darkcomet | 98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd

General

Target

98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe
Size

2.2MB
MD5

39d4cbc86f45b0efedc6f01881412e73
SHA1

a8d339b3f8d798160f71ee88e36b2a6efa76dded
SHA256

98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd
SHA512

333711526622d8e5f02c95a8587bd29e4900757566d9f040ec5f14292640a0c6edead0e933d42ced60c7f0b1ae131cecb06ac206d29d52f4983e40ebecf3b5ce
SSDEEP

49152:N1vqjd/QNzVG3W34pd9S7TWFrSLRRJN3TCt/RsbMBBdtt:N1vqjV344zeK5SLhRTCtkM5

Score

10^/10

darkcomet teste rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

teste

C2

hack256.no-ip.biz:1604

Mutex

DC_MUTEX-CT50HLM

Attributes

gencode
U7iklaRPqE51
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

NOVOSERVIDORFUNCIONANDO.EXE

pid process

916 NOVOSERVIDORFUNCIONANDO.EXE

pid	process
916	NOVOSERVIDORFUNCIONANDO.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe

description	pid	process	target process
PID 3404 set thread context of 4092	3404	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

NOVOSERVIDORFUNCIONANDO.EXE

description	pid	process
Token: SeIncreaseQuotaPrivilege	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: SeSecurityPrivilege	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: SeTakeOwnershipPrivilege	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: SeLoadDriverPrivilege	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: SeSystemProfilePrivilege	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: SeSystemtimePrivilege	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: SeProfSingleProcessPrivilege	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: SeIncBasePriorityPrivilege	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: SeCreatePagefilePrivilege	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: SeBackupPrivilege	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: SeRestorePrivilege	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: SeShutdownPrivilege	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: SeDebugPrivilege	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: SeSystemEnvironmentPrivilege	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: SeChangeNotifyPrivilege	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: SeRemoteShutdownPrivilege	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: SeUndockPrivilege	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: SeManageVolumePrivilege	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: SeImpersonatePrivilege	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: SeCreateGlobalPrivilege	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: 33	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: 34	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: 35	916	NOVOSERVIDORFUNCIONANDO.EXE
Token: 36	916	NOVOSERVIDORFUNCIONANDO.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe

pid	process
3404	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe
3404	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe
3404	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe
3404	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe

pid	process
3404	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe
3404	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe
3404	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe
3404	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

NOVOSERVIDORFUNCIONANDO.EXE

pid process

916 NOVOSERVIDORFUNCIONANDO.EXE

pid	process
916	NOVOSERVIDORFUNCIONANDO.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe

description	pid	process	target process
PID 3404 wrote to memory of 4092	3404	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe
PID 3404 wrote to memory of 4092	3404	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe
PID 3404 wrote to memory of 4092	3404	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe
PID 3404 wrote to memory of 4092	3404	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe
PID 3404 wrote to memory of 4092	3404	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe
PID 3404 wrote to memory of 4092	3404	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe
PID 3404 wrote to memory of 4092	3404	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe
PID 3404 wrote to memory of 4092	3404	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe
PID 3404 wrote to memory of 4092	3404	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe
PID 4092 wrote to memory of 916	4092	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe	NOVOSERVIDORFUNCIONANDO.EXE
PID 4092 wrote to memory of 916	4092	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe	NOVOSERVIDORFUNCIONANDO.EXE
PID 4092 wrote to memory of 916	4092	98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe	NOVOSERVIDORFUNCIONANDO.EXE

C:\Users\Admin\AppData\Local\Temp\98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe
"C:\Users\Admin\AppData\Local\Temp\98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3404

C:\Users\Admin\AppData\Local\Temp\98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe
"C:\Users\Admin\AppData\Local\Temp\98220537abdcac01164bca5bbfaaf666a4a6e2b6b1c800f4e0c7dcafebf480bd.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4092

C:\Users\Admin\AppData\Local\Temp\NOVOSERVIDORFUNCIONANDO.EXE
"C:\Users\Admin\AppData\Local\Temp\NOVOSERVIDORFUNCIONANDO.EXE"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NOVOSERVIDORFUNCIONANDO.EXE
Filesize
660KB

MD5
c5550cb60687459f2232cc395c8769ff

SHA1
7f4199e40ec42b01a937039bfe06237d6f41212a

SHA256
a94cb8f4c4d61331554dcd3dafc17c07404f1a1a41f127168efd22dcd8b6ce8d

SHA512
06c25796d771be8e48296fea9f7bef5c69e10c1a2ee5cf21f40fbfcaf498cae2081ff9930e84e02252dc8bf7d17505b8f2092211d8556197c232436f8652f7b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOVOSERVIDORFUNCIONANDO.EXE
Filesize
660KB

MD5
c5550cb60687459f2232cc395c8769ff

SHA1
7f4199e40ec42b01a937039bfe06237d6f41212a

SHA256
a94cb8f4c4d61331554dcd3dafc17c07404f1a1a41f127168efd22dcd8b6ce8d

SHA512
06c25796d771be8e48296fea9f7bef5c69e10c1a2ee5cf21f40fbfcaf498cae2081ff9930e84e02252dc8bf7d17505b8f2092211d8556197c232436f8652f7b8

Download Submit
memory/916-137-0x0000000000000000-mapping.dmp

Download
memory/4092-132-0x0000000000000000-mapping.dmp

Download
memory/4092-133-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4092-134-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4092-135-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4092-136-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4092-140-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads