darkcomet | 6dbc41a48a41c991800d78eb2bd7231512830620880febda4a17e75c4f438a56

General

Target

c52d6bfcb18b48ce0976886fc1c60967.exe
Size

930KB
MD5

c52d6bfcb18b48ce0976886fc1c60967
SHA1

da6575713f50dae6e3ea4fac5aaf0d983c351171
SHA256

6dbc41a48a41c991800d78eb2bd7231512830620880febda4a17e75c4f438a56
SHA512

dc764e1d42bf9a74b5ac14be8ba01c1dfcf013456b2d403bf0e3616a440a5f124fde0909f207eeb02de3ebdad5e65425fb7f86ac204c6e3090ceb8973a19e0e0
SSDEEP

24576:KZ1xuVVjfFoynPaVBUR8f+kN10EBxYAGrW:aQDgok30bAz

Score

10^/10

darkcomet guest16 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

jesusiscool.no-ip.biz:1604

Mutex

DC_MUTEX-2MFKDUD

Attributes

gencode
hR4kwDNMtXyi
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

BIT.EXE

pid process

2824 BIT.EXE
Loads dropped DLL 2 IoCs

Processes:

c52d6bfcb18b48ce0976886fc1c60967.exe

pid process

2940 c52d6bfcb18b48ce0976886fc1c60967.exe
2940 c52d6bfcb18b48ce0976886fc1c60967.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2824	BIT.EXE

pid	process
2940	c52d6bfcb18b48ce0976886fc1c60967.exe
2940	c52d6bfcb18b48ce0976886fc1c60967.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

c52d6bfcb18b48ce0976886fc1c60967.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeSecurityPrivilege	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeTakeOwnershipPrivilege	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeLoadDriverPrivilege	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeSystemProfilePrivilege	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeSystemtimePrivilege	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeProfSingleProcessPrivilege	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeIncBasePriorityPrivilege	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeCreatePagefilePrivilege	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeBackupPrivilege	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeRestorePrivilege	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeShutdownPrivilege	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeDebugPrivilege	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeSystemEnvironmentPrivilege	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeChangeNotifyPrivilege	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeRemoteShutdownPrivilege	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeUndockPrivilege	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeManageVolumePrivilege	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeImpersonatePrivilege	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: SeCreateGlobalPrivilege	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: 33	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: 34	2940	c52d6bfcb18b48ce0976886fc1c60967.exe
Token: 35	2940	c52d6bfcb18b48ce0976886fc1c60967.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

c52d6bfcb18b48ce0976886fc1c60967.exejavaw.exe

pid process

2940 c52d6bfcb18b48ce0976886fc1c60967.exe
2288 javaw.exe
2288 javaw.exe

pid	process
2940	c52d6bfcb18b48ce0976886fc1c60967.exe
2288	javaw.exe
2288	javaw.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c52d6bfcb18b48ce0976886fc1c60967.exeBIT.EXE

description	pid	process	target process
PID 2940 wrote to memory of 2824	2940	c52d6bfcb18b48ce0976886fc1c60967.exe	BIT.EXE
PID 2940 wrote to memory of 2824	2940	c52d6bfcb18b48ce0976886fc1c60967.exe	BIT.EXE
PID 2940 wrote to memory of 2824	2940	c52d6bfcb18b48ce0976886fc1c60967.exe	BIT.EXE
PID 2940 wrote to memory of 2824	2940	c52d6bfcb18b48ce0976886fc1c60967.exe	BIT.EXE
PID 2824 wrote to memory of 2288	2824	BIT.EXE	javaw.exe
PID 2824 wrote to memory of 2288	2824	BIT.EXE	javaw.exe
PID 2824 wrote to memory of 2288	2824	BIT.EXE	javaw.exe
PID 2824 wrote to memory of 2288	2824	BIT.EXE	javaw.exe

C:\Users\Admin\AppData\Local\Temp\c52d6bfcb18b48ce0976886fc1c60967.exe
"C:\Users\Admin\AppData\Local\Temp\c52d6bfcb18b48ce0976886fc1c60967.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2940

C:\Users\Admin\AppData\Local\Temp\BIT.EXE
"C:\Users\Admin\AppData\Local\Temp\BIT.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -Xms512m -Xmx1024m -jar "C:\Users\Admin\AppData\Local\Temp\BIT.EXE"
3⤵
- Suspicious use of SetWindowsHookEx
PID:2288

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\BIT.EXE
Filesize
272KB

MD5
f3af9e6be544b4a28b2abff08292cde6

SHA1
ce72c12d42135bf9951570f54f8c97d2cd9ea297

SHA256
96ff47ed3a6ee136f5ba1e14ae20f1cc95c20747db444e4b6ed66ef3fe7d7679

SHA512
d84aea057738519472cec5128e1efb32cf18f49ba18942ac46ceecf62ce86a803f95151bc3f9e9860484a27beeaf08c076a6838c2279af40cd1307a93c7be85b

Download Submit
memory/2288-28-0x0000000001DD0000-0x0000000001DDA000-memory.dmp

Filesize
40KB

Download
memory/2288-78-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2288-19-0x0000000002230000-0x0000000005230000-memory.dmp

Filesize
48.0MB

Download
memory/2288-87-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2288-23-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2288-27-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2288-53-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2288-54-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2288-29-0x0000000001DD0000-0x0000000001DDA000-memory.dmp

Filesize
40KB

Download
memory/2288-68-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2288-36-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2288-40-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2288-48-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2288-58-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2824-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2940-49-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2940-59-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2940-0-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2940-61-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2940-63-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2940-65-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2940-69-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2940-34-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2940-70-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2940-76-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2940-33-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2940-81-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2940-84-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2940-24-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2940-91-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download

Analysis

Sharing