darkcomet | 06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66

General

Target

06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Size

967KB
MD5

245d2cec5bb0f3cb375028c72ef684f0
SHA1

e4030d976f994697dd482fdae62258b55b0c3eed
SHA256

06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66
SHA512

59658b4db272d15b4680f6546168f72ea34c7125e45fa91b0694443cb020f1fe2fb92e88e01ca545cc2ccb1420aa208fee4019436a3c9c0947a04a8465e04a59
SSDEEP

24576:gRmJkcoQricOIQxiZY1iavReA7pZk0/arYy:VJZoQrbTFZY1iavRtpTcYy

Score

10^/10

darkcomet guest16 rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:321

Mutex

DC_MUTEX-R0X7EMW

Attributes

gencode
8wq0x7iUlHMN
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3140-138-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3140-139-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3140-140-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3140-141-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3140-143-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3140-144-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe

description	pid	process	target process
PID 2268 set thread context of 5076	2268	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 5076 set thread context of 3140	5076	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeSecurityPrivilege	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeTakeOwnershipPrivilege	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeLoadDriverPrivilege	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeSystemProfilePrivilege	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeSystemtimePrivilege	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeProfSingleProcessPrivilege	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeIncBasePriorityPrivilege	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeCreatePagefilePrivilege	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeBackupPrivilege	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeRestorePrivilege	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeShutdownPrivilege	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeDebugPrivilege	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeSystemEnvironmentPrivilege	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeChangeNotifyPrivilege	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeRemoteShutdownPrivilege	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeUndockPrivilege	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeManageVolumePrivilege	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeImpersonatePrivilege	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeCreateGlobalPrivilege	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: 33	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: 34	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: 35	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: 36	3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe

pid	process
5076	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
3140	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe

description	pid	process	target process
PID 2268 wrote to memory of 5076	2268	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 2268 wrote to memory of 5076	2268	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 2268 wrote to memory of 5076	2268	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 2268 wrote to memory of 5076	2268	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 2268 wrote to memory of 5076	2268	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 5076 wrote to memory of 3140	5076	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 5076 wrote to memory of 3140	5076	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 5076 wrote to memory of 3140	5076	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 5076 wrote to memory of 3140	5076	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 5076 wrote to memory of 3140	5076	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 5076 wrote to memory of 3140	5076	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 5076 wrote to memory of 3140	5076	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 5076 wrote to memory of 3140	5076	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe

C:\Users\Admin\AppData\Local\Temp\06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
"C:\Users\Admin\AppData\Local\Temp\06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2268

C:\Users\Admin\AppData\Local\Temp\06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
"C:\Users\Admin\AppData\Local\Temp\06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5076

C:\Users\Admin\AppData\Local\Temp\06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3140-137-0x0000000000000000-mapping.dmp

Download
memory/3140-138-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3140-139-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3140-140-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3140-141-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3140-143-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3140-144-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5076-132-0x0000000000000000-mapping.dmp

Download
memory/5076-133-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/5076-142-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads