darkcomet | 34a7e2ae2fcc13123fc013b7848c4832879cc4095dd1a9abd4b51e7e4181d97c

General

Target

5cc7988d8c232b5cf79f18a102783dc0_exe32.exe
Size

6.9MB
MD5

5cc7988d8c232b5cf79f18a102783dc0
SHA1

4885b54a9d4cb1ded609b2f08e7a04c93e515eba
SHA256

34a7e2ae2fcc13123fc013b7848c4832879cc4095dd1a9abd4b51e7e4181d97c
SHA512

667c13613502dcea3b1706b6cb06f5c91196bb830734bdce3f25628820e95f5424200dd47cf94938b6fca3c584b35ad27f391d7d23ac921ef388c60a692a7c65
SSDEEP

6144:6t2Ic0GfHIUWA0rJ5b7gvq5eyzaM+zN00qFTaUfwUY2z9GAR2OWq7me:6t24G8fQtk+B00ODfXZGGWwme

Score

10^/10

darkcomet guest16 rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

192.168.56.1:1604

Mutex

DC_MUTEX-AZQPD9H

Attributes

gencode
MRV9Pgf6cfGj
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 2 IoCs

pid	Process
2436	StubSoftware.exe
2604	aha.exe

Loads dropped DLL 2 IoCs

pid	Process
2436	StubSoftware.exe
2436	StubSoftware.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016c2b-15.dat	upx
behavioral1/files/0x0009000000016c2b-19.dat	upx
behavioral1/files/0x0009000000016c2b-17.dat	upx
behavioral1/memory/2604-25-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/files/0x0009000000016c2b-23.dat	upx
behavioral1/files/0x0009000000016c2b-29.dat	upx
behavioral1/memory/2604-30-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2604-34-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2604-36-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2724	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1188	5cc7988d8c232b5cf79f18a102783dc0_exe32.exe
Token: SeDebugPrivilege	2436	StubSoftware.exe
Token: SeIncreaseQuotaPrivilege	2604	aha.exe
Token: SeSecurityPrivilege	2604	aha.exe
Token: SeTakeOwnershipPrivilege	2604	aha.exe
Token: SeLoadDriverPrivilege	2604	aha.exe
Token: SeSystemProfilePrivilege	2604	aha.exe
Token: SeSystemtimePrivilege	2604	aha.exe
Token: SeProfSingleProcessPrivilege	2604	aha.exe
Token: SeIncBasePriorityPrivilege	2604	aha.exe
Token: SeCreatePagefilePrivilege	2604	aha.exe
Token: SeBackupPrivilege	2604	aha.exe
Token: SeRestorePrivilege	2604	aha.exe
Token: SeShutdownPrivilege	2604	aha.exe
Token: SeDebugPrivilege	2604	aha.exe
Token: SeSystemEnvironmentPrivilege	2604	aha.exe
Token: SeChangeNotifyPrivilege	2604	aha.exe
Token: SeRemoteShutdownPrivilege	2604	aha.exe
Token: SeUndockPrivilege	2604	aha.exe
Token: SeManageVolumePrivilege	2604	aha.exe
Token: SeImpersonatePrivilege	2604	aha.exe
Token: SeCreateGlobalPrivilege	2604	aha.exe
Token: 33	2604	aha.exe
Token: 34	2604	aha.exe
Token: 35	2604	aha.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2604	aha.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 2436	1188	5cc7988d8c232b5cf79f18a102783dc0_exe32.exe	28
PID 1188 wrote to memory of 2436	1188	5cc7988d8c232b5cf79f18a102783dc0_exe32.exe	28
PID 1188 wrote to memory of 2436	1188	5cc7988d8c232b5cf79f18a102783dc0_exe32.exe	28
PID 1188 wrote to memory of 2436	1188	5cc7988d8c232b5cf79f18a102783dc0_exe32.exe	28
PID 2436 wrote to memory of 2604	2436	StubSoftware.exe	29
PID 2436 wrote to memory of 2604	2436	StubSoftware.exe	29
PID 2436 wrote to memory of 2604	2436	StubSoftware.exe	29
PID 2436 wrote to memory of 2604	2436	StubSoftware.exe	29
PID 2436 wrote to memory of 2724	2436	StubSoftware.exe	30
PID 2436 wrote to memory of 2724	2436	StubSoftware.exe	30
PID 2436 wrote to memory of 2724	2436	StubSoftware.exe	30
PID 2436 wrote to memory of 2724	2436	StubSoftware.exe	30

C:\Users\Admin\AppData\Local\Temp\5cc7988d8c232b5cf79f18a102783dc0_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\5cc7988d8c232b5cf79f18a102783dc0_exe32.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\StubSoftware.exe
  "C:\Users\Admin\AppData\Local\Temp\StubSoftware.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\aha.exe
    "C:\Users\Admin\AppData\Local\Temp\aha.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2604
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\benikoy.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\StubSoftware.exe

Filesize
344KB

MD5
1eddb798932c03c648f979280f1eaef0

SHA1
33aa6a523e7dcf606904da08fa05be7a124d1b63

SHA256
e90a4265d7d5d8c487943578b6e3ee32cf24e0aad1c08e7a5493bc04f1fb45b0

SHA512
047e7115bc44b9b326b4f5aad88ab020025bfc5c13c937ba943fb166cb5c4fb544319787436d0df80a76616853b856fc1942a3dd96f94f32a2f447370d19e429

Download Submit
C:\Users\Admin\AppData\Local\Temp\StubSoftware.exe

Filesize
344KB

MD5
1eddb798932c03c648f979280f1eaef0

SHA1
33aa6a523e7dcf606904da08fa05be7a124d1b63

SHA256
e90a4265d7d5d8c487943578b6e3ee32cf24e0aad1c08e7a5493bc04f1fb45b0

SHA512
047e7115bc44b9b326b4f5aad88ab020025bfc5c13c937ba943fb166cb5c4fb544319787436d0df80a76616853b856fc1942a3dd96f94f32a2f447370d19e429

Download Submit
C:\Users\Admin\AppData\Local\Temp\aha.exe

Filesize
251KB

MD5
c2686a32d56b8cd68232cbcdcacb80dd

SHA1
075163408035986a03f81b0e355d39f2af516749

SHA256
4986b828079a0bda3cec1abecf91786d1b9c43ad8712c6784a517c10e6d5256a

SHA512
e1be8a7f99c6e745462e3e01d1e5a3dc8581c08fda58d37e620abfd1817812134d59d557ee5ec52cef34823135e29831d165bc6f40bf2a03bfa79cbf891a3b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\aha.exe

Filesize
251KB

MD5
c2686a32d56b8cd68232cbcdcacb80dd

SHA1
075163408035986a03f81b0e355d39f2af516749

SHA256
4986b828079a0bda3cec1abecf91786d1b9c43ad8712c6784a517c10e6d5256a

SHA512
e1be8a7f99c6e745462e3e01d1e5a3dc8581c08fda58d37e620abfd1817812134d59d557ee5ec52cef34823135e29831d165bc6f40bf2a03bfa79cbf891a3b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\aha.exe

Filesize
251KB

MD5
c2686a32d56b8cd68232cbcdcacb80dd

SHA1
075163408035986a03f81b0e355d39f2af516749

SHA256
4986b828079a0bda3cec1abecf91786d1b9c43ad8712c6784a517c10e6d5256a

SHA512
e1be8a7f99c6e745462e3e01d1e5a3dc8581c08fda58d37e620abfd1817812134d59d557ee5ec52cef34823135e29831d165bc6f40bf2a03bfa79cbf891a3b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\benikoy.txt

Filesize
41B

MD5
fd7e8e2625a01067bda87e6d8ca5925a

SHA1
9758ba9764e2f2383a5a5d83eae5e7c56ac6d14d

SHA256
74169b65c8bcb49612b2473f1be2547ac7b6e6e4cd515850f3010a191a96e466

SHA512
40edde31b10e33d41c035998d4169eedbbc1711fca6a5a30a9676ddb756fce5ced7879ee3e91dd0d27c38402d45d8777199d1b8a8495c969d1af9277bc97a0f3

Download Submit
\Users\Admin\AppData\Local\Temp\aha.exe

Filesize
251KB

MD5
c2686a32d56b8cd68232cbcdcacb80dd

SHA1
075163408035986a03f81b0e355d39f2af516749

SHA256
4986b828079a0bda3cec1abecf91786d1b9c43ad8712c6784a517c10e6d5256a

SHA512
e1be8a7f99c6e745462e3e01d1e5a3dc8581c08fda58d37e620abfd1817812134d59d557ee5ec52cef34823135e29831d165bc6f40bf2a03bfa79cbf891a3b77

Download Submit
\Users\Admin\AppData\Local\Temp\aha.exe

Filesize
251KB

MD5
c2686a32d56b8cd68232cbcdcacb80dd

SHA1
075163408035986a03f81b0e355d39f2af516749

SHA256
4986b828079a0bda3cec1abecf91786d1b9c43ad8712c6784a517c10e6d5256a

SHA512
e1be8a7f99c6e745462e3e01d1e5a3dc8581c08fda58d37e620abfd1817812134d59d557ee5ec52cef34823135e29831d165bc6f40bf2a03bfa79cbf891a3b77

Download Submit
memory/1188-1-0x0000000000B10000-0x0000000000B6E000-memory.dmp

Filesize
376KB

Download
memory/1188-2-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/1188-9-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/1188-0-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/2436-10-0x00000000012C0000-0x00000000012C8000-memory.dmp

Filesize
32KB

Download
memory/2436-24-0x0000000005400000-0x00000000054B7000-memory.dmp

Filesize
732KB

Download
memory/2436-22-0x0000000005400000-0x00000000054B7000-memory.dmp

Filesize
732KB

Download
memory/2436-26-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download
memory/2436-12-0x0000000000DB0000-0x0000000000DF0000-memory.dmp

Filesize
256KB

Download
memory/2436-11-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download
memory/2604-25-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2604-27-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2604-30-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2604-32-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2604-34-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2604-36-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing