darkcomet | 448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7

General

Target

448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe
Size

600KB
MD5

5f32b0f8f0d6d524969702481267cb16
SHA1

61619717f178232d276dd5cdd86290aac5ff3cdf
SHA256

448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7
SHA512

139ac17118fc7bdf32fa0d41f410faecf113d070db70f5b286551374490ce3ba09b278a05317c7df210eece4eacd6ca6d892ff66c924d0bcecd02d084c8e34d5
SSDEEP

12288:W2Q+/YvU2uVApVQVraqhxJJB8Ly4bBBqoje8ze6k:WuzPYV9l

Score

10^/10

darkcomet iyke logs rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

IYKE LOGS

C2

127.0.0.1:1604

Mutex

DC_MUTEX-U2T3MAJ

Attributes

gencode
vb23itbmycw8
install
false
offline_keylogger
true
password
raz@1234567890
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/304-60-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/304-62-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/304-64-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/304-66-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/304-68-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/304-70-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/304-71-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/304-72-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/304-73-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe

description	pid	process	target process
PID 1972 set thread context of 304	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe

pid process

1972 448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe

pid	process
1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe
Token: SeIncreaseQuotaPrivilege	304	AppLaunch.exe
Token: SeSecurityPrivilege	304	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	304	AppLaunch.exe
Token: SeLoadDriverPrivilege	304	AppLaunch.exe
Token: SeSystemProfilePrivilege	304	AppLaunch.exe
Token: SeSystemtimePrivilege	304	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	304	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	304	AppLaunch.exe
Token: SeCreatePagefilePrivilege	304	AppLaunch.exe
Token: SeBackupPrivilege	304	AppLaunch.exe
Token: SeRestorePrivilege	304	AppLaunch.exe
Token: SeShutdownPrivilege	304	AppLaunch.exe
Token: SeDebugPrivilege	304	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	304	AppLaunch.exe
Token: SeChangeNotifyPrivilege	304	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	304	AppLaunch.exe
Token: SeUndockPrivilege	304	AppLaunch.exe
Token: SeManageVolumePrivilege	304	AppLaunch.exe
Token: SeImpersonatePrivilege	304	AppLaunch.exe
Token: SeCreateGlobalPrivilege	304	AppLaunch.exe
Token: 33	304	AppLaunch.exe
Token: 34	304	AppLaunch.exe
Token: 35	304	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AppLaunch.exe

pid process

304 AppLaunch.exe

pid	process
304	AppLaunch.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe

description	pid	process	target process
PID 1972 wrote to memory of 1592	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe	CMD.exe
PID 1972 wrote to memory of 1592	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe	CMD.exe
PID 1972 wrote to memory of 1592	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe	CMD.exe
PID 1972 wrote to memory of 1592	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe	CMD.exe
PID 1972 wrote to memory of 1996	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe	CMD.exe
PID 1972 wrote to memory of 1996	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe	CMD.exe
PID 1972 wrote to memory of 1996	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe	CMD.exe
PID 1972 wrote to memory of 1996	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe	CMD.exe
PID 1972 wrote to memory of 304	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe	AppLaunch.exe
PID 1972 wrote to memory of 304	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe	AppLaunch.exe
PID 1972 wrote to memory of 304	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe	AppLaunch.exe
PID 1972 wrote to memory of 304	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe	AppLaunch.exe
PID 1972 wrote to memory of 304	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe	AppLaunch.exe
PID 1972 wrote to memory of 304	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe	AppLaunch.exe
PID 1972 wrote to memory of 304	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe	AppLaunch.exe
PID 1972 wrote to memory of 304	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe	AppLaunch.exe
PID 1972 wrote to memory of 304	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe	AppLaunch.exe
PID 1972 wrote to memory of 304	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe	AppLaunch.exe
PID 1972 wrote to memory of 304	1972	448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe
"C:\Users\Admin\AppData\Local\Temp\448a19d4eaa753aca293afde7a8acc8024f1dbbb51649f5e85589bb72749c6d7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:1592

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:1996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/304-70-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/304-60-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/304-73-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/304-72-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/304-64-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/304-59-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/304-71-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/304-62-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/304-68-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/304-65-0x00000000004B5590-mapping.dmp

Download
memory/304-66-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1592-57-0x0000000000000000-mapping.dmp

Download
memory/1972-54-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1972-55-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/1972-56-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/1996-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads