darkcomet | bfe9a76229e6e502b7c542007cd976dd3b5e0d26190cdf7cc8a5e5aab0a63f7d

Resubmissions

21-06-2024 08:55

240621-kvt6astdkh 10

Analysis

max time kernel
155s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2024 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Darkcomet RAT 5.3.1.zip
Size

14.6MB
MD5

9f9347ecf2cc6541fb64acd6fc0a5749
SHA1

6c0d454ec2068d1c7d502a167ca02c8dafd0b244
SHA256

bfe9a76229e6e502b7c542007cd976dd3b5e0d26190cdf7cc8a5e5aab0a63f7d
SHA512

f0367a7c7265d38e52936bac40e0a18236d6544827da7dcdd1f2b19d2d3193b0039f5860a61a30f4e28bca3d2ef06a9c51f1b2c7f05927fad6ba37741ff015f3
SSDEEP

393216:Yia1rsEqp8mxBktqBEH3JM/qbxhbRLEJt5RXtW3hg:Yl1rsEqJxChH3coxhbePK3hg

Score

10^/10

darkcomet rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

upnp.exe

pid process

3276 upnp.exe

pid	process
3276	upnp.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\upnp.exe	upx
behavioral1/memory/3276-47-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/memory/3276-52-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

DarkComet.exe

pid process

4824 DarkComet.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

DarkComet.exe

pid process

4824 DarkComet.exe
4824 DarkComet.exe
4824 DarkComet.exe
4824 DarkComet.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

DarkComet.exe

pid process

4824 DarkComet.exe
4824 DarkComet.exe
4824 DarkComet.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

DarkComet.exe

pid process

4824 DarkComet.exe

pid	process
4824	DarkComet.exe

pid	process
4824	DarkComet.exe
4824	DarkComet.exe
4824	DarkComet.exe
4824	DarkComet.exe

pid	process
4824	DarkComet.exe
4824	DarkComet.exe
4824	DarkComet.exe

pid	process
4824	DarkComet.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

DarkComet.exe

description	pid	process	target process
PID 4824 wrote to memory of 3276	4824	DarkComet.exe	upnp.exe
PID 4824 wrote to memory of 3276	4824	DarkComet.exe	upnp.exe
PID 4824 wrote to memory of 3276	4824	DarkComet.exe	upnp.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Darkcomet RAT 5.3.1.zip"
1⤵
PID:2176

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1572

C:\Users\Admin\Desktop\Darkcomet RAT 5.3.1\DarkComet.exe
"C:\Users\Admin\Desktop\Darkcomet RAT 5.3.1\DarkComet.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4824

C:\Users\Admin\AppData\Local\Temp\upnp.exe
"C:\Users\Admin\AppData\Local\Temp\upnp.exe" -a 10.127.0.232 1604 1604 TCP
2⤵
- Executes dropped EXE
PID:3276

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\upnp.exe
Filesize
12KB

MD5
13804f8dc4e72ba103d5e34de895c9db

SHA1
03d7a0500ccb2fef3222ed1eb55f2cbedbb8b8c5

SHA256
da659d8c05cfcb5f0abe167191665359123643000d12140836c28d204294ceb6

SHA512
9abb98795a1b1c142c50c7c110966b4249972de5b1f40445b27d70c3127140b0ddaaada1d92297e96ffd71177b12cd87749953ffdcf6e5da7803b9f9527d7652

Download Submit
C:\Users\Admin\Desktop\Darkcomet RAT 5.3.1\config.ini
Filesize
522B

MD5
0a5baccb60ddf613c9ef2b18e0b1863f

SHA1
39bb75213fab1a7b9ab51089ef54f43086d8b1f3

SHA256
21a222e00ea35f663dc6c397c0a0aa6d80e52187644b170cee9e186892a22f4e

SHA512
b24b4e15fc975f81e5e5216cc098f8a34faeb5f7b3f10fe8f9f4a19157abe62f293b4687440434744e5c5284736a9a472fc5d04f5fda72e94fe5e7140b36de9b

Download Submit
memory/3276-52-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3276-47-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4824-51-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/4824-55-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/4824-50-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/4824-49-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/4824-0-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/4824-1-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/4824-53-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/4824-39-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/4824-57-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/4824-58-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/4824-59-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/4824-60-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/4824-61-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/4824-62-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download