darkcomet | 56ed81c9241e4d5f5aeff9f755dcd7fea618b64f24463f61836609a6f26eb04c

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
13-03-2024 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c64c953eb21641cb9688d357578e08e3.exe
Size

660KB
MD5

c64c953eb21641cb9688d357578e08e3
SHA1

3fbb9e6a87dd1c939a34cd70275ded8ca0d38111
SHA256

56ed81c9241e4d5f5aeff9f755dcd7fea618b64f24463f61836609a6f26eb04c
SHA512

492b1f3fd9ea4e542f9ae73da2b5280ac286895d24b7cb872a30a40bc1f5eff61946a36aff45e2666b49571bd9a41ce6e17797659fc38cbb1ab2aa2d0fe70d30
SSDEEP

12288:gXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452UQ:mnAw2WWeFcfbP9VPSPMTSPL/rWvzq4Jg

Score

10^/10

darkcomet guest16 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

127.0.0.1:1604

Mutex

DC_MUTEX-F54S21D

Attributes

gencode
U3duTmZ5pURh
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Drops file in Drivers directory 1 IoCs

Processes:

c64c953eb21641cb9688d357578e08e3.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts c64c953eb21641cb9688d357578e08e3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	c64c953eb21641cb9688d357578e08e3.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

c64c953eb21641cb9688d357578e08e3.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: SeSecurityPrivilege	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: SeTakeOwnershipPrivilege	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: SeLoadDriverPrivilege	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: SeSystemProfilePrivilege	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: SeSystemtimePrivilege	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: SeProfSingleProcessPrivilege	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: SeIncBasePriorityPrivilege	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: SeCreatePagefilePrivilege	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: SeBackupPrivilege	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: SeRestorePrivilege	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: SeShutdownPrivilege	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: SeDebugPrivilege	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: SeSystemEnvironmentPrivilege	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: SeChangeNotifyPrivilege	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: SeRemoteShutdownPrivilege	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: SeUndockPrivilege	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: SeManageVolumePrivilege	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: SeImpersonatePrivilege	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: SeCreateGlobalPrivilege	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: 33	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: 34	1600	c64c953eb21641cb9688d357578e08e3.exe
Token: 35	1600	c64c953eb21641cb9688d357578e08e3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c64c953eb21641cb9688d357578e08e3.exe

pid process

1600 c64c953eb21641cb9688d357578e08e3.exe

pid	process
1600	c64c953eb21641cb9688d357578e08e3.exe

C:\Users\Admin\AppData\Local\Temp\c64c953eb21641cb9688d357578e08e3.exe
"C:\Users\Admin\AppData\Local\Temp\c64c953eb21641cb9688d357578e08e3.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1600-0-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1600-2-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1600-3-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1600-4-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1600-12-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1600-14-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download