darkcomet | 999b467f6c9270ca8296f4064d5dcaa7180949a6f33db911c74d6c86fe1dbf5f

General

Target

999b467f6c9270ca8296f4064d5dcaa7180949a6f33db911c74d6c86fe1dbf5f.exe
Size

1.4MB
MD5

d4cc386e6847b9d82016c79455bdecce
SHA1

2e947b28d124c6675f8a9f947a7d371bd8c73120
SHA256

999b467f6c9270ca8296f4064d5dcaa7180949a6f33db911c74d6c86fe1dbf5f
SHA512

6c0cf6c28dfd63cf2d792398f55f71f7f908627a10d12cd5bc0a1032e31644e24c144752a9cddaae05ffa72550aaee3d88df4ce8a7baeb7551550dd5c0eed47f
SSDEEP

24576:lRmJkcoQricOIQxiZY1aazZrdR9kfrDs0Vh8cK0IpmXS3jej2pJ8Mj:qJZoQrbTFZY1aaVr/SDo0VacK0JCmxMj

Score

10^/10

darkcomet ali discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

ali

C2

obj.jumpingcrab.com:1818

Mutex

DC_MUTEX-N4J3V80

Attributes

gencode
olA3zmEolGvJ
install
false
offline_keylogger
true
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.eu.url	999b467f6c9270ca8296f4064d5dcaa7180949a6f33db911c74d6c86fe1dbf5f.exe

Executes dropped EXE 2 IoCs

pid	Process
3288	windows.exe
2196	windows.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000700000001e6ae-3.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	999b467f6c9270ca8296f4064d5dcaa7180949a6f33db911c74d6c86fe1dbf5f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3992	999b467f6c9270ca8296f4064d5dcaa7180949a6f33db911c74d6c86fe1dbf5f.exe
3992	999b467f6c9270ca8296f4064d5dcaa7180949a6f33db911c74d6c86fe1dbf5f.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2196	windows.exe
Token: SeSecurityPrivilege	2196	windows.exe
Token: SeTakeOwnershipPrivilege	2196	windows.exe
Token: SeLoadDriverPrivilege	2196	windows.exe
Token: SeSystemProfilePrivilege	2196	windows.exe
Token: SeSystemtimePrivilege	2196	windows.exe
Token: SeProfSingleProcessPrivilege	2196	windows.exe
Token: SeIncBasePriorityPrivilege	2196	windows.exe
Token: SeCreatePagefilePrivilege	2196	windows.exe
Token: SeBackupPrivilege	2196	windows.exe
Token: SeRestorePrivilege	2196	windows.exe
Token: SeShutdownPrivilege	2196	windows.exe
Token: SeDebugPrivilege	2196	windows.exe
Token: SeSystemEnvironmentPrivilege	2196	windows.exe
Token: SeChangeNotifyPrivilege	2196	windows.exe
Token: SeRemoteShutdownPrivilege	2196	windows.exe
Token: SeUndockPrivilege	2196	windows.exe
Token: SeManageVolumePrivilege	2196	windows.exe
Token: SeImpersonatePrivilege	2196	windows.exe
Token: SeCreateGlobalPrivilege	2196	windows.exe
Token: 33	2196	windows.exe
Token: 34	2196	windows.exe
Token: 35	2196	windows.exe
Token: 36	2196	windows.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2196	windows.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 3288	3992	999b467f6c9270ca8296f4064d5dcaa7180949a6f33db911c74d6c86fe1dbf5f.exe	92
PID 3992 wrote to memory of 3288	3992	999b467f6c9270ca8296f4064d5dcaa7180949a6f33db911c74d6c86fe1dbf5f.exe	92
PID 3992 wrote to memory of 3288	3992	999b467f6c9270ca8296f4064d5dcaa7180949a6f33db911c74d6c86fe1dbf5f.exe	92
PID 3288 wrote to memory of 2196	3288	windows.exe	95
PID 3288 wrote to memory of 2196	3288	windows.exe	95
PID 3288 wrote to memory of 2196	3288	windows.exe	95
PID 3288 wrote to memory of 2196	3288	windows.exe	95
PID 3288 wrote to memory of 2196	3288	windows.exe	95

C:\Users\Admin\AppData\Local\Temp\999b467f6c9270ca8296f4064d5dcaa7180949a6f33db911c74d6c86fe1dbf5f.exe
"C:\Users\Admin\AppData\Local\Temp\999b467f6c9270ca8296f4064d5dcaa7180949a6f33db911c74d6c86fe1dbf5f.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3992
- C:\ProgramData\Folder\windows.exe
  C:\ProgramData\Folder\windows.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\ProgramData\Folder\windows.exe
    C:\ProgramData\Folder\windows.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Folder\windows.exe

Filesize
1.4MB

MD5
12e0171cc263acd2eccae609351b3458

SHA1
671fe327fff83a02e8024f537dd92cd7af036240

SHA256
b6a602e059cc1157a429cd26aff08b56012591841c77425630c4af0bcc2b7e8e

SHA512
62fde0d36116abbac0419f7ea1f537679d8bd91711fb4764f96039c9f003e47827da55a30f7222c3c73d69831e8216060a0adb30571bc8fbee6296a4813f32bb

Download Submit
memory/2196-6-0x00000000000D0000-0x0000000000182000-memory.dmp

Filesize
712KB

Download
memory/2196-11-0x00000000000D0000-0x0000000000182000-memory.dmp

Filesize
712KB

Download
memory/2196-10-0x00000000000D0000-0x0000000000182000-memory.dmp

Filesize
712KB

Download
memory/2196-9-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2196-8-0x00000000000D0000-0x0000000000182000-memory.dmp

Filesize
712KB

Download
memory/2196-7-0x00000000000D0000-0x0000000000182000-memory.dmp

Filesize
712KB

Download
memory/2196-12-0x00000000000D0000-0x0000000000182000-memory.dmp

Filesize
712KB

Download
memory/2196-13-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing