darkcomet | 3cccf9866e3cc9482de110f9b899234c57e87ddd831fdf9f8347019a10cebdb4

General

Target

3cccf9866e3cc9482de110f9b899234c57e87ddd831fdf9f8347019a10cebdb4.exe
Size

712KB
MD5

60535d269d5a2844a0eddfb8f7cb2390
SHA1

dccccfea4db8bc05fa841e0318f02b592c343e9f
SHA256

3cccf9866e3cc9482de110f9b899234c57e87ddd831fdf9f8347019a10cebdb4
SHA512

c983fdb3f1f545699e250ea2fd8e92c51356a5574d26d8d8f7bf7037fb4dbe6f639cf3d1c4194661f3498a7f960f4a2917ef4aefa2bdad63c27ca939b8e75604
SSDEEP

12288:Rh1Lk70TnvjcTzqplcGds7hqiLBNicoN3cSuIy3goj4lcQlR7pWEjTSjogqNyy:Nk70TrcXqfcEs93L5OC2ocTNp9y9y

Score

10^/10

darkcomet rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 1 IoCs

pid	Process
1948	Windows.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1948-57-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/1948-60-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/1948-62-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/1948-63-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/1948-64-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral1/memory/1948-66-0x0000000000400000-0x00000000004B9000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1612	3cccf9866e3cc9482de110f9b899234c57e87ddd831fdf9f8347019a10cebdb4.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1612 set thread context of 1948	1612	3cccf9866e3cc9482de110f9b899234c57e87ddd831fdf9f8347019a10cebdb4.exe	26

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1612	3cccf9866e3cc9482de110f9b899234c57e87ddd831fdf9f8347019a10cebdb4.exe
Token: SeIncreaseQuotaPrivilege	1948	Windows.exe
Token: SeSecurityPrivilege	1948	Windows.exe
Token: SeTakeOwnershipPrivilege	1948	Windows.exe
Token: SeLoadDriverPrivilege	1948	Windows.exe
Token: SeSystemProfilePrivilege	1948	Windows.exe
Token: SeSystemtimePrivilege	1948	Windows.exe
Token: SeProfSingleProcessPrivilege	1948	Windows.exe
Token: SeIncBasePriorityPrivilege	1948	Windows.exe
Token: SeCreatePagefilePrivilege	1948	Windows.exe
Token: SeBackupPrivilege	1948	Windows.exe
Token: SeRestorePrivilege	1948	Windows.exe
Token: SeShutdownPrivilege	1948	Windows.exe
Token: SeDebugPrivilege	1948	Windows.exe
Token: SeSystemEnvironmentPrivilege	1948	Windows.exe
Token: SeChangeNotifyPrivilege	1948	Windows.exe
Token: SeRemoteShutdownPrivilege	1948	Windows.exe
Token: SeUndockPrivilege	1948	Windows.exe
Token: SeManageVolumePrivilege	1948	Windows.exe
Token: SeImpersonatePrivilege	1948	Windows.exe
Token: SeCreateGlobalPrivilege	1948	Windows.exe
Token: 33	1948	Windows.exe
Token: 34	1948	Windows.exe
Token: 35	1948	Windows.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1948	1612	3cccf9866e3cc9482de110f9b899234c57e87ddd831fdf9f8347019a10cebdb4.exe	26
PID 1612 wrote to memory of 1948	1612	3cccf9866e3cc9482de110f9b899234c57e87ddd831fdf9f8347019a10cebdb4.exe	26
PID 1612 wrote to memory of 1948	1612	3cccf9866e3cc9482de110f9b899234c57e87ddd831fdf9f8347019a10cebdb4.exe	26
PID 1612 wrote to memory of 1948	1612	3cccf9866e3cc9482de110f9b899234c57e87ddd831fdf9f8347019a10cebdb4.exe	26
PID 1612 wrote to memory of 1948	1612	3cccf9866e3cc9482de110f9b899234c57e87ddd831fdf9f8347019a10cebdb4.exe	26
PID 1612 wrote to memory of 1948	1612	3cccf9866e3cc9482de110f9b899234c57e87ddd831fdf9f8347019a10cebdb4.exe	26
PID 1612 wrote to memory of 1948	1612	3cccf9866e3cc9482de110f9b899234c57e87ddd831fdf9f8347019a10cebdb4.exe	26
PID 1612 wrote to memory of 1948	1612	3cccf9866e3cc9482de110f9b899234c57e87ddd831fdf9f8347019a10cebdb4.exe	26
PID 1612 wrote to memory of 1948	1612	3cccf9866e3cc9482de110f9b899234c57e87ddd831fdf9f8347019a10cebdb4.exe	26

C:\Users\Admin\AppData\Local\Temp\3cccf9866e3cc9482de110f9b899234c57e87ddd831fdf9f8347019a10cebdb4.exe
"C:\Users\Admin\AppData\Local\Temp\3cccf9866e3cc9482de110f9b899234c57e87ddd831fdf9f8347019a10cebdb4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\Windows.exe
  C:\Users\Admin\AppData\Local\Temp\Windows.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Windows.exe

Filesize
712KB

MD5
60535d269d5a2844a0eddfb8f7cb2390

SHA1
dccccfea4db8bc05fa841e0318f02b592c343e9f

SHA256
3cccf9866e3cc9482de110f9b899234c57e87ddd831fdf9f8347019a10cebdb4

SHA512
c983fdb3f1f545699e250ea2fd8e92c51356a5574d26d8d8f7bf7037fb4dbe6f639cf3d1c4194661f3498a7f960f4a2917ef4aefa2bdad63c27ca939b8e75604

Download Submit
\Users\Admin\AppData\Local\Temp\Windows.exe

Filesize
712KB

MD5
60535d269d5a2844a0eddfb8f7cb2390

SHA1
dccccfea4db8bc05fa841e0318f02b592c343e9f

SHA256
3cccf9866e3cc9482de110f9b899234c57e87ddd831fdf9f8347019a10cebdb4

SHA512
c983fdb3f1f545699e250ea2fd8e92c51356a5574d26d8d8f7bf7037fb4dbe6f639cf3d1c4194661f3498a7f960f4a2917ef4aefa2bdad63c27ca939b8e75604

Download Submit
memory/1612-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1612-55-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1612-65-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1948-57-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1948-60-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1948-62-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1948-63-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1948-64-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1948-66-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download

Analysis

Sharing