darkcomet | 3429eaced3c462492fce6a397317c8603ad92907212bc0bd2c1d4c1032d35610

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

smss.exe
Size

722KB
MD5

6485277c4f8f80d86f40003ec2311c1c
SHA1

8426890a6246eefcb3ad01d9a1ad8877531a451c
SHA256

3429eaced3c462492fce6a397317c8603ad92907212bc0bd2c1d4c1032d35610
SHA512

fdcf3b8033ff3a9c7d8ba5729fc31f87cd8814c2d4c1c8c3c8a5ebd202e386c0aafa27632dacc4a4aaea58e2171879db677a97a05860b0c85844b0509d0ec1b4
SSDEEP

12288:wFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0w/q9jJu:g3nbWmJVJFwSddIXvfhqbiaxvRxq9U

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

1 0.tcp.eu.ngrok.io
305 0.tcp.eu.ngrok.io
326 0.tcp.eu.ngrok.io
377 0.tcp.eu.ngrok.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

smss.exe

description pid process target process

PID 2836 set thread context of 2096 2836 smss.exe iexplore.exe

flow	ioc
1	0.tcp.eu.ngrok.io
305	0.tcp.eu.ngrok.io
326	0.tcp.eu.ngrok.io
377	0.tcp.eu.ngrok.io

description	pid	process	target process
PID 2836 set thread context of 2096	2836	smss.exe	iexplore.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

smss.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2836	smss.exe
Token: SeSecurityPrivilege	2836	smss.exe
Token: SeTakeOwnershipPrivilege	2836	smss.exe
Token: SeLoadDriverPrivilege	2836	smss.exe
Token: SeSystemProfilePrivilege	2836	smss.exe
Token: SeSystemtimePrivilege	2836	smss.exe
Token: SeProfSingleProcessPrivilege	2836	smss.exe
Token: SeIncBasePriorityPrivilege	2836	smss.exe
Token: SeCreatePagefilePrivilege	2836	smss.exe
Token: SeBackupPrivilege	2836	smss.exe
Token: SeRestorePrivilege	2836	smss.exe
Token: SeShutdownPrivilege	2836	smss.exe
Token: SeDebugPrivilege	2836	smss.exe
Token: SeSystemEnvironmentPrivilege	2836	smss.exe
Token: SeChangeNotifyPrivilege	2836	smss.exe
Token: SeRemoteShutdownPrivilege	2836	smss.exe
Token: SeUndockPrivilege	2836	smss.exe
Token: SeManageVolumePrivilege	2836	smss.exe
Token: SeImpersonatePrivilege	2836	smss.exe
Token: SeCreateGlobalPrivilege	2836	smss.exe
Token: 33	2836	smss.exe
Token: 34	2836	smss.exe
Token: 35	2836	smss.exe
Token: SeIncreaseQuotaPrivilege	2096	iexplore.exe
Token: SeSecurityPrivilege	2096	iexplore.exe
Token: SeTakeOwnershipPrivilege	2096	iexplore.exe
Token: SeLoadDriverPrivilege	2096	iexplore.exe
Token: SeSystemProfilePrivilege	2096	iexplore.exe
Token: SeSystemtimePrivilege	2096	iexplore.exe
Token: SeProfSingleProcessPrivilege	2096	iexplore.exe
Token: SeIncBasePriorityPrivilege	2096	iexplore.exe
Token: SeCreatePagefilePrivilege	2096	iexplore.exe
Token: SeBackupPrivilege	2096	iexplore.exe
Token: SeRestorePrivilege	2096	iexplore.exe
Token: SeShutdownPrivilege	2096	iexplore.exe
Token: SeDebugPrivilege	2096	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2096	iexplore.exe
Token: SeChangeNotifyPrivilege	2096	iexplore.exe
Token: SeRemoteShutdownPrivilege	2096	iexplore.exe
Token: SeUndockPrivilege	2096	iexplore.exe
Token: SeManageVolumePrivilege	2096	iexplore.exe
Token: SeImpersonatePrivilege	2096	iexplore.exe
Token: SeCreateGlobalPrivilege	2096	iexplore.exe
Token: 33	2096	iexplore.exe
Token: 34	2096	iexplore.exe
Token: 35	2096	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

2096 iexplore.exe

pid	process
2096	iexplore.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

smss.exe

description	pid	process	target process
PID 2836 wrote to memory of 2096	2836	smss.exe	iexplore.exe
PID 2836 wrote to memory of 2096	2836	smss.exe	iexplore.exe
PID 2836 wrote to memory of 2096	2836	smss.exe	iexplore.exe
PID 2836 wrote to memory of 2096	2836	smss.exe	iexplore.exe
PID 2836 wrote to memory of 2096	2836	smss.exe	iexplore.exe
PID 2836 wrote to memory of 2096	2836	smss.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2096

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2096-1-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2836-3-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2836-0-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download