Analysis
  max time kernel:   137s
  max time network:  150s
  platform:          windows10-2004_x64
  resource:          win10v2004-20231222-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         13/01/2024, 22:05
Behavioral task: behavioral1
  Sample:    5986d57702bc2c6ffeef297b708c74d8.exe
  Resource:  win7-20231129-en
  5 signatures
  150 seconds
General
  Target:  5986d57702bc2c6ffeef297b708c74d8.exe
  Size:    722KB
  MD5:     5986d57702bc2c6ffeef297b708c74d8
  SHA1:    c2dabd2310f2b057b5b9cbb37ea0af10e13abbf9
  SHA256:  5ca54747c0b1ce3c39044d66853d0075ce97f5e8be2a330d6be4ebd7e35b5e81
  SHA512:  f948d51bb5f51db6276e2344622867b9a2a595fd38109b86da9ed525751cecec30c025fa3b7f7e1b9af79e97a369f4daf3bc4d6be3bc47aa7ceee7b88cfedb48
  SSDEEP:  12288:EFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0c/qd:U3nbWmJVJFwSddIXvfhqbiaxvRFqd
Malware Config
Signatures

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                               procid_target
  PID 1400 set thread context of 1776  1400  5986d57702bc2c6ffeef297b708c74d8.exe  23

Suspicious use of AdjustPrivilegeToken (48 IoCs)
  description                          pid   Process
  Token: SeIncreaseQuotaPrivilege      1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: SeSecurityPrivilege           1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: SeTakeOwnershipPrivilege      1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: SeLoadDriverPrivilege         1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: SeSystemProfilePrivilege      1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: SeSystemtimePrivilege         1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: SeProfSingleProcessPrivilege  1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: SeIncBasePriorityPrivilege    1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: SeCreatePagefilePrivilege     1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: SeBackupPrivilege             1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: SeRestorePrivilege            1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: SeShutdownPrivilege           1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: SeDebugPrivilege              1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: SeSystemEnvironmentPrivilege  1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: SeChangeNotifyPrivilege       1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: SeRemoteShutdownPrivilege     1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: SeUndockPrivilege             1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: SeManageVolumePrivilege       1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: SeImpersonatePrivilege        1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: SeCreateGlobalPrivilege       1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: 33                            1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: 34                            1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: 35                            1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: 36                            1400  5986d57702bc2c6ffeef297b708c74d8.exe
  Token: SeIncreaseQuotaPrivilege      1776  iexplore.exe
  Token: SeSecurityPrivilege           1776  iexplore.exe
  Token: SeTakeOwnershipPrivilege      1776  iexplore.exe
  Token: SeLoadDriverPrivilege         1776  iexplore.exe
  Token: SeSystemProfilePrivilege      1776  iexplore.exe
  Token: SeSystemtimePrivilege         1776  iexplore.exe
  Token: SeProfSingleProcessPrivilege  1776  iexplore.exe
  Token: SeIncBasePriorityPrivilege    1776  iexplore.exe
  Token: SeCreatePagefilePrivilege     1776  iexplore.exe
  Token: SeBackupPrivilege             1776  iexplore.exe
  Token: SeRestorePrivilege            1776  iexplore.exe
  Token: SeShutdownPrivilege           1776  iexplore.exe
  Token: SeDebugPrivilege              1776  iexplore.exe
  Token: SeSystemEnvironmentPrivilege  1776  iexplore.exe
  Token: SeChangeNotifyPrivilege       1776  iexplore.exe
  Token: SeRemoteShutdownPrivilege     1776  iexplore.exe
  Token: SeUndockPrivilege             1776  iexplore.exe
  Token: SeManageVolumePrivilege       1776  iexplore.exe
  Token: SeImpersonatePrivilege        1776  iexplore.exe
  Token: SeCreateGlobalPrivilege       1776  iexplore.exe
  Token: 33                            1776  iexplore.exe
  Token: 34                            1776  iexplore.exe
  Token: 35                            1776  iexplore.exe
  Token: 36                            1776  iexplore.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description                          pid   Process                               procid_target
  PID 1400 wrote to memory of 1776     1400  5986d57702bc2c6ffeef297b708c74d8.exe  23
  PID 1400 wrote to memory of 1776     1400  5986d57702bc2c6ffeef297b708c74d8.exe  23
  PID 1400 wrote to memory of 1776     1400  5986d57702bc2c6ffeef297b708c74d8.exe  23
  PID 1400 wrote to memory of 1776     1400  5986d57702bc2c6ffeef297b708c74d8.exe  23
  PID 1400 wrote to memory of 1776     1400  5986d57702bc2c6ffeef297b708c74d8.exe  23
Processes

  C:\Users\Admin\AppData\Local\Temp\5986d57702bc2c6ffeef297b708c74d8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5986d57702bc2c6ffeef297b708c74d8.exe"
    PID: 1400
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 1776
      - Suspicious use of AdjustPrivilegeToken