darkcomet | 29095ef51d00239aa057d49ff225d51ec328062876cced826014ad6323d0f4b8

General

Target

tmp.exe
Size

831KB
MD5

170cc2d01a0099857621c8109950b0be
SHA1

48bae0b0edb0599f4a27b3a47c94cefa01334193
SHA256

29095ef51d00239aa057d49ff225d51ec328062876cced826014ad6323d0f4b8
SHA512

0b5a0ac0e19a4680ad0dd98d9a9aa27225d34fc98a4c972316a8f43ad068bc8692d5d6b1f1d6be2dff34807a4c3853088fbdb2504798c5e6e4d6d883dffda2dd
SSDEEP

24576:ZZ1xuVVjfFoynPaVBUR8f+kN10EB5J+C4xSKl:DQDgok30S54D

Score

10^/10

darkcomet ±ö¿í16 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

±ö¿Í16

C2

107.151.201.137:1604

107.151.201.137:2331

Mutex

DC_MUTEX-5JH1AAN

Attributes

gencode
59l922lsejvY
install
false
offline_keylogger
true
password
43994399
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dviD323.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\dviD323.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\dviD323.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\dviD323.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\dviD323.tmp	acprotect

Loads dropped DLL 4 IoCs

Processes:

tmp.exenotepad.exe

pid process

3276 tmp.exe
3276 tmp.exe
3848 notepad.exe
3848 notepad.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3276	tmp.exe
3276	tmp.exe
3848	notepad.exe
3848	notepad.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

tmp.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3276	tmp.exe
Token: SeSecurityPrivilege	3276	tmp.exe
Token: SeTakeOwnershipPrivilege	3276	tmp.exe
Token: SeLoadDriverPrivilege	3276	tmp.exe
Token: SeSystemProfilePrivilege	3276	tmp.exe
Token: SeSystemtimePrivilege	3276	tmp.exe
Token: SeProfSingleProcessPrivilege	3276	tmp.exe
Token: SeIncBasePriorityPrivilege	3276	tmp.exe
Token: SeCreatePagefilePrivilege	3276	tmp.exe
Token: SeBackupPrivilege	3276	tmp.exe
Token: SeRestorePrivilege	3276	tmp.exe
Token: SeShutdownPrivilege	3276	tmp.exe
Token: SeDebugPrivilege	3276	tmp.exe
Token: SeSystemEnvironmentPrivilege	3276	tmp.exe
Token: SeChangeNotifyPrivilege	3276	tmp.exe
Token: SeRemoteShutdownPrivilege	3276	tmp.exe
Token: SeUndockPrivilege	3276	tmp.exe
Token: SeManageVolumePrivilege	3276	tmp.exe
Token: SeImpersonatePrivilege	3276	tmp.exe
Token: SeCreateGlobalPrivilege	3276	tmp.exe
Token: 33	3276	tmp.exe
Token: 34	3276	tmp.exe
Token: 35	3276	tmp.exe
Token: 36	3276	tmp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

tmp.exe

pid process

3276 tmp.exe
3276 tmp.exe

pid	process
3276	tmp.exe
3276	tmp.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe
PID 3276 wrote to memory of 3848	3276	tmp.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
- Loads dropped DLL
PID:3848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dviD323.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dviD323.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dviD323.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dviD323.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dviD323.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/3276-140-0x0000000002210000-0x0000000002283000-memory.dmp

Filesize
460KB

Download
memory/3276-141-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3276-133-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3276-147-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3276-148-0x0000000002210000-0x0000000002283000-memory.dmp

Filesize
460KB

Download
memory/3848-142-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3848-146-0x0000000000EE0000-0x0000000000F53000-memory.dmp

Filesize
460KB

Download
memory/3848-185-0x0000000000EE0000-0x0000000000F53000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads