c9b79a9b3e2e7a63360fc5cc884b0e39434926e787052a8c8f3e1f4b7f3835d7db6112f4b487cf3a917329a1fa1d567a09b8429f4
SSDEEP

12288:bgAEHD+lRMtTgVRXlzoFYaGOxutLyM4hYpPg3e:8j+4BgVRl0Fl6I

Score

10^/10

darkcomet guest16_min persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

DarkxStormZz.mooo.com:1604

Mutex

DCMIN_MUTEX-5LQ7BM8

Attributes

gencode
pszLU1UQLQm4
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\CyberGhost 5 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe"	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe

description	pid	process	target process
PID 2020 set thread context of 864	2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe

pid	process
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exenotepad.exe

description	pid	process
Token: SeDebugPrivilege	2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
Token: SeIncreaseQuotaPrivilege	864	notepad.exe
Token: SeSecurityPrivilege	864	notepad.exe
Token: SeTakeOwnershipPrivilege	864	notepad.exe
Token: SeLoadDriverPrivilege	864	notepad.exe
Token: SeSystemProfilePrivilege	864	notepad.exe
Token: SeSystemtimePrivilege	864	notepad.exe
Token: SeProfSingleProcessPrivilege	864	notepad.exe
Token: SeIncBasePriorityPrivilege	864	notepad.exe
Token: SeCreatePagefilePrivilege	864	notepad.exe
Token: SeBackupPrivilege	864	notepad.exe
Token: SeRestorePrivilege	864	notepad.exe
Token: SeShutdownPrivilege	864	notepad.exe
Token: SeDebugPrivilege	864	notepad.exe
Token: SeSystemEnvironmentPrivilege	864	notepad.exe
Token: SeChangeNotifyPrivilege	864	notepad.exe
Token: SeRemoteShutdownPrivilege	864	notepad.exe
Token: SeUndockPrivilege	864	notepad.exe
Token: SeManageVolumePrivilege	864	notepad.exe
Token: SeImpersonatePrivilege	864	notepad.exe
Token: SeCreateGlobalPrivilege	864	notepad.exe
Token: 33	864	notepad.exe
Token: 34	864	notepad.exe
Token: 35	864	notepad.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

notepad.exe

pid process

864 notepad.exe

pid	process
864	notepad.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe

description	pid	process	target process
PID 2020 wrote to memory of 864	2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe	notepad.exe
PID 2020 wrote to memory of 864	2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe	notepad.exe
PID 2020 wrote to memory of 864	2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe	notepad.exe
PID 2020 wrote to memory of 864	2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe	notepad.exe
PID 2020 wrote to memory of 864	2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe	notepad.exe
PID 2020 wrote to memory of 864	2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe	notepad.exe
PID 2020 wrote to memory of 864	2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe	notepad.exe
PID 2020 wrote to memory of 864	2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe	notepad.exe
PID 2020 wrote to memory of 864	2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe	notepad.exe
PID 2020 wrote to memory of 864	2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe	notepad.exe
PID 2020 wrote to memory of 864	2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe	notepad.exe
PID 2020 wrote to memory of 864	2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe	notepad.exe
PID 2020 wrote to memory of 864	2020	b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe
"C:\Users\Admin\AppData\Local\Temp\b9220af32c1f120b9ef5ff1ef00f215ad5548546f0ff883b7e184e3fa4dc3179.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/864-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/864-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/864-77-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/864-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/864-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/864-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/864-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/864-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/864-76-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/864-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/864-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/864-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/864-72-0x000000000048F888-mapping.dmp

Download
memory/864-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2020-55-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2020-56-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2020-54-0x0000000076691000-0x0000000076693000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads