Analysis
-
max time kernel
342s -
max time network
311s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
27-09-2024 16:49
General
-
Target
Dark Comet 5.3/Dark Comet/DarkComet.exe
-
Size
11.3MB
-
MD5
d761f3aa64064a706a521ba14d0f8741
-
SHA1
ab7382bcfdf494d0327fccce9c884592bcc1adeb
-
SHA256
21ca06b18698d14154a45822aaae1e3837d168cc7630bcd3ec3d8c68aaa959e6
-
SHA512
d2274c03f805a5cd62104492e154fc225c3f6997091accb2f4bff165308fc82ba0d9adf185ec744222bcb4ece08d1ba754a35a2d88c10c5743f4d2e66494377f
-
SSDEEP
196608:TPvqxSrDTVokQwhM/kSEMTQINokXJw7lW740VeqQPR:LCxSrFokQw2NjUYuWU0t
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 58 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 30 IoCs
-
Suspicious use of SendNotifyMessage 15 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Dark Comet 5.3\Dark Comet\DarkComet.exe"C:\Users\Admin\AppData\Local\Temp\Dark Comet 5.3\Dark Comet\DarkComet.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\upnp.exe"C:\Users\Admin\AppData\Local\Temp\upnp.exe" -a 10.127.0.90 1604 1604 TCP2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://darkcomet-rat.com/lounge.dc2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e8aa3cb8,0x7ff9e8aa3cc8,0x7ff9e8aa3cd83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,6835304212654834524,11906173634802066429,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2088 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,6835304212654834524,11906173634802066429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,6835304212654834524,11906173634802066429,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6835304212654834524,11906173634802066429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6835304212654834524,11906173634802066429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6835304212654834524,11906173634802066429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6835304212654834524,11906173634802066429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6835304212654834524,11906173634802066429,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:13⤵
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004CC1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\not a rat.exe"C:\Users\Admin\Downloads\not a rat.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5a8276eab0f8f0c0bb325b5b8c329f64f
SHA18ce681e4056936ca8ccd6f487e7cd7cccbae538b
SHA256847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da
SHA51242f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918
-
Filesize
152B
MD5058032c530b52781582253cb245aa731
SHA17ca26280e1bfefe40e53e64345a0d795b5303fab
SHA2561c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e
SHA51277fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f
-
Filesize
6KB
MD5f0f63faa5b3f87bf95272005fa85c1c0
SHA19ba7575b74c8acf342deaa0fb68d4752ea54b858
SHA25639b92b10a85eb66af6d78252058dbcbcc6426c075406ce1f199e1791cdb54504
SHA512f7e57b536f1e56a21420048889153b4af4898993d5de18f11c533ea3f106e2c90385f40bea2d775aa4a9392ff38f863e8aedf8a70281c6cf01d101ea516a8baa
-
Filesize
5KB
MD550d219d1d7d5167fc6b785dbeeff2d44
SHA18656ab20337aadf7df4862de38985cecd40ceb40
SHA2564e0204b295da9158d6d617905244cbdc838890988a0396490da772c5b821a5a2
SHA512f15b06385fdeee264f806b5461d78dcd0e6583ce9fe5006a7ad438b13c4a60489356f715177910b83cefdab9d975fa2ef22f3776a2795f7dd56e65c477ce9b7f
-
Filesize
10KB
MD5155d8d2ccb3677d6396d4e272adc7b67
SHA1757fc4754e5ceff35e547334cbc5d01ec0f29ed7
SHA25665aa3bc8349dae9dcfa4dc9b55ef3087a6e075bedbf58eea9a63c355836ab995
SHA512146244b6b52ac0a6bfbba66d0b5166464ccac99ef77a693374aabae54c6f88f20685607e5efa25d8e4531b95f2baf66c6e92d6f5b24db4d183af01f47a1b4b92
-
Filesize
2KB
MD5227dbbf06cb72b05d459ff385e78c01b
SHA11a9bf16b07d44fcb5f1785d0840a6eaaca6f7f11
SHA256c9acbbd78073afcb8dd951b0024673cbaed8ac6bd7f1002289fa70ffabdfd382
SHA5125fe6c13585343ec37f0b0109f1036a8a0eec9bac274e8c0e977925707ef9253580adc13ef17fae7517a8f871aa7e5b9dc9529ba23d37ee4b0a6e94bad4ed3831
-
Filesize
12KB
MD513804f8dc4e72ba103d5e34de895c9db
SHA103d7a0500ccb2fef3222ed1eb55f2cbedbb8b8c5
SHA256da659d8c05cfcb5f0abe167191665359123643000d12140836c28d204294ceb6
SHA5129abb98795a1b1c142c50c7c110966b4249972de5b1f40445b27d70c3127140b0ddaaada1d92297e96ffd71177b12cd87749953ffdcf6e5da7803b9f9527d7652
-
Filesize
3KB
MD5352120954900ea4d037adb8fe704491a
SHA1c63c7b83441768c9a2909125754491ec054139de
SHA256dde5e5682bd892a848c210fc25647d92f9416b2ae2e1af4f453cab758fbbe266
SHA512c31a63d0b301cde379d7a15f109ff9d47f0224038926fc30b163ffe16eb895fd6e58671a8177b2d9f99d8683b715b40fd45efa08b98eea06918c50e676d5cd83
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
4KB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
4KB
-
Filesize
11.4MB
-
Filesize
4KB
-
Filesize
11.4MB
-
Filesize
4KB
-
Filesize
11.4MB
-
Filesize
20KB
-
Filesize
52KB
-
Filesize
52KB