darkcomet | b5c0c2189f141d5d4328eb7800839bb702d25a028c879b0b54b6290f812621f7

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-03-2024 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Size

756KB
MD5

d4256a7d69733c47e3d4e0a3f4da2fa7
SHA1

d9d022c96a99fbad44451db9d60d24c4a4a22897
SHA256

b5c0c2189f141d5d4328eb7800839bb702d25a028c879b0b54b6290f812621f7
SHA512

7432143f6e1c8bf9cf37e4ed2b94b419bb5d4357827d292a58a9ad4d176072d9dcba892c79f0bec0be8bc1f71a621274e26f8d8013a6b92f59bf836e1ec8a3f9
SSDEEP

12288:e9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/ht:qZ1xuVVjfFoynPaVBUR8f+kN10EBL

Score

10^/10

darkcomet main rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

MAIN

billa2012.no-ip.org:50468

billa2012.no-ip.org:80

Mutex

DC_MUTEX-KH2VSZR

Attributes

gencode
sSjilN5Kx17Z
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

d4256a7d69733c47e3d4e0a3f4da2fa7.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: SeSecurityPrivilege	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: SeTakeOwnershipPrivilege	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: SeLoadDriverPrivilege	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: SeSystemProfilePrivilege	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: SeSystemtimePrivilege	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: SeProfSingleProcessPrivilege	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: SeIncBasePriorityPrivilege	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: SeCreatePagefilePrivilege	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: SeBackupPrivilege	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: SeRestorePrivilege	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: SeShutdownPrivilege	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: SeDebugPrivilege	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: SeSystemEnvironmentPrivilege	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: SeChangeNotifyPrivilege	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: SeRemoteShutdownPrivilege	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: SeUndockPrivilege	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: SeManageVolumePrivilege	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: SeImpersonatePrivilege	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: SeCreateGlobalPrivilege	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: 33	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: 34	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe
Token: 35	2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

d4256a7d69733c47e3d4e0a3f4da2fa7.exe

pid process

2156 d4256a7d69733c47e3d4e0a3f4da2fa7.exe

pid	process
2156	d4256a7d69733c47e3d4e0a3f4da2fa7.exe

C:\Users\Admin\AppData\Local\Temp\d4256a7d69733c47e3d4e0a3f4da2fa7.exe
"C:\Users\Admin\AppData\Local\Temp\d4256a7d69733c47e3d4e0a3f4da2fa7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2156

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2156-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2156-1-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2156-2-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2156-3-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2156-4-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2156-5-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2156-6-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2156-7-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2156-8-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2156-9-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2156-10-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2156-11-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2156-12-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2156-13-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2156-14-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download