darkcomet | 8d8cd5e4463edda11942a4b127af178b41683820fd0d193adf5da6d75534e2f2

General

Target

8d8cd5e4463edda11942a4b127af178b41683820fd0d193adf5da6d75534e2f2.exe
Size

1.4MB
MD5

7e97e65b7b90c1e50cf557c5b7454b4c
SHA1

9e3e0fa86d0b86d2ce1c6edee431024de9ab3643
SHA256

8d8cd5e4463edda11942a4b127af178b41683820fd0d193adf5da6d75534e2f2
SHA512

e6708066672f41f3dbc081683519a1147f4234b350a4d27014805faf8671769f120cb2d8b07df8b3e2c9e6bc447ef43e14de475437aece09b5055ab18e3003f4
SSDEEP

24576:lb/J+1ptt5Un9GYHogKGZCsYlPFbFdbEDSfacoo2:lbUxzikfss0

Score

10^/10

darkcomet hf rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

HF

C2

rabbo-hotel.nl:1604

Mutex

DC_MUTEX-7F8DZX7

Attributes

gencode
Jfjp26UvqMcH
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 1 IoCs

pid	Process
948	dikkelol.exe

Loads dropped DLL 2 IoCs

pid	Process
688	8d8cd5e4463edda11942a4b127af178b41683820fd0d193adf5da6d75534e2f2.exe
688	8d8cd5e4463edda11942a4b127af178b41683820fd0d193adf5da6d75534e2f2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BFRTJTJCXTGTJRGRW3KPNXVMBHWVFSVF7JB4VPJGF	8d8cd5e4463edda11942a4b127af178b41683820fd0d193adf5da6d75534e2f2.exe
File created	C:\ProgramData\DYA_LDQSIQRIPBLGWSVNI\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BFRTJTJCXTGTJRGRW3KPNXVMBHWVFSVF7JB4VPJGF	8d8cd5e4463edda11942a4b127af178b41683820fd0d193adf5da6d75534e2f2.exe
File created	C:\Users\Public\Desktop:$SS_DESCRIPTOR_SBXNV9VVGV1BFRTJTJCXTGTJRGRW3KPNXVMBHWVFSVF7JB4VPJGF	8d8cd5e4463edda11942a4b127af178b41683820fd0d193adf5da6d75534e2f2.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	688	8d8cd5e4463edda11942a4b127af178b41683820fd0d193adf5da6d75534e2f2.exe
Token: SeIncreaseQuotaPrivilege	948	dikkelol.exe
Token: SeSecurityPrivilege	948	dikkelol.exe
Token: SeTakeOwnershipPrivilege	948	dikkelol.exe
Token: SeLoadDriverPrivilege	948	dikkelol.exe
Token: SeSystemProfilePrivilege	948	dikkelol.exe
Token: SeSystemtimePrivilege	948	dikkelol.exe
Token: SeProfSingleProcessPrivilege	948	dikkelol.exe
Token: SeIncBasePriorityPrivilege	948	dikkelol.exe
Token: SeCreatePagefilePrivilege	948	dikkelol.exe
Token: SeBackupPrivilege	948	dikkelol.exe
Token: SeRestorePrivilege	948	dikkelol.exe
Token: SeShutdownPrivilege	948	dikkelol.exe
Token: SeDebugPrivilege	948	dikkelol.exe
Token: SeSystemEnvironmentPrivilege	948	dikkelol.exe
Token: SeChangeNotifyPrivilege	948	dikkelol.exe
Token: SeRemoteShutdownPrivilege	948	dikkelol.exe
Token: SeUndockPrivilege	948	dikkelol.exe
Token: SeManageVolumePrivilege	948	dikkelol.exe
Token: SeImpersonatePrivilege	948	dikkelol.exe
Token: SeCreateGlobalPrivilege	948	dikkelol.exe
Token: 33	948	dikkelol.exe
Token: 34	948	dikkelol.exe
Token: 35	948	dikkelol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
948	dikkelol.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 948	688	8d8cd5e4463edda11942a4b127af178b41683820fd0d193adf5da6d75534e2f2.exe	28
PID 688 wrote to memory of 948	688	8d8cd5e4463edda11942a4b127af178b41683820fd0d193adf5da6d75534e2f2.exe	28
PID 688 wrote to memory of 948	688	8d8cd5e4463edda11942a4b127af178b41683820fd0d193adf5da6d75534e2f2.exe	28
PID 688 wrote to memory of 948	688	8d8cd5e4463edda11942a4b127af178b41683820fd0d193adf5da6d75534e2f2.exe	28

C:\Users\Admin\AppData\Local\Temp\8d8cd5e4463edda11942a4b127af178b41683820fd0d193adf5da6d75534e2f2.exe
"C:\Users\Admin\AppData\Local\Temp\8d8cd5e4463edda11942a4b127af178b41683820fd0d193adf5da6d75534e2f2.exe"
1⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:688
- C:\Users\Admin\AppData\Local\Temp\dikkelol.exe
  "C:\Users\Admin\AppData\Local\Temp\dikkelol.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dikkelol.exe

Filesize
658KB

MD5
fd8bbbce20b93376f439c1ad6b6da018

SHA1
89012e84470bb2d9c7b8b34fe64d70105776ea3c

SHA256
6d122c0b37a45944b2781d347e9baa240be02a669759197e2a4ebf16a4b2dbb1

SHA512
edcc072b669e5824d167d2829510b1af01b85d6aa372a571ae1c3a561765252edb8a45ef7257fa44cb5e44ff096c5030aad4ca9c17eed2278c67a0eb2970a0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\dikkelol.exe

Filesize
658KB

MD5
fd8bbbce20b93376f439c1ad6b6da018

SHA1
89012e84470bb2d9c7b8b34fe64d70105776ea3c

SHA256
6d122c0b37a45944b2781d347e9baa240be02a669759197e2a4ebf16a4b2dbb1

SHA512
edcc072b669e5824d167d2829510b1af01b85d6aa372a571ae1c3a561765252edb8a45ef7257fa44cb5e44ff096c5030aad4ca9c17eed2278c67a0eb2970a0df

Download Submit
\Users\Admin\AppData\Local\Temp\dikkelol.exe

Filesize
658KB

MD5
fd8bbbce20b93376f439c1ad6b6da018

SHA1
89012e84470bb2d9c7b8b34fe64d70105776ea3c

SHA256
6d122c0b37a45944b2781d347e9baa240be02a669759197e2a4ebf16a4b2dbb1

SHA512
edcc072b669e5824d167d2829510b1af01b85d6aa372a571ae1c3a561765252edb8a45ef7257fa44cb5e44ff096c5030aad4ca9c17eed2278c67a0eb2970a0df

Download Submit
\Users\Admin\AppData\Local\Temp\dikkelol.exe

Filesize
658KB

MD5
fd8bbbce20b93376f439c1ad6b6da018

SHA1
89012e84470bb2d9c7b8b34fe64d70105776ea3c

SHA256
6d122c0b37a45944b2781d347e9baa240be02a669759197e2a4ebf16a4b2dbb1

SHA512
edcc072b669e5824d167d2829510b1af01b85d6aa372a571ae1c3a561765252edb8a45ef7257fa44cb5e44ff096c5030aad4ca9c17eed2278c67a0eb2970a0df

Download Submit
memory/688-55-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/688-56-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/688-57-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/688-58-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/688-64-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing