darkcomet | e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01

General

Target

e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
Size

1.4MB
MD5

6c6c16697a1a4163f878854d813e2481
SHA1

3cfaf6af2b24dcc8f960163e31d9e4b8299774d6
SHA256

e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01
SHA512

42780b13a478a4b6d62495923fcfcbcab12390b2e3f263c3a2b7382695592f1c807c61d886686a25fb30ea2ab3721ca2dbb988fa71bbdcde4df6b15f57afe69a
SSDEEP

24576:eRmJkcoQricOIQxiZY1iaYU9U2A5kbcUFBO4g262ylRoYo9E:LJZoQrbTFZY1iaR9U26GcUk262h8

Score

10^/10

darkcomet guest rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest

C2

dutchrape.ddns.net:25489

Mutex

DC_MUTEX-4BJ94T2

Attributes

gencode
1hayM07mrFRJ
install
false
offline_keylogger
true
password
password9356
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1104-59-0x0000000000400000-0x0000000000498000-memory.dmp	upx
behavioral1/memory/1104-61-0x0000000000400000-0x0000000000498000-memory.dmp	upx
behavioral1/memory/1104-62-0x0000000000400000-0x0000000000498000-memory.dmp	upx
behavioral1/memory/1104-65-0x0000000000400000-0x0000000000498000-memory.dmp	upx
behavioral1/memory/1104-66-0x0000000000400000-0x0000000000498000-memory.dmp	upx
behavioral1/memory/1104-69-0x0000000000400000-0x0000000000498000-memory.dmp	upx
behavioral1/memory/1348-71-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1348-73-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1348-76-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1348-74-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1348-78-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1348-79-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1348-80-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1104-83-0x0000000000400000-0x0000000000498000-memory.dmp	upx
behavioral1/memory/1348-84-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exesvchost.exe

description	pid	process	target process
PID 1352 set thread context of 1104	1352	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	svchost.exe
PID 1104 set thread context of 1348	1104	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exesvchost.exe

pid	process
1352	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
1104	svchost.exe
1104	svchost.exe
1104	svchost.exe
1104	svchost.exe
1104	svchost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1348	svchost.exe
Token: SeSecurityPrivilege	1348	svchost.exe
Token: SeTakeOwnershipPrivilege	1348	svchost.exe
Token: SeLoadDriverPrivilege	1348	svchost.exe
Token: SeSystemProfilePrivilege	1348	svchost.exe
Token: SeSystemtimePrivilege	1348	svchost.exe
Token: SeProfSingleProcessPrivilege	1348	svchost.exe
Token: SeIncBasePriorityPrivilege	1348	svchost.exe
Token: SeCreatePagefilePrivilege	1348	svchost.exe
Token: SeBackupPrivilege	1348	svchost.exe
Token: SeRestorePrivilege	1348	svchost.exe
Token: SeShutdownPrivilege	1348	svchost.exe
Token: SeDebugPrivilege	1348	svchost.exe
Token: SeSystemEnvironmentPrivilege	1348	svchost.exe
Token: SeChangeNotifyPrivilege	1348	svchost.exe
Token: SeRemoteShutdownPrivilege	1348	svchost.exe
Token: SeUndockPrivilege	1348	svchost.exe
Token: SeManageVolumePrivilege	1348	svchost.exe
Token: SeImpersonatePrivilege	1348	svchost.exe
Token: SeCreateGlobalPrivilege	1348	svchost.exe
Token: 33	1348	svchost.exe
Token: 34	1348	svchost.exe
Token: 35	1348	svchost.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exee23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe

pid	process
344	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
344	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
344	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
1352	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
1352	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
1352	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exee23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe

pid	process
344	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
344	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
344	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
1352	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
1352	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
1352	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

1104 svchost.exe
1348 svchost.exe

pid	process
1104	svchost.exe
1348	svchost.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exee23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exesvchost.exesvchost.exe

description	pid	process	target process
PID 344 wrote to memory of 1352	344	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
PID 344 wrote to memory of 1352	344	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
PID 344 wrote to memory of 1352	344	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
PID 344 wrote to memory of 1352	344	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
PID 1352 wrote to memory of 1104	1352	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	svchost.exe
PID 1352 wrote to memory of 1104	1352	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	svchost.exe
PID 1352 wrote to memory of 1104	1352	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	svchost.exe
PID 1352 wrote to memory of 1104	1352	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	svchost.exe
PID 1352 wrote to memory of 1104	1352	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	svchost.exe
PID 1352 wrote to memory of 1104	1352	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	svchost.exe
PID 1352 wrote to memory of 1104	1352	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	svchost.exe
PID 1352 wrote to memory of 1104	1352	e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe	svchost.exe
PID 1104 wrote to memory of 1348	1104	svchost.exe	svchost.exe
PID 1104 wrote to memory of 1348	1104	svchost.exe	svchost.exe
PID 1104 wrote to memory of 1348	1104	svchost.exe	svchost.exe
PID 1104 wrote to memory of 1348	1104	svchost.exe	svchost.exe
PID 1104 wrote to memory of 1348	1104	svchost.exe	svchost.exe
PID 1104 wrote to memory of 1348	1104	svchost.exe	svchost.exe
PID 1104 wrote to memory of 1348	1104	svchost.exe	svchost.exe
PID 1104 wrote to memory of 1348	1104	svchost.exe	svchost.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe
PID 1348 wrote to memory of 1912	1348	svchost.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
"C:\Users\Admin\AppData\Local\Temp\e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:344

C:\Users\Admin\AppData\Local\Temp\e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe
C:\Users\Admin\AppData\Local\Temp\e23631c3ebc6ed8f16449ad86a485f769cd8b4da96c857c9e59121f9ac4c4c01.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\test.a3x"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1352

\??\c:\windows\SysWOW64\svchost.exe
"c:\windows\system32\svchost.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.a3x
Filesize
484KB

MD5
ec29165f4264777325a3ff2916356fc1

SHA1
b0eea8a09b47ee5401b5622b28d96ca88c7a1d04

SHA256
b92b1bd53e3feb88f852d8c43eca5147ef90baee939c1da20dd576f4844b595c

SHA512
4187121b736be8f644f3ad3a1b12ada0e26f551e6e5b847e6b2793e525d3aeaa0c918feb0a970b596b6835ecee7c05ce4354df110934e8cf8f719a9d08034704

Download Submit
memory/344-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1104-69-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1104-58-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1104-59-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1104-61-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1104-62-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1104-63-0x0000000000496A10-mapping.dmp

Download
memory/1104-65-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1104-66-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1104-83-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1348-73-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1348-71-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1348-70-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1348-75-0x00000000004B5050-mapping.dmp

Download
memory/1348-76-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1348-74-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1348-78-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1348-79-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1348-80-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1348-84-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1352-55-0x0000000000000000-mapping.dmp

Download
memory/1912-81-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads