darkcomet | c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172

General

Target

c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe
Size

709KB
MD5

090430ca723ae6294b2ad8e831c3adb0
SHA1

2c07b235d67f10dc892fc7020846a957a6a421c9
SHA256

c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172
SHA512

b8a9f8f1d1a8fb17df2d885dbb5a6b7fd960d7377a7241ce3153c14d1b7ac5926b6f6662584c31e1cef7c158694ee6f1305a977ece0d5fc4ebc3cd4b4b8a3710
SSDEEP

12288:kxaVAh64U5l4N85pz0ugMX6fOUzKToW3l9KMcaCLH:kxaVxr5CN85pwFMqGuKToC9KMcaCLH

Score

10^/10

darkcomet rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 1 IoCs

pid	Process
844	system.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000013445-55.dat	upx
behavioral1/files/0x000a000000013445-56.dat	upx
behavioral1/files/0x000a000000013445-57.dat	upx
behavioral1/files/0x000a000000013445-59.dat	upx
behavioral1/files/0x000a000000013445-58.dat	upx
behavioral1/files/0x000a000000013445-61.dat	upx
behavioral1/memory/844-68-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	IEXPLORE.EXE

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).lnk	c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe

Loads dropped DLL 5 IoCs

pid	Process
1344	c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe
1344	c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe
1344	c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe
1344	c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe
1344	c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 844 set thread context of 952	844	system.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	952	IEXPLORE.EXE
Token: SeSecurityPrivilege	952	IEXPLORE.EXE
Token: SeTakeOwnershipPrivilege	952	IEXPLORE.EXE
Token: SeLoadDriverPrivilege	952	IEXPLORE.EXE
Token: SeSystemProfilePrivilege	952	IEXPLORE.EXE
Token: SeSystemtimePrivilege	952	IEXPLORE.EXE
Token: SeProfSingleProcessPrivilege	952	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	952	IEXPLORE.EXE
Token: SeCreatePagefilePrivilege	952	IEXPLORE.EXE
Token: SeBackupPrivilege	952	IEXPLORE.EXE
Token: SeRestorePrivilege	952	IEXPLORE.EXE
Token: SeShutdownPrivilege	952	IEXPLORE.EXE
Token: SeDebugPrivilege	952	IEXPLORE.EXE
Token: SeSystemEnvironmentPrivilege	952	IEXPLORE.EXE
Token: SeChangeNotifyPrivilege	952	IEXPLORE.EXE
Token: SeRemoteShutdownPrivilege	952	IEXPLORE.EXE
Token: SeUndockPrivilege	952	IEXPLORE.EXE
Token: SeManageVolumePrivilege	952	IEXPLORE.EXE
Token: SeImpersonatePrivilege	952	IEXPLORE.EXE
Token: SeCreateGlobalPrivilege	952	IEXPLORE.EXE
Token: 33	952	IEXPLORE.EXE
Token: 34	952	IEXPLORE.EXE
Token: 35	952	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
844	system.exe
1308	AcroRd32.exe
952	IEXPLORE.EXE
1308	AcroRd32.exe
1308	AcroRd32.exe
1308	AcroRd32.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 844	1344	c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe	26
PID 1344 wrote to memory of 844	1344	c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe	26
PID 1344 wrote to memory of 844	1344	c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe	26
PID 1344 wrote to memory of 844	1344	c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe	26
PID 1344 wrote to memory of 844	1344	c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe	26
PID 1344 wrote to memory of 844	1344	c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe	26
PID 1344 wrote to memory of 844	1344	c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe	26
PID 1344 wrote to memory of 1308	1344	c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe	27
PID 1344 wrote to memory of 1308	1344	c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe	27
PID 1344 wrote to memory of 1308	1344	c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe	27
PID 1344 wrote to memory of 1308	1344	c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe	27
PID 1344 wrote to memory of 1308	1344	c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe	27
PID 1344 wrote to memory of 1308	1344	c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe	27
PID 1344 wrote to memory of 1308	1344	c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe	27
PID 844 wrote to memory of 952	844	system.exe	28
PID 844 wrote to memory of 952	844	system.exe	28
PID 844 wrote to memory of 952	844	system.exe	28
PID 844 wrote to memory of 952	844	system.exe	28
PID 844 wrote to memory of 952	844	system.exe	28
PID 844 wrote to memory of 952	844	system.exe	28
PID 844 wrote to memory of 952	844	system.exe	28
PID 844 wrote to memory of 952	844	system.exe	28
PID 844 wrote to memory of 952	844	system.exe	28
PID 844 wrote to memory of 952	844	system.exe	28
PID 844 wrote to memory of 952	844	system.exe	28

C:\Users\Admin\AppData\Local\Temp\c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe
"C:\Users\Admin\AppData\Local\Temp\c5b18d377aedacbfa499ebee0a61926359deae05a8e0ed9618e4877939e64172.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\system.exe
  "C:\Users\Admin\AppData\Local\Temp\system.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Checks BIOS information in registry
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:952
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\اسماء بعض الممولين في سوريا والخارج المطلوبين لدى النظام السوري.pdf"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\StartMenu.dll

Filesize
243KB

MD5
62b43b5f61612e89651db8b7dd71c66d

SHA1
526a4f3e8acdb579f4ce4a61d3502ea6c83a55e2

SHA256
a8cb3308b874e50fb365425b8c69aa6b312c0c7ce2abaeb69b9150b8c8f177f4

SHA512
76b755706acabc3c47d4fbdb9296fad635b4ddbd2c135b19cd734fe96c47a99f0e5e5934677f4410e2efc71e4c0a654e3589c94e96ca07f04cff59c6336a64fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe

Filesize
8KB

MD5
9144c660f02b40969e2dbdd88dce7c76

SHA1
14cd1973ac8e5eebe1d3d13ec1b5df491c48e6ea

SHA256
0403cdece0180c0a4b6fff43ad48e32d5f602b29c1fa0c5b4952857244f2c164

SHA512
29d59495bad7daa8e5befe643cb55b51da0d67e26c414f56df5e41ef03d687821d189de0277382b69e36a9af780a04dedfb87c6b30c8fdb2802a6b0b39b705d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\اسماء بعض الممولين في سوريا والخارج المطلوبين لدى النظام السوري.pdf

Filesize
120KB

MD5
b91f458a30c2c63979cb68d8fcee37ef

SHA1
2ef065b39e55f61dc462397aa69fa48e69cdbda4

SHA256
23f9ea07c977ac8f6725bb2e0952df2c856282f582d5c9263388600429822817

SHA512
858261660452e0b4fe9b128b4920f2c92bc0c9e0f69321a67d5d118cc255ea11df183af3470886c6bb4b9dc96be9d8a0befa3390d580a6afff151e0a692ee70d

Download Submit
\Users\Admin\AppData\Local\Temp\system.exe

Filesize
8KB

MD5
9144c660f02b40969e2dbdd88dce7c76

SHA1
14cd1973ac8e5eebe1d3d13ec1b5df491c48e6ea

SHA256
0403cdece0180c0a4b6fff43ad48e32d5f602b29c1fa0c5b4952857244f2c164

SHA512
29d59495bad7daa8e5befe643cb55b51da0d67e26c414f56df5e41ef03d687821d189de0277382b69e36a9af780a04dedfb87c6b30c8fdb2802a6b0b39b705d3

Download Submit
\Users\Admin\AppData\Local\Temp\system.exe

Filesize
8KB

MD5
9144c660f02b40969e2dbdd88dce7c76

SHA1
14cd1973ac8e5eebe1d3d13ec1b5df491c48e6ea

SHA256
0403cdece0180c0a4b6fff43ad48e32d5f602b29c1fa0c5b4952857244f2c164

SHA512
29d59495bad7daa8e5befe643cb55b51da0d67e26c414f56df5e41ef03d687821d189de0277382b69e36a9af780a04dedfb87c6b30c8fdb2802a6b0b39b705d3

Download Submit
\Users\Admin\AppData\Local\Temp\system.exe

Filesize
8KB

MD5
9144c660f02b40969e2dbdd88dce7c76

SHA1
14cd1973ac8e5eebe1d3d13ec1b5df491c48e6ea

SHA256
0403cdece0180c0a4b6fff43ad48e32d5f602b29c1fa0c5b4952857244f2c164

SHA512
29d59495bad7daa8e5befe643cb55b51da0d67e26c414f56df5e41ef03d687821d189de0277382b69e36a9af780a04dedfb87c6b30c8fdb2802a6b0b39b705d3

Download Submit
\Users\Admin\AppData\Local\Temp\system.exe

Filesize
8KB

MD5
9144c660f02b40969e2dbdd88dce7c76

SHA1
14cd1973ac8e5eebe1d3d13ec1b5df491c48e6ea

SHA256
0403cdece0180c0a4b6fff43ad48e32d5f602b29c1fa0c5b4952857244f2c164

SHA512
29d59495bad7daa8e5befe643cb55b51da0d67e26c414f56df5e41ef03d687821d189de0277382b69e36a9af780a04dedfb87c6b30c8fdb2802a6b0b39b705d3

Download Submit
\Users\Admin\AppData\Local\Temp\system.exe

Filesize
8KB

MD5
9144c660f02b40969e2dbdd88dce7c76

SHA1
14cd1973ac8e5eebe1d3d13ec1b5df491c48e6ea

SHA256
0403cdece0180c0a4b6fff43ad48e32d5f602b29c1fa0c5b4952857244f2c164

SHA512
29d59495bad7daa8e5befe643cb55b51da0d67e26c414f56df5e41ef03d687821d189de0277382b69e36a9af780a04dedfb87c6b30c8fdb2802a6b0b39b705d3

Download Submit
memory/844-68-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1344-69-0x00000000009B0000-0x00000000009B3000-memory.dmp

Filesize
12KB

Download
memory/1344-70-0x00000000023D0000-0x00000000023DB000-memory.dmp

Filesize
44KB

Download
memory/1344-71-0x00000000023E0000-0x00000000023EB000-memory.dmp

Filesize
44KB

Download
memory/1344-72-0x00000000023E0000-0x00000000023EB000-memory.dmp

Filesize
44KB

Download
memory/1344-54-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads