darkcomet | 4643fd8421eeea214ea49a05937858d1fda72b9b4141861ab1dd52e83949601b

General

Target

261ad28bb11516f6557316778cbbf8bd.exe
Size

1.4MB
MD5

261ad28bb11516f6557316778cbbf8bd
SHA1

6bf3b451ecb45d758706c1c67a4c9f256f1dee29
SHA256

4643fd8421eeea214ea49a05937858d1fda72b9b4141861ab1dd52e83949601b
SHA512

ddba725d9b3dbcbbf9849eeeabaa516542c0a69fe1bed51fc6708244f93e0c2ec69996780a8a77a9ed5a45aa4b693b52c1f40cade3539b2e0d38d64368897d81
SSDEEP

24576:8thUkbMvMKfXX8mG4M5zvl611+Cq9n9tW00iqbXT3PLleQ8i5fDB0AX/aOugguqe:8Qkb2MY3lMw1+CQ9Oi0XTfLlsiF5Cm

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	261ad28bb11516f6557316778cbbf8bd.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	261ad28bb11516f6557316778cbbf8bd.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Wine	261ad28bb11516f6557316778cbbf8bd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1036 set thread context of 5116	1036	261ad28bb11516f6557316778cbbf8bd.exe	37

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeSecurityPrivilege	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeTakeOwnershipPrivilege	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeLoadDriverPrivilege	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeSystemProfilePrivilege	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeSystemtimePrivilege	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeProfSingleProcessPrivilege	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeIncBasePriorityPrivilege	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeCreatePagefilePrivilege	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeBackupPrivilege	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeRestorePrivilege	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeShutdownPrivilege	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeDebugPrivilege	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeSystemEnvironmentPrivilege	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeChangeNotifyPrivilege	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeRemoteShutdownPrivilege	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeUndockPrivilege	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeManageVolumePrivilege	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeImpersonatePrivilege	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: SeCreateGlobalPrivilege	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: 33	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: 34	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: 35	5116	261ad28bb11516f6557316778cbbf8bd.exe
Token: 36	5116	261ad28bb11516f6557316778cbbf8bd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1036	261ad28bb11516f6557316778cbbf8bd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 5116	1036	261ad28bb11516f6557316778cbbf8bd.exe	37
PID 1036 wrote to memory of 5116	1036	261ad28bb11516f6557316778cbbf8bd.exe	37
PID 1036 wrote to memory of 5116	1036	261ad28bb11516f6557316778cbbf8bd.exe	37
PID 1036 wrote to memory of 5116	1036	261ad28bb11516f6557316778cbbf8bd.exe	37
PID 1036 wrote to memory of 5116	1036	261ad28bb11516f6557316778cbbf8bd.exe	37
PID 1036 wrote to memory of 5116	1036	261ad28bb11516f6557316778cbbf8bd.exe	37
PID 1036 wrote to memory of 5116	1036	261ad28bb11516f6557316778cbbf8bd.exe	37
PID 1036 wrote to memory of 5116	1036	261ad28bb11516f6557316778cbbf8bd.exe	37
PID 1036 wrote to memory of 5116	1036	261ad28bb11516f6557316778cbbf8bd.exe	37
PID 1036 wrote to memory of 5116	1036	261ad28bb11516f6557316778cbbf8bd.exe	37
PID 1036 wrote to memory of 5116	1036	261ad28bb11516f6557316778cbbf8bd.exe	37
PID 1036 wrote to memory of 5116	1036	261ad28bb11516f6557316778cbbf8bd.exe	37
PID 1036 wrote to memory of 5116	1036	261ad28bb11516f6557316778cbbf8bd.exe	37
PID 1036 wrote to memory of 5116	1036	261ad28bb11516f6557316778cbbf8bd.exe	37

C:\Users\Admin\AppData\Local\Temp\261ad28bb11516f6557316778cbbf8bd.exe
"C:\Users\Admin\AppData\Local\Temp\261ad28bb11516f6557316778cbbf8bd.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Users\Admin\AppData\Local\Temp\261ad28bb11516f6557316778cbbf8bd.exe
  "C:\Users\Admin\AppData\Local\Temp\261ad28bb11516f6557316778cbbf8bd.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1036-15-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/1036-5-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/1036-6-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1036-8-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1036-9-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/1036-12-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/1036-16-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/1036-20-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/1036-22-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/1036-11-0x0000000002840000-0x0000000002842000-memory.dmp

Filesize
8KB

Download
memory/1036-13-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1036-4-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1036-7-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/1036-19-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/1036-18-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/1036-10-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1036-1-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/1036-0-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/5116-14-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/5116-25-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/5116-17-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/5116-21-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/5116-23-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/5116-24-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/5116-26-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/5116-28-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/5116-27-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/5116-29-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/5116-31-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/5116-32-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/5116-33-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/5116-39-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/5116-40-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/5116-41-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads