darkcomet | 522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a

General

Target

522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.exe
Size

699KB
MD5

1a91a89bfc87b526e69280abeb3e528e
SHA1

a0ef34b93142a4c02f9b8dab81fccd48b290211b
SHA256

522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a
SHA512

787c237f4ff7cdf5e48c4fd8800ebad33a0e0369819286cd285eb6facb78f29ec65295bcfbe3f8e9f5debae0ebcf1955fb0795e046760fceb47664cd04c01bf7
SSDEEP

12288:5gPNTrkQIgegZYsO165OOfYFc9koGg1+8faI+nQ+xtEBafb68xC1PA:5aNTQQIgeU3O1FOrGg1+AaIZkakz6n1I

Score

10^/10

darkcomet guest16_min rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

96.29.209.33:1604

Mutex

DCMIN_MUTEX-VG70KUE

Attributes

gencode
8teTVlZE6Lrc
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1768 set thread context of 1332	1768	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: SeSecurityPrivilege	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: SeTakeOwnershipPrivilege	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: SeLoadDriverPrivilege	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: SeSystemProfilePrivilege	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: SeSystemtimePrivilege	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: SeProfSingleProcessPrivilege	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: SeIncBasePriorityPrivilege	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: SeCreatePagefilePrivilege	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: SeBackupPrivilege	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: SeRestorePrivilege	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: SeShutdownPrivilege	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: SeDebugPrivilege	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: SeSystemEnvironmentPrivilege	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: SeChangeNotifyPrivilege	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: SeRemoteShutdownPrivilege	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: SeUndockPrivilege	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: SeManageVolumePrivilege	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: SeImpersonatePrivilege	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: SeCreateGlobalPrivilege	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: 33	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: 34	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
Token: 35	1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1768	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.exe
1332	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1332	1768	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.exe	27
PID 1768 wrote to memory of 1332	1768	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.exe	27
PID 1768 wrote to memory of 1332	1768	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.exe	27
PID 1768 wrote to memory of 1332	1768	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.exe	27
PID 1768 wrote to memory of 1332	1768	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.exe	27
PID 1768 wrote to memory of 1332	1768	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.exe	27
PID 1768 wrote to memory of 1332	1768	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.exe	27
PID 1768 wrote to memory of 1332	1768	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.exe	27
PID 1768 wrote to memory of 1332	1768	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.exe	27
PID 1768 wrote to memory of 1332	1768	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.exe	27
PID 1768 wrote to memory of 1332	1768	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.exe	27
PID 1768 wrote to memory of 1332	1768	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.exe	27
PID 1768 wrote to memory of 1332	1768	522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.exe	27

C:\Users\Admin\AppData\Local\Temp\522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.exe
"C:\Users\Admin\AppData\Local\Temp\522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE
  "C:\Users\Admin\AppData\Local\Temp\522f5a26d24f2aa64e7a6c0d0c437e89e6aa56e5d93d848ec95eb21fc406d59a.EXE"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1332-56-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1332-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1332-59-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1332-61-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1332-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1332-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1332-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1332-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1332-71-0x000000000048F888-mapping.dmp

Download
memory/1332-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1332-72-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1332-73-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1332-74-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1332-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing