darkcomet | 63cbb50418ff9617182869680dd65862f27eba39adf6b4405ff8449f5973c37d

General

Target

5e7599beee5b23858e1339c802a2b42e.exe
Size

272KB
MD5

5e7599beee5b23858e1339c802a2b42e
SHA1

6f1f1f6d8c15582ae44d9312c07bcf771e63983b
SHA256

63cbb50418ff9617182869680dd65862f27eba39adf6b4405ff8449f5973c37d
SHA512

8c52a4ae02dc889aa178fcd89c0af2b61ef9bb389330b4338c2759424298480835540d523caf5a573cd50f60896d2f771861128320fad434677efaf5a2213332
SSDEEP

6144:stN2PXzg+qNDf24M4IlzR7eSSpYBRKL0LNxVIBqW/p:st40THI5RaRp9QZxOBq

Score

10^/10

darkcomet sazan rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

C2

2.tcp.ngrok.io:11956

Mutex

DC_MUTEX-9YWB9EB

Attributes

gencode
svYKFqnCzhWk
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5e7599beee5b23858e1339c802a2b42e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	5e7599beee5b23858e1339c802a2b42e.exe

Executes dropped EXE 1 IoCs

Processes:

Deneme Server.exe

pid process

4576 Deneme Server.exe

pid	process
4576	Deneme Server.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Deneme Server.exe	upx
behavioral2/memory/4576-66-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/4576-69-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/4576-71-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/4576-72-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/4576-73-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/4576-74-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/4576-76-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/4576-78-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/4576-79-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/4576-80-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/4576-81-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/4576-82-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral2/memory/4576-120-0x0000000000400000-0x00000000004E8000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

5e7599beee5b23858e1339c802a2b42e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	5e7599beee5b23858e1339c802a2b42e.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

5e7599beee5b23858e1339c802a2b42e.exe

pid process

1448 5e7599beee5b23858e1339c802a2b42e.exe
1448 5e7599beee5b23858e1339c802a2b42e.exe
1448 5e7599beee5b23858e1339c802a2b42e.exe

pid	process
1448	5e7599beee5b23858e1339c802a2b42e.exe
1448	5e7599beee5b23858e1339c802a2b42e.exe
1448	5e7599beee5b23858e1339c802a2b42e.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

5e7599beee5b23858e1339c802a2b42e.exeDeneme Server.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1448	5e7599beee5b23858e1339c802a2b42e.exe
Token: SeIncreaseQuotaPrivilege	4576	Deneme Server.exe
Token: SeSecurityPrivilege	4576	Deneme Server.exe
Token: SeTakeOwnershipPrivilege	4576	Deneme Server.exe
Token: SeLoadDriverPrivilege	4576	Deneme Server.exe
Token: SeSystemProfilePrivilege	4576	Deneme Server.exe
Token: SeSystemtimePrivilege	4576	Deneme Server.exe
Token: SeProfSingleProcessPrivilege	4576	Deneme Server.exe
Token: SeIncBasePriorityPrivilege	4576	Deneme Server.exe
Token: SeCreatePagefilePrivilege	4576	Deneme Server.exe
Token: SeBackupPrivilege	4576	Deneme Server.exe
Token: SeRestorePrivilege	4576	Deneme Server.exe
Token: SeShutdownPrivilege	4576	Deneme Server.exe
Token: SeDebugPrivilege	4576	Deneme Server.exe
Token: SeSystemEnvironmentPrivilege	4576	Deneme Server.exe
Token: SeChangeNotifyPrivilege	4576	Deneme Server.exe
Token: SeRemoteShutdownPrivilege	4576	Deneme Server.exe
Token: SeUndockPrivilege	4576	Deneme Server.exe
Token: SeManageVolumePrivilege	4576	Deneme Server.exe
Token: SeImpersonatePrivilege	4576	Deneme Server.exe
Token: SeCreateGlobalPrivilege	4576	Deneme Server.exe
Token: 33	4576	Deneme Server.exe
Token: 34	4576	Deneme Server.exe
Token: 35	4576	Deneme Server.exe
Token: 36	4576	Deneme Server.exe
Token: SeManageVolumePrivilege	928	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Deneme Server.exe

pid process

4576 Deneme Server.exe

pid	process
4576	Deneme Server.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

5e7599beee5b23858e1339c802a2b42e.exe

description	pid	process	target process
PID 1448 wrote to memory of 4576	1448	5e7599beee5b23858e1339c802a2b42e.exe	Deneme Server.exe
PID 1448 wrote to memory of 4576	1448	5e7599beee5b23858e1339c802a2b42e.exe	Deneme Server.exe
PID 1448 wrote to memory of 4576	1448	5e7599beee5b23858e1339c802a2b42e.exe	Deneme Server.exe

C:\Users\Admin\AppData\Local\Temp\5e7599beee5b23858e1339c802a2b42e.exe
"C:\Users\Admin\AppData\Local\Temp\5e7599beee5b23858e1339c802a2b42e.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\Desktop\Deneme Server.exe
"C:\Users\Admin\Desktop\Deneme Server.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:928

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Deneme Server.exe
Filesize
349KB

MD5
c7f0a3e8111658ee68aaff70cbb8c762

SHA1
1b8d8a570f6e4ddca60e8701e17c3cb8f29fbfae

SHA256
da5a459d79af026e43ed00845a93b407b2da2ed2da9731df63fefea8d1a0fb93

SHA512
7354ad99e45bda9f7ea5c44787dea0c0c83728ec3e46c2be5840c07952ec390325cc41b28f360876238643613e40ff9d84100763d3379d51de9c60d56c95aa95

Download Submit
memory/928-117-0x000001F933650000-0x000001F933651000-memory.dmp

Filesize
4KB

Download
memory/928-119-0x000001F933760000-0x000001F933761000-memory.dmp

Filesize
4KB

Download
memory/928-118-0x000001F933650000-0x000001F933651000-memory.dmp

Filesize
4KB

Download
memory/928-99-0x000001F92B340000-0x000001F92B350000-memory.dmp

Filesize
64KB

Download
memory/928-115-0x000001F933620000-0x000001F933621000-memory.dmp

Filesize
4KB

Download
memory/1448-2-0x0000000003880000-0x0000000003890000-memory.dmp

Filesize
64KB

Download
memory/1448-3-0x0000000003880000-0x0000000003890000-memory.dmp

Filesize
64KB

Download
memory/1448-5-0x0000000003880000-0x0000000003890000-memory.dmp

Filesize
64KB

Download
memory/1448-4-0x0000000003880000-0x0000000003890000-memory.dmp

Filesize
64KB

Download
memory/1448-1-0x00007FF9DAB30000-0x00007FF9DB5F1000-memory.dmp

Filesize
10.8MB

Download
memory/1448-70-0x00007FF9DAB30000-0x00007FF9DB5F1000-memory.dmp

Filesize
10.8MB

Download
memory/1448-0-0x0000000000D40000-0x0000000000D88000-memory.dmp

Filesize
288KB

Download
memory/4576-72-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4576-82-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4576-76-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4576-78-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4576-79-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4576-80-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4576-81-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4576-74-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4576-73-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4576-71-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4576-69-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4576-68-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/4576-66-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4576-120-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads