darkcomet | a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33

Analysis

max time kernel
151s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Size

235KB
MD5

074c73a7fe39efe406df9a7b3e979b77
SHA1

ddeeaced11efb943b2ca9e37e3d4f4c9dbf06438
SHA256

a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33
SHA512

2681782c9a10edc45c1df37396e52a6d78876bc522c0d0d3fcdb3e18d739a5d8f764c1d1894e1617a118c6158eb625ab210e95b506ac6f7c572bafe3a2c26cb0
SSDEEP

3072:EY/ygXnCQUYy9yxhjrSsplyU5iHquGbT47mJaCki/q/7NRgOYromMD8goZ9yz28S:EYLtU7Ixhnhz5TN6mJWd/7qMD8gmggf

Score

10^/10

darkcomet guest16 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

marocainhakers.no-ip.biz:1604

Mutex

DC_MUTEX-FYHR6EK

Attributes

gencode
TKuFXmZ5e3L1
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: SeSecurityPrivilege	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: SeTakeOwnershipPrivilege	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: SeLoadDriverPrivilege	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: SeSystemProfilePrivilege	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: SeSystemtimePrivilege	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: SeProfSingleProcessPrivilege	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: SeIncBasePriorityPrivilege	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: SeCreatePagefilePrivilege	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: SeBackupPrivilege	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: SeRestorePrivilege	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: SeShutdownPrivilege	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: SeDebugPrivilege	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: SeSystemEnvironmentPrivilege	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: SeChangeNotifyPrivilege	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: SeRemoteShutdownPrivilege	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: SeUndockPrivilege	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: SeManageVolumePrivilege	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: SeImpersonatePrivilege	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: SeCreateGlobalPrivilege	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: 33	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: 34	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
Token: 35	1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1880	a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe

C:\Users\Admin\AppData\Local\Temp\a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe
"C:\Users\Admin\AppData\Local\Temp\a9847a156c916e46e43c917619572aaa5b448c28072e3674cbfc4efbdabfab33.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1880-54-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1880-55-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1880-56-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download