darkcomet | 7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983

General

Target

7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Size

999KB
MD5

bd7b0ce05cd09c1b6ac1a23b0b4a965d
SHA1

bff7ebfdde85c7ce93fbbaac1fdc87839ad5899a
SHA256

7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983
SHA512

2ad332133a186de4cad39518a47b3af84b737c06eaf7f40d023b55b4c0cffe86eb754aa1f70e63551e33a96f6949b197404cbcdb3623aebee009f3b1ce85402f
SSDEEP

12288:hj5d9ZB6WyB1H8mmRbVQhV5u4PFKE6/khqPpcM/:lzgWyvgRZ6B9X6scd/

Score

10^/10

darkcomet cspd1044 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

cspd1044

C2

pois111.no-ip.info:1619

pois111.dyndns.info:1618

31.204.153.75:1617

Mutex

DC_MUTEX-L47V2RU

Attributes

gencode
McYVnPEswVGe
install
false
offline_keylogger
true
password
x10r2
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4848 set thread context of 2248	4848	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: SeIncreaseQuotaPrivilege	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: SeSecurityPrivilege	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: SeTakeOwnershipPrivilege	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: SeLoadDriverPrivilege	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: SeSystemProfilePrivilege	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: SeSystemtimePrivilege	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: SeProfSingleProcessPrivilege	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: SeIncBasePriorityPrivilege	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: SeCreatePagefilePrivilege	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: SeBackupPrivilege	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: SeRestorePrivilege	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: SeShutdownPrivilege	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: SeDebugPrivilege	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: SeSystemEnvironmentPrivilege	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: SeChangeNotifyPrivilege	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: SeRemoteShutdownPrivilege	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: SeUndockPrivilege	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: SeManageVolumePrivilege	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: SeImpersonatePrivilege	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: SeCreateGlobalPrivilege	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: 33	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: 34	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: 35	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
Token: 36	2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2248	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 2248	4848	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe	89
PID 4848 wrote to memory of 2248	4848	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe	89
PID 4848 wrote to memory of 2248	4848	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe	89
PID 4848 wrote to memory of 2248	4848	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe	89
PID 4848 wrote to memory of 2248	4848	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe	89
PID 4848 wrote to memory of 2248	4848	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe	89
PID 4848 wrote to memory of 2248	4848	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe	89
PID 4848 wrote to memory of 2248	4848	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe	89
PID 4848 wrote to memory of 2248	4848	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe	89
PID 4848 wrote to memory of 2248	4848	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe	89
PID 4848 wrote to memory of 2248	4848	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe	89
PID 4848 wrote to memory of 2248	4848	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe	89
PID 4848 wrote to memory of 2248	4848	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe	89
PID 4848 wrote to memory of 2248	4848	7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe	89

C:\Users\Admin\AppData\Local\Temp\7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
"C:\Users\Admin\AppData\Local\Temp\7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Local\Temp\7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
  C:\Users\Admin\AppData\Local\Temp\7835141baa42020502a32b5d1fb831d87ed08e6f8f97dbafb4f71bcaab07a983.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2248-134-0x0000000000000000-mapping.dmp

Download
memory/2248-135-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2248-136-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2248-137-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4848-132-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/4848-133-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/4848-138-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing