darkcomet | fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb

General

Target

fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Size

803KB
MD5

3a0639a82455512cc6b3e62de87f4731
SHA1

7f326297f899e97954953c779244bbbade00d6f4
SHA256

fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb
SHA512

47ec748a97461a263b4c677c620296616cac84fa51a0b0212102d4c7350bf9d339fdf7934fa46689fe52a6f0d731157536b6bb85ff3841c03c5b3b8798007779
SSDEEP

12288:d8pU57DxU2ku9aM96k+naM3BjuUfS0qAPEIMWDXhE9qGerhRatWu6:a25Jhkm9rnMgUK0qBIVVGeD9

Score

10^/10

darkcomet zombie persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Zombie

C2

jacksbotlist.zapto.org:1604

Mutex

DC_MUTEX-GB0F9SN

Attributes

gencode
oDRF7HD6Rs4F
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hosts = "C:\\Users\\Admin\\AppData\\Roaming\\hosts\\hosts.exe"	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe

description	pid	process	target process
PID 1584 set thread context of 956	1584	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: SeSecurityPrivilege	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: SeTakeOwnershipPrivilege	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: SeLoadDriverPrivilege	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: SeSystemProfilePrivilege	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: SeSystemtimePrivilege	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: SeProfSingleProcessPrivilege	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: SeIncBasePriorityPrivilege	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: SeCreatePagefilePrivilege	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: SeBackupPrivilege	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: SeRestorePrivilege	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: SeShutdownPrivilege	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: SeDebugPrivilege	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: SeSystemEnvironmentPrivilege	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: SeChangeNotifyPrivilege	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: SeRemoteShutdownPrivilege	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: SeUndockPrivilege	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: SeManageVolumePrivilege	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: SeImpersonatePrivilege	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: SeCreateGlobalPrivilege	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: 33	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: 34	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
Token: 35	956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe

pid process

956 fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe

pid	process
956	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe

description	pid	process	target process
PID 1584 wrote to memory of 956	1584	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
PID 1584 wrote to memory of 956	1584	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
PID 1584 wrote to memory of 956	1584	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
PID 1584 wrote to memory of 956	1584	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
PID 1584 wrote to memory of 956	1584	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
PID 1584 wrote to memory of 956	1584	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
PID 1584 wrote to memory of 956	1584	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
PID 1584 wrote to memory of 956	1584	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
PID 1584 wrote to memory of 956	1584	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
PID 1584 wrote to memory of 956	1584	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
PID 1584 wrote to memory of 956	1584	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
PID 1584 wrote to memory of 956	1584	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
PID 1584 wrote to memory of 956	1584	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe	fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe

C:\Users\Admin\AppData\Local\Temp\fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
"C:\Users\Admin\AppData\Local\Temp\fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe
"C:\Users\Admin\AppData\Local\Temp\fd42ca44c810ec12475aa748620dd57a0aa8565ffb27bfc01201032b0561eceb.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/956-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/956-56-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/956-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/956-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/956-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/956-61-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/956-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/956-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/956-78-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/956-76-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/956-59-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/956-71-0x000000000048F888-mapping.dmp

Download
memory/956-72-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/956-74-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1584-75-0x00000000007D6000-0x00000000007E7000-memory.dmp

Filesize
68KB

Download
memory/1584-55-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1584-77-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1584-54-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads