darkcomet | 4764430a1dcd759ca63408103232d28a82c2e1ae3c1cc29a536fecdee9171fb3

General

Target

53f9da2780b6f5a90cfa960a7ba80eef.exe
Size

1.3MB
MD5

53f9da2780b6f5a90cfa960a7ba80eef
SHA1

797377e262f78ebcbb50203a286fdcbc76b45e81
SHA256

4764430a1dcd759ca63408103232d28a82c2e1ae3c1cc29a536fecdee9171fb3
SHA512

bced0651108eecdad60f6b9291e065877f9b7b43ae5edbf659d6028c192de918f11e8d6019cc5e287f9036f33825c52f5b34fce58d4d76f02c834aa16dfdaa41
SSDEEP

24576:Vt3Neacap5W/4UHRY2FhJvQywVLjaGVOUN6nyhkHgKU6Y:VtUaAwls+9j4HgK

Score

10^/10

darkcomet slave evasion rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

slave

C2

ratting.no-ip.org:1605

Mutex

DC_MUTEX-Q21PSYS

Attributes

gencode
3xN2KEijP0Bj
install
false
offline_keylogger
true
password
darkcomet
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

3832 attrib.exe
4252 attrib.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4252 attrib.exe
3832 attrib.exe

pid	process
3832	attrib.exe
4252	attrib.exe

pid	process
4252	attrib.exe
3832	attrib.exe

C:\Users\Admin\AppData\Local\Temp\53f9da2780b6f5a90cfa960a7ba80eef.exe
"C:\Users\Admin\AppData\Local\Temp\53f9da2780b6f5a90cfa960a7ba80eef.exe"
1⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\Crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
2⤵
PID:5100

C:\Windows\SysWOW64\taskmgr.exe
taskmgr.exe
2⤵
PID:4372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
1⤵
PID:3236

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3832

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\Crypted.exe" +s +h
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\Crypted.exe" +s +h
1⤵
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypted.exe
Filesize
649KB

MD5
c0cebd70cd9ab9af0582764101331351

SHA1
2e1308817abe1151fd63622b2316491e4a25de8e

SHA256
84fd686a3ee7c0326ab6058bb49667c18250660a79c3f710730f8ef941028f92

SHA512
89bed80bedc435e7b7c7a25ab6c4d2dff81d18c1fe550bd9ce3f8b21d5441ca7e764b23108979f3cec0fe7528ce163d8c6aeab61719aba690b9630883af765d6

Download Submit
memory/1688-18-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/1688-1-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/1688-0-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/1688-35-0x0000000000E30000-0x0000000000E40000-memory.dmp

Filesize
64KB

Download
memory/1688-2-0x0000000000E30000-0x0000000000E40000-memory.dmp

Filesize
64KB

Download
memory/1688-16-0x0000000074950000-0x0000000074F01000-memory.dmp

Filesize
5.7MB

Download
memory/1688-19-0x0000000000E30000-0x0000000000E40000-memory.dmp

Filesize
64KB

Download
memory/4372-26-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/4372-21-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/4372-27-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/4372-32-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/4372-31-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/4372-30-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/4372-29-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/4372-28-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/4372-20-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/4372-22-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/5100-34-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/5100-38-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/5100-33-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/5100-17-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/5100-14-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/5100-36-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/5100-37-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/5100-15-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/5100-39-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/5100-41-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/5100-42-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/5100-43-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/5100-44-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/5100-45-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/5100-46-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing