darkcomet | a5d6ff5bbbc5b350b938c7b2e09763b0935f00d41c01cc737b46bdd930f11625

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 20:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a5d6ff5bbbc5b350b938c7b2e09763b0935f00d41c01cc737b46bdd930f11625.exe
Size

1.9MB
MD5

c3ca6491e9f241573ba01a073939703a
SHA1

29669a848b04b3a7faa09bbf3047df0e73121fd6
SHA256

a5d6ff5bbbc5b350b938c7b2e09763b0935f00d41c01cc737b46bdd930f11625
SHA512

ffb9bf92d06c7a17671e461a13972a45e6cc8ab0c0199691f02f12b662cb1ae141ebca9047a98f2efbd585cc4e2149bd1d973ae13cd1af11b89587931e395c5d
SSDEEP

12288:35aqIbcW23TOLBlucS5nuISmFU7yYitKG6pydB4FOyD2wWT1tII0TzwfG1ydf6qS:QqcILKG6nGFm2WM4a0h

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2148 set thread context of 3768	2148	a5d6ff5bbbc5b350b938c7b2e09763b0935f00d41c01cc737b46bdd930f11625.exe	82

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2652	3768	WerFault.exe	82

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 3768	2148	a5d6ff5bbbc5b350b938c7b2e09763b0935f00d41c01cc737b46bdd930f11625.exe	82
PID 2148 wrote to memory of 3768	2148	a5d6ff5bbbc5b350b938c7b2e09763b0935f00d41c01cc737b46bdd930f11625.exe	82
PID 2148 wrote to memory of 3768	2148	a5d6ff5bbbc5b350b938c7b2e09763b0935f00d41c01cc737b46bdd930f11625.exe	82
PID 2148 wrote to memory of 3768	2148	a5d6ff5bbbc5b350b938c7b2e09763b0935f00d41c01cc737b46bdd930f11625.exe	82
PID 2148 wrote to memory of 3768	2148	a5d6ff5bbbc5b350b938c7b2e09763b0935f00d41c01cc737b46bdd930f11625.exe	82
PID 2148 wrote to memory of 3768	2148	a5d6ff5bbbc5b350b938c7b2e09763b0935f00d41c01cc737b46bdd930f11625.exe	82
PID 2148 wrote to memory of 3768	2148	a5d6ff5bbbc5b350b938c7b2e09763b0935f00d41c01cc737b46bdd930f11625.exe	82
PID 2148 wrote to memory of 3768	2148	a5d6ff5bbbc5b350b938c7b2e09763b0935f00d41c01cc737b46bdd930f11625.exe	82
PID 2148 wrote to memory of 3768	2148	a5d6ff5bbbc5b350b938c7b2e09763b0935f00d41c01cc737b46bdd930f11625.exe	82
PID 2148 wrote to memory of 3768	2148	a5d6ff5bbbc5b350b938c7b2e09763b0935f00d41c01cc737b46bdd930f11625.exe	82
PID 2148 wrote to memory of 3768	2148	a5d6ff5bbbc5b350b938c7b2e09763b0935f00d41c01cc737b46bdd930f11625.exe	82
PID 2148 wrote to memory of 3768	2148	a5d6ff5bbbc5b350b938c7b2e09763b0935f00d41c01cc737b46bdd930f11625.exe	82
PID 2148 wrote to memory of 3768	2148	a5d6ff5bbbc5b350b938c7b2e09763b0935f00d41c01cc737b46bdd930f11625.exe	82
PID 2148 wrote to memory of 3768	2148	a5d6ff5bbbc5b350b938c7b2e09763b0935f00d41c01cc737b46bdd930f11625.exe	82

C:\Users\Admin\AppData\Local\Temp\a5d6ff5bbbc5b350b938c7b2e09763b0935f00d41c01cc737b46bdd930f11625.exe
"C:\Users\Admin\AppData\Local\Temp\a5d6ff5bbbc5b350b938c7b2e09763b0935f00d41c01cc737b46bdd930f11625.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  PID:3768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 12
    3⤵
    - Program crash
    PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3768 -ip 3768
1⤵
PID:3772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2148-134-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/2148-135-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/3768-133-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download