darkcomet | 9bee27b268c35b46a2cd109a4f743af3a664e0a84443d2cd08b1f9a089db559f

General

Target

acf05449c06970a54cc36fc7412f025f2c80c577d7ce3073b18fba70b39fb7f6.exe
Size

852KB
MD5

142b6a00a17c3f7853f4cfeebfe72c13
SHA1

799ea8e4a8295d0018e81fa910fe3e3e734237da
SHA256

acf05449c06970a54cc36fc7412f025f2c80c577d7ce3073b18fba70b39fb7f6
SHA512

761fb7c01fc53a2e260876d3e51e48b740ed86562e3505a4195fc2e89cd86762f76b725a7c267c439986515a7ca3b194f3367da3fdefafb47dd852b264f2d521
SSDEEP

12288:MMM0D0t0S0O0Sv8Di0BRtIwrfLDEDEOjX7kmW:NxgSfrvDi0BDIwrERnk7

Score

10^/10

darkcomet rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Drops startup file 3 IoCs

Processes:

acf05449c06970a54cc36fc7412f025f2c80c577d7ce3073b18fba70b39fb7f6.exe.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	acf05449c06970a54cc36fc7412f025f2c80c577d7ce3073b18fba70b39fb7f6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	acf05449c06970a54cc36fc7412f025f2c80c577d7ce3073b18fba70b39fb7f6.exe

Executes dropped EXE 2 IoCs

Processes:

.exe.exe

pid	Process
1908	.exe
2620	.exe

Loads dropped DLL 3 IoCs

Processes:

acf05449c06970a54cc36fc7412f025f2c80c577d7ce3073b18fba70b39fb7f6.exe.exe

pid	Process
2248	acf05449c06970a54cc36fc7412f025f2c80c577d7ce3073b18fba70b39fb7f6.exe
2248	acf05449c06970a54cc36fc7412f025f2c80c577d7ce3073b18fba70b39fb7f6.exe
1908	.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2620-19-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2620-17-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2620-25-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2620-26-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2620-23-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2620-27-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2620-29-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2620-28-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2620-30-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2620-32-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2620-33-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2620-34-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2620-35-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2620-37-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2620-41-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2620-44-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2620-48-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2620-51-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2620-55-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2620-59-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2620-62-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

.exe

description	pid	Process	procid_target
PID 1908 set thread context of 2620	1908	.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2620	.exe
Token: SeSecurityPrivilege	2620	.exe
Token: SeTakeOwnershipPrivilege	2620	.exe
Token: SeLoadDriverPrivilege	2620	.exe
Token: SeSystemProfilePrivilege	2620	.exe
Token: SeSystemtimePrivilege	2620	.exe
Token: SeProfSingleProcessPrivilege	2620	.exe
Token: SeIncBasePriorityPrivilege	2620	.exe
Token: SeCreatePagefilePrivilege	2620	.exe
Token: SeBackupPrivilege	2620	.exe
Token: SeRestorePrivilege	2620	.exe
Token: SeShutdownPrivilege	2620	.exe
Token: SeDebugPrivilege	2620	.exe
Token: SeSystemEnvironmentPrivilege	2620	.exe
Token: SeChangeNotifyPrivilege	2620	.exe
Token: SeRemoteShutdownPrivilege	2620	.exe
Token: SeUndockPrivilege	2620	.exe
Token: SeManageVolumePrivilege	2620	.exe
Token: SeImpersonatePrivilege	2620	.exe
Token: SeCreateGlobalPrivilege	2620	.exe
Token: 33	2620	.exe
Token: 34	2620	.exe
Token: 35	2620	.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

acf05449c06970a54cc36fc7412f025f2c80c577d7ce3073b18fba70b39fb7f6.exe.exe.exe

pid	Process
2248	acf05449c06970a54cc36fc7412f025f2c80c577d7ce3073b18fba70b39fb7f6.exe
1908	.exe
2620	.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

acf05449c06970a54cc36fc7412f025f2c80c577d7ce3073b18fba70b39fb7f6.exe.exe

description	pid	Process	procid_target
PID 2248 wrote to memory of 1908	2248	acf05449c06970a54cc36fc7412f025f2c80c577d7ce3073b18fba70b39fb7f6.exe	28
PID 2248 wrote to memory of 1908	2248	acf05449c06970a54cc36fc7412f025f2c80c577d7ce3073b18fba70b39fb7f6.exe	28
PID 2248 wrote to memory of 1908	2248	acf05449c06970a54cc36fc7412f025f2c80c577d7ce3073b18fba70b39fb7f6.exe	28
PID 2248 wrote to memory of 1908	2248	acf05449c06970a54cc36fc7412f025f2c80c577d7ce3073b18fba70b39fb7f6.exe	28
PID 1908 wrote to memory of 2620	1908	.exe	29
PID 1908 wrote to memory of 2620	1908	.exe	29
PID 1908 wrote to memory of 2620	1908	.exe	29
PID 1908 wrote to memory of 2620	1908	.exe	29
PID 1908 wrote to memory of 2620	1908	.exe	29
PID 1908 wrote to memory of 2620	1908	.exe	29
PID 1908 wrote to memory of 2620	1908	.exe	29
PID 1908 wrote to memory of 2620	1908	.exe	29

C:\Users\Admin\AppData\Local\Temp\acf05449c06970a54cc36fc7412f025f2c80c577d7ce3073b18fba70b39fb7f6.exe
"C:\Users\Admin\AppData\Local\Temp\acf05449c06970a54cc36fc7412f025f2c80c577d7ce3073b18fba70b39fb7f6.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Filesize
852KB

MD5
142b6a00a17c3f7853f4cfeebfe72c13

SHA1
799ea8e4a8295d0018e81fa910fe3e3e734237da

SHA256
acf05449c06970a54cc36fc7412f025f2c80c577d7ce3073b18fba70b39fb7f6

SHA512
761fb7c01fc53a2e260876d3e51e48b740ed86562e3505a4195fc2e89cd86762f76b725a7c267c439986515a7ca3b194f3367da3fdefafb47dd852b264f2d521

Download Submit
memory/2620-15-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-19-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-17-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2620-25-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-26-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-23-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-27-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-29-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-28-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-30-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-31-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2620-32-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-33-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-34-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-35-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-37-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-41-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-44-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-48-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-51-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-55-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-59-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2620-62-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads