darkcomet | 4643fd8421eeea214ea49a05937858d1fda72b9b4141861ab1dd52e83949601b

General

Target

261ad28bb11516f6557316778cbbf8bd.exe
Size

1.4MB
MD5

261ad28bb11516f6557316778cbbf8bd
SHA1

6bf3b451ecb45d758706c1c67a4c9f256f1dee29
SHA256

4643fd8421eeea214ea49a05937858d1fda72b9b4141861ab1dd52e83949601b
SHA512

ddba725d9b3dbcbbf9849eeeabaa516542c0a69fe1bed51fc6708244f93e0c2ec69996780a8a77a9ed5a45aa4b693b52c1f40cade3539b2e0d38d64368897d81
SSDEEP

24576:8thUkbMvMKfXX8mG4M5zvl611+Cq9n9tW00iqbXT3PLleQ8i5fDB0AX/aOugguqe:8Qkb2MY3lMw1+CQ9Oi0XTfLlsiF5Cm

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	261ad28bb11516f6557316778cbbf8bd.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	261ad28bb11516f6557316778cbbf8bd.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	261ad28bb11516f6557316778cbbf8bd.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	261ad28bb11516f6557316778cbbf8bd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1380 set thread context of 2088	1380	261ad28bb11516f6557316778cbbf8bd.exe	28

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeSecurityPrivilege	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeTakeOwnershipPrivilege	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeLoadDriverPrivilege	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeSystemProfilePrivilege	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeSystemtimePrivilege	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeProfSingleProcessPrivilege	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeIncBasePriorityPrivilege	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeCreatePagefilePrivilege	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeBackupPrivilege	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeRestorePrivilege	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeShutdownPrivilege	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeDebugPrivilege	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeSystemEnvironmentPrivilege	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeChangeNotifyPrivilege	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeRemoteShutdownPrivilege	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeUndockPrivilege	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeManageVolumePrivilege	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeImpersonatePrivilege	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeCreateGlobalPrivilege	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: 33	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: 34	2088	261ad28bb11516f6557316778cbbf8bd.exe
Token: 35	2088	261ad28bb11516f6557316778cbbf8bd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1380	261ad28bb11516f6557316778cbbf8bd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 2088	1380	261ad28bb11516f6557316778cbbf8bd.exe	28
PID 1380 wrote to memory of 2088	1380	261ad28bb11516f6557316778cbbf8bd.exe	28
PID 1380 wrote to memory of 2088	1380	261ad28bb11516f6557316778cbbf8bd.exe	28
PID 1380 wrote to memory of 2088	1380	261ad28bb11516f6557316778cbbf8bd.exe	28
PID 1380 wrote to memory of 2088	1380	261ad28bb11516f6557316778cbbf8bd.exe	28
PID 1380 wrote to memory of 2088	1380	261ad28bb11516f6557316778cbbf8bd.exe	28
PID 1380 wrote to memory of 2088	1380	261ad28bb11516f6557316778cbbf8bd.exe	28
PID 1380 wrote to memory of 2088	1380	261ad28bb11516f6557316778cbbf8bd.exe	28
PID 1380 wrote to memory of 2088	1380	261ad28bb11516f6557316778cbbf8bd.exe	28
PID 1380 wrote to memory of 2088	1380	261ad28bb11516f6557316778cbbf8bd.exe	28
PID 1380 wrote to memory of 2088	1380	261ad28bb11516f6557316778cbbf8bd.exe	28
PID 1380 wrote to memory of 2088	1380	261ad28bb11516f6557316778cbbf8bd.exe	28
PID 1380 wrote to memory of 2088	1380	261ad28bb11516f6557316778cbbf8bd.exe	28
PID 1380 wrote to memory of 2088	1380	261ad28bb11516f6557316778cbbf8bd.exe	28
PID 1380 wrote to memory of 2088	1380	261ad28bb11516f6557316778cbbf8bd.exe	28

C:\Users\Admin\AppData\Local\Temp\261ad28bb11516f6557316778cbbf8bd.exe
"C:\Users\Admin\AppData\Local\Temp\261ad28bb11516f6557316778cbbf8bd.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\261ad28bb11516f6557316778cbbf8bd.exe
  "C:\Users\Admin\AppData\Local\Temp\261ad28bb11516f6557316778cbbf8bd.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1380-14-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/1380-21-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/1380-4-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1380-5-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/1380-6-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1380-8-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/1380-7-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/1380-9-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1380-10-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/1380-11-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/1380-12-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/1380-17-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1380-2-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/1380-15-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/1380-13-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1380-16-0x0000000001E60000-0x0000000001E61000-memory.dmp

Filesize
4KB

Download
memory/1380-19-0x0000000002D80000-0x0000000002F38000-memory.dmp

Filesize
1.7MB

Download
memory/1380-0-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/2088-18-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2088-20-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2088-22-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2088-23-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2088-24-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2088-25-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2088-26-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2088-28-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2088-29-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads