darkcomet | aabe9a788e56f3d9b79c93989ed6bca0c0a3bf0cf00afdd4cb8bb9623ac8e318

General

Target

aabe9a788e56f3d9b79c93989ed6bca0c0a3bf0cf00afdd4cb8bb9623ac8e318.exe
Size

1000KB
MD5

ff45a87a948408437d7fb81c881fe0ff
SHA1

378fb8206420205e2059fe7f3bca8bb0c409c9af
SHA256

aabe9a788e56f3d9b79c93989ed6bca0c0a3bf0cf00afdd4cb8bb9623ac8e318
SHA512

877de2c53e041b6ac27d4eba2ba32a6214972d1ac958755f2032811a13489cc235b077257a76785039a0a3c1821473dc5a46ea820dae93396c2f45df2ec656aa
SSDEEP

24576:rOVW8UTztPnxfLDI52L9QbzpSFIXYN2nfiOng0+a8njwj:rmYtJf2blWJG9j

Score

10^/10

darkcomet guest16 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

oprecizion.no-ip.biz:1852

Mutex

DC_MUTEX-XTT89EM

Attributes

gencode
DkxMTkGP6J6a
install
false
offline_keylogger
true
password
bamboo
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1508 set thread context of 604	1508	aabe9a788e56f3d9b79c93989ed6bca0c0a3bf0cf00afdd4cb8bb9623ac8e318.exe	26

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	604	vbc.exe
Token: SeSecurityPrivilege	604	vbc.exe
Token: SeTakeOwnershipPrivilege	604	vbc.exe
Token: SeLoadDriverPrivilege	604	vbc.exe
Token: SeSystemProfilePrivilege	604	vbc.exe
Token: SeSystemtimePrivilege	604	vbc.exe
Token: SeProfSingleProcessPrivilege	604	vbc.exe
Token: SeIncBasePriorityPrivilege	604	vbc.exe
Token: SeCreatePagefilePrivilege	604	vbc.exe
Token: SeBackupPrivilege	604	vbc.exe
Token: SeRestorePrivilege	604	vbc.exe
Token: SeShutdownPrivilege	604	vbc.exe
Token: SeDebugPrivilege	604	vbc.exe
Token: SeSystemEnvironmentPrivilege	604	vbc.exe
Token: SeChangeNotifyPrivilege	604	vbc.exe
Token: SeRemoteShutdownPrivilege	604	vbc.exe
Token: SeUndockPrivilege	604	vbc.exe
Token: SeManageVolumePrivilege	604	vbc.exe
Token: SeImpersonatePrivilege	604	vbc.exe
Token: SeCreateGlobalPrivilege	604	vbc.exe
Token: 33	604	vbc.exe
Token: 34	604	vbc.exe
Token: 35	604	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
604	vbc.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 604	1508	aabe9a788e56f3d9b79c93989ed6bca0c0a3bf0cf00afdd4cb8bb9623ac8e318.exe	26
PID 1508 wrote to memory of 604	1508	aabe9a788e56f3d9b79c93989ed6bca0c0a3bf0cf00afdd4cb8bb9623ac8e318.exe	26
PID 1508 wrote to memory of 604	1508	aabe9a788e56f3d9b79c93989ed6bca0c0a3bf0cf00afdd4cb8bb9623ac8e318.exe	26
PID 1508 wrote to memory of 604	1508	aabe9a788e56f3d9b79c93989ed6bca0c0a3bf0cf00afdd4cb8bb9623ac8e318.exe	26
PID 1508 wrote to memory of 604	1508	aabe9a788e56f3d9b79c93989ed6bca0c0a3bf0cf00afdd4cb8bb9623ac8e318.exe	26
PID 1508 wrote to memory of 604	1508	aabe9a788e56f3d9b79c93989ed6bca0c0a3bf0cf00afdd4cb8bb9623ac8e318.exe	26
PID 1508 wrote to memory of 604	1508	aabe9a788e56f3d9b79c93989ed6bca0c0a3bf0cf00afdd4cb8bb9623ac8e318.exe	26
PID 1508 wrote to memory of 604	1508	aabe9a788e56f3d9b79c93989ed6bca0c0a3bf0cf00afdd4cb8bb9623ac8e318.exe	26
PID 1508 wrote to memory of 604	1508	aabe9a788e56f3d9b79c93989ed6bca0c0a3bf0cf00afdd4cb8bb9623ac8e318.exe	26
PID 1508 wrote to memory of 604	1508	aabe9a788e56f3d9b79c93989ed6bca0c0a3bf0cf00afdd4cb8bb9623ac8e318.exe	26
PID 1508 wrote to memory of 604	1508	aabe9a788e56f3d9b79c93989ed6bca0c0a3bf0cf00afdd4cb8bb9623ac8e318.exe	26
PID 1508 wrote to memory of 604	1508	aabe9a788e56f3d9b79c93989ed6bca0c0a3bf0cf00afdd4cb8bb9623ac8e318.exe	26
PID 1508 wrote to memory of 604	1508	aabe9a788e56f3d9b79c93989ed6bca0c0a3bf0cf00afdd4cb8bb9623ac8e318.exe	26

C:\Users\Admin\AppData\Local\Temp\aabe9a788e56f3d9b79c93989ed6bca0c0a3bf0cf00afdd4cb8bb9623ac8e318.exe
"C:\Users\Admin\AppData\Local\Temp\aabe9a788e56f3d9b79c93989ed6bca0c0a3bf0cf00afdd4cb8bb9623ac8e318.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/604-66-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/604-68-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/604-56-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/604-57-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/604-59-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/604-61-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/604-63-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/604-65-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/604-77-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/604-70-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/604-76-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/604-72-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/604-75-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1508-74-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1508-55-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing