darkcomet | ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910

General

Target

ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe
Size

1.9MB
MD5

5b6b3ee51c768d0c335799d16e85f5b1
SHA1

604c648cffb3e2e9fb0d3712bf341bb577c8cb81
SHA256

ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910
SHA512

df0de18365acdb919ed044f399e71670157227d6e2dc0fb0425741017650c769dbcd1fb87c2259067905379afca520708a28f9d9dabe528901d2c8d64f907f96

Score

10^/10

darkcomet sazan evasion rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

C2

denemekerem.duckdns.org:1604

Mutex

DC_MUTEX-X97JXCQ

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
ismgUn3CHFuf
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Drops file in System32 directory 1 IoCs

Processes:

attrib.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\WerFault.exe attrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\WerFault.exe	attrib.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe

description	pid	process	target process
PID 4484 set thread context of 5108	4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe	WerFault.exe

Drops file in Windows directory 1 IoCs

Processes:

attrib.exe

description ioc process

File opened for modification C:\Windows\SysWOW64 attrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64	attrib.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe

pid	process
4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe
4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe
4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe

pid	process
4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe
4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe
4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.execmd.execmd.exe

description	pid	process	target process
PID 4484 wrote to memory of 5108	4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe	WerFault.exe
PID 4484 wrote to memory of 5108	4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe	WerFault.exe
PID 4484 wrote to memory of 5108	4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe	WerFault.exe
PID 4484 wrote to memory of 5108	4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe	WerFault.exe
PID 4484 wrote to memory of 5108	4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe	WerFault.exe
PID 4484 wrote to memory of 5108	4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe	WerFault.exe
PID 4484 wrote to memory of 5108	4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe	WerFault.exe
PID 4484 wrote to memory of 5108	4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe	WerFault.exe
PID 4484 wrote to memory of 5108	4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe	WerFault.exe
PID 4484 wrote to memory of 5108	4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe	WerFault.exe
PID 4484 wrote to memory of 5108	4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe	WerFault.exe
PID 4484 wrote to memory of 5108	4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe	WerFault.exe
PID 4484 wrote to memory of 5108	4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe	WerFault.exe
PID 4484 wrote to memory of 5108	4484	ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe	WerFault.exe
PID 4416 wrote to memory of 2320	4416	cmd.exe	attrib.exe
PID 4416 wrote to memory of 2320	4416	cmd.exe	attrib.exe
PID 4416 wrote to memory of 2320	4416	cmd.exe	attrib.exe
PID 4532 wrote to memory of 2104	4532	cmd.exe	attrib.exe
PID 4532 wrote to memory of 2104	4532	cmd.exe	attrib.exe
PID 4532 wrote to memory of 2104	4532	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2320 attrib.exe
2104 attrib.exe

pid	process
2320	attrib.exe
2104	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe
"C:\Users\Admin\AppData\Local\Temp\ed90f1c4dfa869c5f64960eaff5ea82dc33b5d18ccfb5325a55e832739374910.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\SysWOW64\WerFault.exe
"C:\Windows\SysWOW64\WerFault.exe"
2⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\WerFault.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\WerFault.exe" +s +h
4⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:2104

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
3⤵
PID:4324

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:4920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64" +s +h
1⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2320

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2104-134-0x0000000000000000-mapping.dmp

Download
memory/2320-133-0x0000000000000000-mapping.dmp

Download
memory/5108-131-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/5108-130-0x0000000000000000-mapping.dmp

Download
memory/5108-132-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads