darkcomet | f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904

General

Target

f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904.exe
Size

758KB
MD5

998fb47d01fba99cd7d3c895cd980fdf
SHA1

3db1e5543b1d18a88a3b59fc226bb8c12a110b35
SHA256

f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904
SHA512

81135e73c9ccb0ec54197dda0f45a248fc7a2bc94b6adc5471e17f5ac1388a5928908b62b56a93fa11ed6ce9cd5d8bf5363f2078d2657eb0f7f616bc415eab89
SSDEEP

12288:OWRJAqE2AdhVhfTUOsSu45Tl1FjUlIeCs7CMbI1JPMTJ+Fb0HtIxYT7h:xR+q7Ar/fKS1p1FjUlIeCs7CMwCJGMvl

Score

10^/10

darkcomet guest16 discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

error404.no-ip.info:1604

something.no-ip.info:1604

error404.no-ip.info:3737

something404.no-ip.info:3737

Mutex

DC_MUTEX-55YMXAT

Attributes

gencode
WwVUfkcCarWy
install
false
offline_keylogger
true
password
bd0rk123
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2624 set thread context of 832	2624	f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904.exe
Token: SeIncreaseQuotaPrivilege	832	AppLaunch.exe
Token: SeSecurityPrivilege	832	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	832	AppLaunch.exe
Token: SeLoadDriverPrivilege	832	AppLaunch.exe
Token: SeSystemProfilePrivilege	832	AppLaunch.exe
Token: SeSystemtimePrivilege	832	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	832	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	832	AppLaunch.exe
Token: SeCreatePagefilePrivilege	832	AppLaunch.exe
Token: SeBackupPrivilege	832	AppLaunch.exe
Token: SeRestorePrivilege	832	AppLaunch.exe
Token: SeShutdownPrivilege	832	AppLaunch.exe
Token: SeDebugPrivilege	832	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	832	AppLaunch.exe
Token: SeChangeNotifyPrivilege	832	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	832	AppLaunch.exe
Token: SeUndockPrivilege	832	AppLaunch.exe
Token: SeManageVolumePrivilege	832	AppLaunch.exe
Token: SeImpersonatePrivilege	832	AppLaunch.exe
Token: SeCreateGlobalPrivilege	832	AppLaunch.exe
Token: 33	832	AppLaunch.exe
Token: 34	832	AppLaunch.exe
Token: 35	832	AppLaunch.exe
Token: 36	832	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
832	AppLaunch.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 832	2624	f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904.exe	82
PID 2624 wrote to memory of 832	2624	f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904.exe	82
PID 2624 wrote to memory of 832	2624	f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904.exe	82
PID 2624 wrote to memory of 832	2624	f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904.exe	82
PID 2624 wrote to memory of 832	2624	f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904.exe	82
PID 2624 wrote to memory of 832	2624	f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904.exe	82
PID 2624 wrote to memory of 832	2624	f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904.exe	82
PID 2624 wrote to memory of 832	2624	f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904.exe	82
PID 2624 wrote to memory of 832	2624	f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904.exe	82
PID 2624 wrote to memory of 832	2624	f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904.exe	82
PID 2624 wrote to memory of 832	2624	f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904.exe	82
PID 2624 wrote to memory of 832	2624	f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904.exe	82
PID 2624 wrote to memory of 832	2624	f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904.exe	82
PID 2624 wrote to memory of 832	2624	f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904.exe	82

C:\Users\Admin\AppData\Local\Temp\f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904.exe
"C:\Users\Admin\AppData\Local\Temp\f1e4929865f60231ee7192d027ff818fa5c1df2338834580f6a61b63092f6904.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/832-3-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/832-4-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/832-6-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/832-8-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/832-10-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/832-9-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/832-11-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2624-0-0x0000000074872000-0x0000000074873000-memory.dmp

Filesize
4KB

Download
memory/2624-1-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/2624-2-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/2624-7-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing