darkcomet | 960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba

General

Target

960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe
Size

1.0MB
MD5

c0304b43e6ce77d2f7f9458efe8cf746
SHA1

9e7d5e0f7f55ca1eac754d83b44d061e02605c2f
SHA256

960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba
SHA512

cf74cc38998c297d32d59639edfc61d8028427f7976b30f3a1f92368af1cabf6f72d3be8c982e555e4ffd9faec3e5a689703469a1617a60064b075eef694e814
SSDEEP

12288:maF3jFjW7S2Vt/e6ESi+cEhWKg58FsjGApV2Mnb9TLCmv1GT3eU0LoX5C:/TX6/QecEc5Z6ApV5b9TLCmv1GTecX5C

Score

10^/10

darkcomet rat rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

RAT

C2

ilya69.no-ip.info:1337

Mutex

DCMIN_MUTEX-9HHY8YP

Attributes

gencode
E7oxjPKu4NXN
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe

description pid process target process

PID 872 set thread context of 1900 872 960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe vbc.exe

description	pid	process	target process
PID 872 set thread context of 1900	872	960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe	vbc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1900	vbc.exe
Token: SeSecurityPrivilege	1900	vbc.exe
Token: SeTakeOwnershipPrivilege	1900	vbc.exe
Token: SeLoadDriverPrivilege	1900	vbc.exe
Token: SeSystemProfilePrivilege	1900	vbc.exe
Token: SeSystemtimePrivilege	1900	vbc.exe
Token: SeProfSingleProcessPrivilege	1900	vbc.exe
Token: SeIncBasePriorityPrivilege	1900	vbc.exe
Token: SeCreatePagefilePrivilege	1900	vbc.exe
Token: SeBackupPrivilege	1900	vbc.exe
Token: SeRestorePrivilege	1900	vbc.exe
Token: SeShutdownPrivilege	1900	vbc.exe
Token: SeDebugPrivilege	1900	vbc.exe
Token: SeSystemEnvironmentPrivilege	1900	vbc.exe
Token: SeChangeNotifyPrivilege	1900	vbc.exe
Token: SeRemoteShutdownPrivilege	1900	vbc.exe
Token: SeUndockPrivilege	1900	vbc.exe
Token: SeManageVolumePrivilege	1900	vbc.exe
Token: SeImpersonatePrivilege	1900	vbc.exe
Token: SeCreateGlobalPrivilege	1900	vbc.exe
Token: 33	1900	vbc.exe
Token: 34	1900	vbc.exe
Token: 35	1900	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

1900 vbc.exe

pid	process
1900	vbc.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe

description	pid	process	target process
PID 872 wrote to memory of 1900	872	960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe	vbc.exe
PID 872 wrote to memory of 1900	872	960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe	vbc.exe
PID 872 wrote to memory of 1900	872	960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe	vbc.exe
PID 872 wrote to memory of 1900	872	960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe	vbc.exe
PID 872 wrote to memory of 1900	872	960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe	vbc.exe
PID 872 wrote to memory of 1900	872	960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe	vbc.exe
PID 872 wrote to memory of 1900	872	960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe	vbc.exe
PID 872 wrote to memory of 1900	872	960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe	vbc.exe
PID 872 wrote to memory of 1900	872	960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe	vbc.exe
PID 872 wrote to memory of 1900	872	960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe	vbc.exe
PID 872 wrote to memory of 1900	872	960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe	vbc.exe
PID 872 wrote to memory of 1900	872	960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe	vbc.exe
PID 872 wrote to memory of 1900	872	960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe
"C:\Users\Admin\AppData\Local\Temp\960efb495f646cda153017ba956b4e965b03538e408425c8aaec97279c78c8ba.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/872-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/872-55-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/872-76-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1900-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1900-59-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1900-61-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1900-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1900-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1900-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1900-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1900-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1900-71-0x000000000048F888-mapping.dmp

Download
memory/1900-72-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1900-74-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1900-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1900-56-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing