darkcomet | 73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6

General

Target

73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe
Size

839KB
MD5

e42a2e438559313d3220bf5253cffc75
SHA1

128cb5214a6148e66b1a43ca64509fcaf622b2ce
SHA256

73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6
SHA512

5f557f40eda2b756a89d5ed0836da0763ed8d4f7f0a5c475c285cd163267c2cb568d1e22304ee7394767441fb57ab09b330fd7e9560ee8b9c341ee3e7e36112d
SSDEEP

12288:Cw+VcKJDFuYlTjsMd/8D3xTS9CJTYtVSHfnLPAXpsx0GaLc/PdzFFkh+8OD6CZ0:CXDFbsMd/03xTK8TYWHM5sx0Nc/+vPU

Score

10^/10

darkcomet clouds rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Clouds

C2

darkeyebrow.no-ip.org:1604

Mutex

DCMIN_MUTEX-W4XVV25

Attributes

gencode
8jAFNXTeDvnp
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Suspicious use of SetThreadContext 1 IoCs

Processes:

73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe

description	pid	process	target process
PID 1512 set thread context of 2012	1512	73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1512	73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe
Token: SeIncreaseQuotaPrivilege	2012	AppLaunch.exe
Token: SeSecurityPrivilege	2012	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	2012	AppLaunch.exe
Token: SeLoadDriverPrivilege	2012	AppLaunch.exe
Token: SeSystemProfilePrivilege	2012	AppLaunch.exe
Token: SeSystemtimePrivilege	2012	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	2012	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	2012	AppLaunch.exe
Token: SeCreatePagefilePrivilege	2012	AppLaunch.exe
Token: SeBackupPrivilege	2012	AppLaunch.exe
Token: SeRestorePrivilege	2012	AppLaunch.exe
Token: SeShutdownPrivilege	2012	AppLaunch.exe
Token: SeDebugPrivilege	2012	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	2012	AppLaunch.exe
Token: SeChangeNotifyPrivilege	2012	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	2012	AppLaunch.exe
Token: SeUndockPrivilege	2012	AppLaunch.exe
Token: SeManageVolumePrivilege	2012	AppLaunch.exe
Token: SeImpersonatePrivilege	2012	AppLaunch.exe
Token: SeCreateGlobalPrivilege	2012	AppLaunch.exe
Token: 33	2012	AppLaunch.exe
Token: 34	2012	AppLaunch.exe
Token: 35	2012	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AppLaunch.exe

pid process

2012 AppLaunch.exe

pid	process
2012	AppLaunch.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe

description	pid	process	target process
PID 1512 wrote to memory of 2012	1512	73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe	AppLaunch.exe
PID 1512 wrote to memory of 2012	1512	73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe	AppLaunch.exe
PID 1512 wrote to memory of 2012	1512	73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe	AppLaunch.exe
PID 1512 wrote to memory of 2012	1512	73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe	AppLaunch.exe
PID 1512 wrote to memory of 2012	1512	73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe	AppLaunch.exe
PID 1512 wrote to memory of 2012	1512	73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe	AppLaunch.exe
PID 1512 wrote to memory of 2012	1512	73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe	AppLaunch.exe
PID 1512 wrote to memory of 2012	1512	73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe	AppLaunch.exe
PID 1512 wrote to memory of 2012	1512	73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe	AppLaunch.exe
PID 1512 wrote to memory of 2012	1512	73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe	AppLaunch.exe
PID 1512 wrote to memory of 2012	1512	73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe	AppLaunch.exe
PID 1512 wrote to memory of 2012	1512	73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe	AppLaunch.exe
PID 1512 wrote to memory of 2012	1512	73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe	AppLaunch.exe
PID 1512 wrote to memory of 2012	1512	73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe	AppLaunch.exe
PID 1512 wrote to memory of 2012	1512	73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe	AppLaunch.exe
PID 1512 wrote to memory of 2012	1512	73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe
"C:\Users\Admin\AppData\Local\Temp\73cf89c6f3fb74f1d4307bc43fa5db4ffb5f62da8ec2240e6d8c6d05159156a6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1512-54-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1512-55-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/1512-74-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-66-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2012-70-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2012-61-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2012-63-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2012-65-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2012-57-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2012-68-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2012-59-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2012-71-0x0000000000490888-mapping.dmp

Download
memory/2012-72-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2012-56-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2012-75-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2012-77-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2012-78-0x0000000000490000-0x0000000000492000-memory.dmp

Filesize
8KB

Download
memory/2012-79-0x0000000000401000-0x0000000000490000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads