darkcomet | 63cbb50418ff9617182869680dd65862f27eba39adf6b4405ff8449f5973c37d

General

Target

5e7599beee5b23858e1339c802a2b42e.exe
Size

272KB
MD5

5e7599beee5b23858e1339c802a2b42e
SHA1

6f1f1f6d8c15582ae44d9312c07bcf771e63983b
SHA256

63cbb50418ff9617182869680dd65862f27eba39adf6b4405ff8449f5973c37d
SHA512

8c52a4ae02dc889aa178fcd89c0af2b61ef9bb389330b4338c2759424298480835540d523caf5a573cd50f60896d2f771861128320fad434677efaf5a2213332
SSDEEP

6144:stN2PXzg+qNDf24M4IlzR7eSSpYBRKL0LNxVIBqW/p:st40THI5RaRp9QZxOBq

Score

10^/10

darkcomet sazan rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

C2

2.tcp.ngrok.io:11956

Mutex

DC_MUTEX-9YWB9EB

Attributes

gencode
svYKFqnCzhWk
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

Deneme Server.exe

pid process

2756 Deneme Server.exe

pid	process
2756	Deneme Server.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Deneme Server.exe	upx
behavioral1/memory/2756-12-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2756-16-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2756-26-0x0000000000400000-0x00000000004E8000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

5e7599beee5b23858e1339c802a2b42e.exe

pid process

2296 5e7599beee5b23858e1339c802a2b42e.exe
2296 5e7599beee5b23858e1339c802a2b42e.exe
2296 5e7599beee5b23858e1339c802a2b42e.exe

pid	process
2296	5e7599beee5b23858e1339c802a2b42e.exe
2296	5e7599beee5b23858e1339c802a2b42e.exe
2296	5e7599beee5b23858e1339c802a2b42e.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

5e7599beee5b23858e1339c802a2b42e.exeDeneme Server.exe

description	pid	process
Token: SeDebugPrivilege	2296	5e7599beee5b23858e1339c802a2b42e.exe
Token: SeIncreaseQuotaPrivilege	2756	Deneme Server.exe
Token: SeSecurityPrivilege	2756	Deneme Server.exe
Token: SeTakeOwnershipPrivilege	2756	Deneme Server.exe
Token: SeLoadDriverPrivilege	2756	Deneme Server.exe
Token: SeSystemProfilePrivilege	2756	Deneme Server.exe
Token: SeSystemtimePrivilege	2756	Deneme Server.exe
Token: SeProfSingleProcessPrivilege	2756	Deneme Server.exe
Token: SeIncBasePriorityPrivilege	2756	Deneme Server.exe
Token: SeCreatePagefilePrivilege	2756	Deneme Server.exe
Token: SeBackupPrivilege	2756	Deneme Server.exe
Token: SeRestorePrivilege	2756	Deneme Server.exe
Token: SeShutdownPrivilege	2756	Deneme Server.exe
Token: SeDebugPrivilege	2756	Deneme Server.exe
Token: SeSystemEnvironmentPrivilege	2756	Deneme Server.exe
Token: SeChangeNotifyPrivilege	2756	Deneme Server.exe
Token: SeRemoteShutdownPrivilege	2756	Deneme Server.exe
Token: SeUndockPrivilege	2756	Deneme Server.exe
Token: SeManageVolumePrivilege	2756	Deneme Server.exe
Token: SeImpersonatePrivilege	2756	Deneme Server.exe
Token: SeCreateGlobalPrivilege	2756	Deneme Server.exe
Token: 33	2756	Deneme Server.exe
Token: 34	2756	Deneme Server.exe
Token: 35	2756	Deneme Server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Deneme Server.exe

pid process

2756 Deneme Server.exe

pid	process
2756	Deneme Server.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

5e7599beee5b23858e1339c802a2b42e.exe

description	pid	process	target process
PID 2296 wrote to memory of 2756	2296	5e7599beee5b23858e1339c802a2b42e.exe	Deneme Server.exe
PID 2296 wrote to memory of 2756	2296	5e7599beee5b23858e1339c802a2b42e.exe	Deneme Server.exe
PID 2296 wrote to memory of 2756	2296	5e7599beee5b23858e1339c802a2b42e.exe	Deneme Server.exe
PID 2296 wrote to memory of 2756	2296	5e7599beee5b23858e1339c802a2b42e.exe	Deneme Server.exe

C:\Users\Admin\AppData\Local\Temp\5e7599beee5b23858e1339c802a2b42e.exe
"C:\Users\Admin\AppData\Local\Temp\5e7599beee5b23858e1339c802a2b42e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296

C:\Users\Admin\Desktop\Deneme Server.exe
"C:\Users\Admin\Desktop\Deneme Server.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2756

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Deneme Server.exe
Filesize
349KB

MD5
c7f0a3e8111658ee68aaff70cbb8c762

SHA1
1b8d8a570f6e4ddca60e8701e17c3cb8f29fbfae

SHA256
da5a459d79af026e43ed00845a93b407b2da2ed2da9731df63fefea8d1a0fb93

SHA512
7354ad99e45bda9f7ea5c44787dea0c0c83728ec3e46c2be5840c07952ec390325cc41b28f360876238643613e40ff9d84100763d3379d51de9c60d56c95aa95

Download Submit
memory/2296-0-0x000000013F3C0000-0x000000013F408000-memory.dmp

Filesize
288KB

Download
memory/2296-1-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2296-2-0x0000000000960000-0x00000000009E0000-memory.dmp

Filesize
512KB

Download
memory/2296-3-0x0000000000960000-0x00000000009E0000-memory.dmp

Filesize
512KB

Download
memory/2296-13-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-12-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2756-14-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2756-16-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2756-18-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2756-26-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads