darkcomet | 8a1970ca792a8e2bfc4ae792d52dd267d2347aa5e5072db254d12cb781248aaa

Analysis

max time kernel
146s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
05-07-2024 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

games installer.exe
Size

658KB
MD5

12af453bbf1dfe573ac71879fb1b36c8
SHA1

2eb9f00d2dd7cf000edc2414be0f66611035c3fd
SHA256

8a1970ca792a8e2bfc4ae792d52dd267d2347aa5e5072db254d12cb781248aaa
SHA512

bd314eb59cbcead9b434d1f9670ff48f5a7652dc76c1c494fd6736ff673422d7525f9d6f57bc5269ad6d0bfbd2deaee2f447f14f477ba451026225b2079c3570
SSDEEP

12288:q9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hY:mZ1xuVVjfFoynPaVBUR8f+kN10EB6

Score

10^/10

darkcomet guest16_min rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

income-saying.gl.at.ply.gg:51714

Mutex

DCMIN_MUTEX-NWUL1LY

Attributes

gencode
ZKlfG4mdFQsH
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

games installer.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2896	games installer.exe
Token: SeSecurityPrivilege	2896	games installer.exe
Token: SeTakeOwnershipPrivilege	2896	games installer.exe
Token: SeLoadDriverPrivilege	2896	games installer.exe
Token: SeSystemProfilePrivilege	2896	games installer.exe
Token: SeSystemtimePrivilege	2896	games installer.exe
Token: SeProfSingleProcessPrivilege	2896	games installer.exe
Token: SeIncBasePriorityPrivilege	2896	games installer.exe
Token: SeCreatePagefilePrivilege	2896	games installer.exe
Token: SeBackupPrivilege	2896	games installer.exe
Token: SeRestorePrivilege	2896	games installer.exe
Token: SeShutdownPrivilege	2896	games installer.exe
Token: SeDebugPrivilege	2896	games installer.exe
Token: SeSystemEnvironmentPrivilege	2896	games installer.exe
Token: SeChangeNotifyPrivilege	2896	games installer.exe
Token: SeRemoteShutdownPrivilege	2896	games installer.exe
Token: SeUndockPrivilege	2896	games installer.exe
Token: SeManageVolumePrivilege	2896	games installer.exe
Token: SeImpersonatePrivilege	2896	games installer.exe
Token: SeCreateGlobalPrivilege	2896	games installer.exe
Token: 33	2896	games installer.exe
Token: 34	2896	games installer.exe
Token: 35	2896	games installer.exe
Token: 36	2896	games installer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

games installer.exe

pid process

2896 games installer.exe

pid	process
2896	games installer.exe

C:\Users\Admin\AppData\Local\Temp\games installer.exe
"C:\Users\Admin\AppData\Local\Temp\games installer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2896

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2896-0-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/2896-1-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download