Analysis
max time kernel: 207s
max time network: 218s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-12-2023 13:43
Behavioral task: behavioral1
Sample: 387ca2bd5b2504b0715aa8dce5119c61.exe
Resource: win7-20231129-en
Platform: windows7-x64
Signatures: 5
Duration: 150 seconds
General
Target: 387ca2bd5b2504b0715aa8dce5119c61.exe
Size: 646KB
MD5: 387ca2bd5b2504b0715aa8dce5119c61
SHA1: 75a5136cd45472d67b24b7181469629ffb1114eb
SHA256: 9ca28c0595840badf0a13f573372e23594a5dc4ee67b6b82118f4a156dda4ecf
SHA512: 40104190ab2d28e6c8fea5137de353086bb1f10361d6253609ab4908be2f89ffaac2aa414fbb2ef2435f8baae08d236528bf35db9a9ca729ad3ec31543f9e4a3
SSDEEP: 12288:w8UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1f/gORixl:pUKoN0bUxgGa/pfBHDb+y1HgZ3
Malware Config
Signatures

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1628 set thread context of 4832 | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe | 90

Suspicious use of AdjustPrivilegeToken (48 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: SeSecurityPrivilege | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: SeTakeOwnershipPrivilege | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: SeLoadDriverPrivilege | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: SeSystemProfilePrivilege | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: SeSystemtimePrivilege | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: SeProfSingleProcessPrivilege | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: SeIncBasePriorityPrivilege | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: SeCreatePagefilePrivilege | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: SeBackupPrivilege | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: SeRestorePrivilege | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: SeShutdownPrivilege | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: SeDebugPrivilege | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: SeSystemEnvironmentPrivilege | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: SeChangeNotifyPrivilege | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: SeRemoteShutdownPrivilege | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: SeUndockPrivilege | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: SeManageVolumePrivilege | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: SeImpersonatePrivilege | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: SeCreateGlobalPrivilege | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: 33 | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: 34 | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: 35 | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: 36 | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe
Token: SeIncreaseQuotaPrivilege | 4832 | iexplore.exe
Token: SeSecurityPrivilege | 4832 | iexplore.exe
Token: SeTakeOwnershipPrivilege | 4832 | iexplore.exe
Token: SeLoadDriverPrivilege | 4832 | iexplore.exe
Token: SeSystemProfilePrivilege | 4832 | iexplore.exe
Token: SeSystemtimePrivilege | 4832 | iexplore.exe
Token: SeProfSingleProcessPrivilege | 4832 | iexplore.exe
Token: SeIncBasePriorityPrivilege | 4832 | iexplore.exe
Token: SeCreatePagefilePrivilege | 4832 | iexplore.exe
Token: SeBackupPrivilege | 4832 | iexplore.exe
Token: SeRestorePrivilege | 4832 | iexplore.exe
Token: SeShutdownPrivilege | 4832 | iexplore.exe
Token: SeDebugPrivilege | 4832 | iexplore.exe
Token: SeSystemEnvironmentPrivilege | 4832 | iexplore.exe
Token: SeChangeNotifyPrivilege | 4832 | iexplore.exe
Token: SeRemoteShutdownPrivilege | 4832 | iexplore.exe
Token: SeUndockPrivilege | 4832 | iexplore.exe
Token: SeManageVolumePrivilege | 4832 | iexplore.exe
Token: SeImpersonatePrivilege | 4832 | iexplore.exe
Token: SeCreateGlobalPrivilege | 4832 | iexplore.exe
Token: 33 | 4832 | iexplore.exe
Token: 34 | 4832 | iexplore.exe
Token: 35 | 4832 | iexplore.exe
Token: 36 | 4832 | iexplore.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
4832 | iexplore.exe

Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | Process | procid_target
PID 1628 wrote to memory of 4832 | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe | 90
PID 1628 wrote to memory of 4832 | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe | 90
PID 1628 wrote to memory of 4832 | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe | 90
PID 1628 wrote to memory of 4832 | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe | 90
PID 1628 wrote to memory of 4832 | 1628 | 387ca2bd5b2504b0715aa8dce5119c61.exe | 90
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\387ca2bd5b2504b0715aa8dce5119c61.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\387ca2bd5b2504b0715aa8dce5119c61.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1628

Level 2: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 4832