darkcomet | 51ec26d5e74978479605310e9d0d9ae95d8c757815a59414675c1abcfc402731

General

Target

405a7c8ce43495472b9cf657e5e9146d.exe
Size

723KB
MD5

405a7c8ce43495472b9cf657e5e9146d
SHA1

b5a8f51aa534d3810fe703484cc42abd207bebac
SHA256

51ec26d5e74978479605310e9d0d9ae95d8c757815a59414675c1abcfc402731
SHA512

b814debe07c1d6be624d3a46ee29b5cbcc169e18fc360a8b166167eac01c8c0ef83bc004bae04672f03b6a7701dee1f0aa7812ca2bb74117f6b7ce3f88cb6467
SSDEEP

12288:dQagJn/vJWZ0tDFgpM+UPneKm8/C6uwYtU7z3v+Om9MOsLY4Eda7:dSFvJWZuDSm+C2y/PYtF/MOAJZ

Score

10^/10

darkcomet guest16 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-U4NPZL2

Attributes

gencode
PrbNySYPHXfQ
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1792 set thread context of 2992	1792	405a7c8ce43495472b9cf657e5e9146d.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: SeSecurityPrivilege	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: SeTakeOwnershipPrivilege	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: SeLoadDriverPrivilege	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: SeSystemProfilePrivilege	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: SeSystemtimePrivilege	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: SeProfSingleProcessPrivilege	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: SeIncBasePriorityPrivilege	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: SeCreatePagefilePrivilege	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: SeBackupPrivilege	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: SeRestorePrivilege	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: SeShutdownPrivilege	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: SeDebugPrivilege	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: SeSystemEnvironmentPrivilege	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: SeChangeNotifyPrivilege	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: SeRemoteShutdownPrivilege	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: SeUndockPrivilege	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: SeManageVolumePrivilege	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: SeImpersonatePrivilege	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: SeCreateGlobalPrivilege	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: 33	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: 34	2992	405a7c8ce43495472b9cf657e5e9146d.exe
Token: 35	2992	405a7c8ce43495472b9cf657e5e9146d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1792	405a7c8ce43495472b9cf657e5e9146d.exe
2992	405a7c8ce43495472b9cf657e5e9146d.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2992	1792	405a7c8ce43495472b9cf657e5e9146d.exe	28
PID 1792 wrote to memory of 2992	1792	405a7c8ce43495472b9cf657e5e9146d.exe	28
PID 1792 wrote to memory of 2992	1792	405a7c8ce43495472b9cf657e5e9146d.exe	28
PID 1792 wrote to memory of 2992	1792	405a7c8ce43495472b9cf657e5e9146d.exe	28
PID 1792 wrote to memory of 2992	1792	405a7c8ce43495472b9cf657e5e9146d.exe	28
PID 1792 wrote to memory of 2992	1792	405a7c8ce43495472b9cf657e5e9146d.exe	28
PID 1792 wrote to memory of 2992	1792	405a7c8ce43495472b9cf657e5e9146d.exe	28
PID 1792 wrote to memory of 2992	1792	405a7c8ce43495472b9cf657e5e9146d.exe	28
PID 1792 wrote to memory of 2992	1792	405a7c8ce43495472b9cf657e5e9146d.exe	28
PID 1792 wrote to memory of 2992	1792	405a7c8ce43495472b9cf657e5e9146d.exe	28
PID 1792 wrote to memory of 2992	1792	405a7c8ce43495472b9cf657e5e9146d.exe	28
PID 1792 wrote to memory of 2992	1792	405a7c8ce43495472b9cf657e5e9146d.exe	28
PID 1792 wrote to memory of 2992	1792	405a7c8ce43495472b9cf657e5e9146d.exe	28
PID 1792 wrote to memory of 2992	1792	405a7c8ce43495472b9cf657e5e9146d.exe	28
PID 1792 wrote to memory of 2992	1792	405a7c8ce43495472b9cf657e5e9146d.exe	28

C:\Users\Admin\AppData\Local\Temp\405a7c8ce43495472b9cf657e5e9146d.exe
"C:\Users\Admin\AppData\Local\Temp\405a7c8ce43495472b9cf657e5e9146d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\405a7c8ce43495472b9cf657e5e9146d.exe
  "C:\Users\Admin\AppData\Local\Temp\405a7c8ce43495472b9cf657e5e9146d.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2992-2-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2992-3-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2992-6-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2992-5-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2992-4-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2992-7-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2992-8-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2992-9-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2992-11-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2992-18-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2992-19-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing