darkcomet | 29095ef51d00239aa057d49ff225d51ec328062876cced826014ad6323d0f4b8

Analysis

max time kernel
142s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13-03-2023 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

831KB
MD5

170cc2d01a0099857621c8109950b0be
SHA1

48bae0b0edb0599f4a27b3a47c94cefa01334193
SHA256

29095ef51d00239aa057d49ff225d51ec328062876cced826014ad6323d0f4b8
SHA512

0b5a0ac0e19a4680ad0dd98d9a9aa27225d34fc98a4c972316a8f43ad068bc8692d5d6b1f1d6be2dff34807a4c3853088fbdb2504798c5e6e4d6d883dffda2dd
SSDEEP

24576:ZZ1xuVVjfFoynPaVBUR8f+kN10EB5J+C4xSKl:DQDgok30S54D

Score

10^/10

darkcomet ±ö¿í16 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

±ö¿Í16

107.151.201.137:1604

107.151.201.137:2331

Mutex

DC_MUTEX-5JH1AAN

Attributes

gencode
59l922lsejvY
install
false
offline_keylogger
true
password
43994399
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\dgk4220.tmp	acprotect
\Users\Admin\AppData\Local\Temp\dgk4220.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\dgk4220.tmp	acprotect

Loads dropped DLL 2 IoCs

Processes:

tmp.exenotepad.exe

pid process

1556 tmp.exe
1500 notepad.exe

pid	process
1556	tmp.exe
1500	notepad.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

tmp.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1556	tmp.exe
Token: SeSecurityPrivilege	1556	tmp.exe
Token: SeTakeOwnershipPrivilege	1556	tmp.exe
Token: SeLoadDriverPrivilege	1556	tmp.exe
Token: SeSystemProfilePrivilege	1556	tmp.exe
Token: SeSystemtimePrivilege	1556	tmp.exe
Token: SeProfSingleProcessPrivilege	1556	tmp.exe
Token: SeIncBasePriorityPrivilege	1556	tmp.exe
Token: SeCreatePagefilePrivilege	1556	tmp.exe
Token: SeBackupPrivilege	1556	tmp.exe
Token: SeRestorePrivilege	1556	tmp.exe
Token: SeShutdownPrivilege	1556	tmp.exe
Token: SeDebugPrivilege	1556	tmp.exe
Token: SeSystemEnvironmentPrivilege	1556	tmp.exe
Token: SeChangeNotifyPrivilege	1556	tmp.exe
Token: SeRemoteShutdownPrivilege	1556	tmp.exe
Token: SeUndockPrivilege	1556	tmp.exe
Token: SeManageVolumePrivilege	1556	tmp.exe
Token: SeImpersonatePrivilege	1556	tmp.exe
Token: SeCreateGlobalPrivilege	1556	tmp.exe
Token: 33	1556	tmp.exe
Token: 34	1556	tmp.exe
Token: 35	1556	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

tmp.exe

pid process

1556 tmp.exe

pid	process
1556	tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 1556 wrote to memory of 1500	1556	tmp.exe	notepad.exe
PID 1556 wrote to memory of 1500	1556	tmp.exe	notepad.exe
PID 1556 wrote to memory of 1500	1556	tmp.exe	notepad.exe
PID 1556 wrote to memory of 1500	1556	tmp.exe	notepad.exe
PID 1556 wrote to memory of 1500	1556	tmp.exe	notepad.exe
PID 1556 wrote to memory of 1500	1556	tmp.exe	notepad.exe
PID 1556 wrote to memory of 1500	1556	tmp.exe	notepad.exe
PID 1556 wrote to memory of 1500	1556	tmp.exe	notepad.exe
PID 1556 wrote to memory of 1500	1556	tmp.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
- Loads dropped DLL
PID:1500

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dgk4220.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\dgk4220.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\dgk4220.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/1500-57-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1500-68-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1556-65-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1556-66-0x0000000001D30000-0x0000000001DA3000-memory.dmp

Filesize
460KB

Download
memory/1556-67-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1556-97-0x0000000001D30000-0x0000000001DA3000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads