darkcomet | 3d1795472ee03c13edec697f27b8dc5d68debc1e54233051fa26bd113d92b1f1

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 22:01 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c8ee98a43d1c26907a933036d28fd4c.exe
Size

912KB
MD5

4c8ee98a43d1c26907a933036d28fd4c
SHA1

d9ab020877222765abf9d3ba764fd407734157b1
SHA256

3d1795472ee03c13edec697f27b8dc5d68debc1e54233051fa26bd113d92b1f1
SHA512

ae7e631558c7022575650fe0b1e8fbc10437d2406d398493114284b33758345e956bd70452ede35f0f9d0f61299d4eb799bd49d57a370c640b73329d4a2349f0
SSDEEP

12288:48UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1f/g3KlKebJS6+0mP:RUKoN0bUxgGa/pfBHDb+y1Hg3hF6W

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2516 set thread context of 1704	2516	4c8ee98a43d1c26907a933036d28fd4c.exe	28

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: SeSecurityPrivilege	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: SeTakeOwnershipPrivilege	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: SeLoadDriverPrivilege	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: SeSystemProfilePrivilege	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: SeSystemtimePrivilege	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: SeProfSingleProcessPrivilege	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: SeIncBasePriorityPrivilege	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: SeCreatePagefilePrivilege	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: SeBackupPrivilege	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: SeRestorePrivilege	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: SeShutdownPrivilege	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: SeDebugPrivilege	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: SeSystemEnvironmentPrivilege	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: SeChangeNotifyPrivilege	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: SeRemoteShutdownPrivilege	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: SeUndockPrivilege	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: SeManageVolumePrivilege	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: SeImpersonatePrivilege	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: SeCreateGlobalPrivilege	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: 33	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: 34	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: 35	2516	4c8ee98a43d1c26907a933036d28fd4c.exe
Token: SeIncreaseQuotaPrivilege	1704	iexplore.exe
Token: SeSecurityPrivilege	1704	iexplore.exe
Token: SeTakeOwnershipPrivilege	1704	iexplore.exe
Token: SeLoadDriverPrivilege	1704	iexplore.exe
Token: SeSystemProfilePrivilege	1704	iexplore.exe
Token: SeSystemtimePrivilege	1704	iexplore.exe
Token: SeProfSingleProcessPrivilege	1704	iexplore.exe
Token: SeIncBasePriorityPrivilege	1704	iexplore.exe
Token: SeCreatePagefilePrivilege	1704	iexplore.exe
Token: SeBackupPrivilege	1704	iexplore.exe
Token: SeRestorePrivilege	1704	iexplore.exe
Token: SeShutdownPrivilege	1704	iexplore.exe
Token: SeDebugPrivilege	1704	iexplore.exe
Token: SeSystemEnvironmentPrivilege	1704	iexplore.exe
Token: SeChangeNotifyPrivilege	1704	iexplore.exe
Token: SeRemoteShutdownPrivilege	1704	iexplore.exe
Token: SeUndockPrivilege	1704	iexplore.exe
Token: SeManageVolumePrivilege	1704	iexplore.exe
Token: SeImpersonatePrivilege	1704	iexplore.exe
Token: SeCreateGlobalPrivilege	1704	iexplore.exe
Token: 33	1704	iexplore.exe
Token: 34	1704	iexplore.exe
Token: 35	1704	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1704	iexplore.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 1704	2516	4c8ee98a43d1c26907a933036d28fd4c.exe	28
PID 2516 wrote to memory of 1704	2516	4c8ee98a43d1c26907a933036d28fd4c.exe	28
PID 2516 wrote to memory of 1704	2516	4c8ee98a43d1c26907a933036d28fd4c.exe	28
PID 2516 wrote to memory of 1704	2516	4c8ee98a43d1c26907a933036d28fd4c.exe	28
PID 2516 wrote to memory of 1704	2516	4c8ee98a43d1c26907a933036d28fd4c.exe	28
PID 2516 wrote to memory of 1704	2516	4c8ee98a43d1c26907a933036d28fd4c.exe	28

C:\Users\Admin\AppData\Local\Temp\4c8ee98a43d1c26907a933036d28fd4c.exe
"C:\Users\Admin\AppData\Local\Temp\4c8ee98a43d1c26907a933036d28fd4c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1704

Network

DNS

sajoode.no-ip.biz

iexplore.exe

Remote address:

8.8.8.8:53

Request

sajoode.no-ip.biz

IN A

Response

No results found

8.8.8.8:53

sajoode.no-ip.biz

dns

iexplore.exe

63 B
123 B
1
1

DNS Request

sajoode.no-ip.biz

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1704-2-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2516-0-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2516-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2516-3-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download