Analysis

  • max time kernel
    151s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2022 07:26

General

  • Target

    94083535c21ab05d2f041cf7b99da107adb38c8a871163305f4027ebf389c686.exe

  • Size

    873KB

  • MD5

    30579e0d9d850264acc6019518fcd1a8

  • SHA1

    4b978cdfbe709286814040d65b757db967d3897a

  • SHA256

    94083535c21ab05d2f041cf7b99da107adb38c8a871163305f4027ebf389c686

  • SHA512

    44a3bdf0c26e727b96a88e9d35616a5b6efabdd228c590fed2107dbdac02cfc47b9722bae805cc3fef863913b0e18b34e02e3d6837cbd9ca9fd84aa08ed7eff3

  • SSDEEP

    12288:2GopSuXh1gducHobZ5TTXraU4RFH4nQFAvQsg1W98a/Xcg5P0wf7:2x7baPF6QFAvSW986j007

Malware Config

Extracted

  • Family
    darkcomet
  • Botnet
    Guest16
  • C2
    kelvindrk.no-ip.biz:1008
  • Mutex
    DC_MUTEX-DXAW4U7

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    B7nmveDZ5jn1

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94083535c21ab05d2f041cf7b99da107adb38c8a871163305f4027ebf389c686.exe
    "C:\Users\Admin\AppData\Local\Temp\94083535c21ab05d2f041cf7b99da107adb38c8a871163305f4027ebf389c686.exe"
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Users\Admin\AppData\Local\Temp\94083535c21ab05d2f041cf7b99da107adb38c8a871163305f4027ebf389c686.exe
      "C:\Users\Admin\AppData\Local\Temp\94083535c21ab05d2f041cf7b99da107adb38c8a871163305f4027ebf389c686.exe"
      PID:4808
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 520
        • Program crash
        PID:4480
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4808 -ip 4808
    PID:740


Downloads

  • memory/812-132-0x0000000074C70000-0x0000000075221000-memory.dmp
    Filesize 5.7MB
  • memory/812-133-0x0000000074C70000-0x0000000075221000-memory.dmp
    Filesize 5.7MB
  • memory/812-139-0x0000000074C70000-0x0000000075221000-memory.dmp
    Filesize 5.7MB
  • memory/4808-134-0x0000000000000000-mapping.dmp
  • memory/4808-136-0x0000000000800000-0x00000000008B2000-memory.dmp
    Filesize 712KB
  • memory/4808-142-0x0000000000800000-0x00000000008B2000-memory.dmp
    Filesize 712KB
  • memory/4808-147-0x0000000000800000-0x00000000008B2000-memory.dmp
    Filesize 712KB
  • memory/4808-148-0x0000000000800000-0x00000000008B2000-memory.dmp
    Filesize 712KB