darkcomet | 10f2e75aeb164c1771cf3392cecdb50f0e5d22331654075a88bc691eb0602ce5

General

Target

6d4166ae6ee8d6ec5af09d73d256bd83.exe
Size

278KB
MD5

6d4166ae6ee8d6ec5af09d73d256bd83
SHA1

8392c338cbaa7fe0787eef96bbca84c483e50d33
SHA256

10f2e75aeb164c1771cf3392cecdb50f0e5d22331654075a88bc691eb0602ce5
SHA512

a789f6a2fc9227f483e11adae0c69e3d2216911524dfc02a7a74e9a236edb25bbb468c3d9280f828333fab11f3f295c1498597ead61da225455b62590e89f8d4
SSDEEP

6144:r5C4JCWTWFjtT2VUnw/6knPrCVsoSortxBFzNKNzKz/:r5UWTWEURGjCaoSortVgQz

Score

10^/10

darkcomet sazan rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

C2

2.tcp.ngrok.io:11956

Mutex

DC_MUTEX-9YWB9EB

Attributes

gencode
svYKFqnCzhWk
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

Deneme Server 2.exeDeneme Server.exe

pid process

1344 Deneme Server 2.exe
2748 Deneme Server.exe
Loads dropped DLL 1 IoCs

Processes:

6d4166ae6ee8d6ec5af09d73d256bd83.exe

pid process

2168 6d4166ae6ee8d6ec5af09d73d256bd83.exe

pid	process
1344	Deneme Server 2.exe
2748	Deneme Server.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Deneme Server.exe	upx
behavioral1/memory/2748-24-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2748-28-0x0000000000400000-0x00000000004E8000-memory.dmp	upx
behavioral1/memory/2748-40-0x0000000000400000-0x00000000004E8000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

6d4166ae6ee8d6ec5af09d73d256bd83.exeDeneme Server 2.exe

pid	process
2168	6d4166ae6ee8d6ec5af09d73d256bd83.exe
2168	6d4166ae6ee8d6ec5af09d73d256bd83.exe
1344	Deneme Server 2.exe
1344	Deneme Server 2.exe
1344	Deneme Server 2.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

6d4166ae6ee8d6ec5af09d73d256bd83.exeDeneme Server 2.exeDeneme Server.exe

description	pid	process
Token: SeDebugPrivilege	2168	6d4166ae6ee8d6ec5af09d73d256bd83.exe
Token: SeDebugPrivilege	1344	Deneme Server 2.exe
Token: SeIncreaseQuotaPrivilege	2748	Deneme Server.exe
Token: SeSecurityPrivilege	2748	Deneme Server.exe
Token: SeTakeOwnershipPrivilege	2748	Deneme Server.exe
Token: SeLoadDriverPrivilege	2748	Deneme Server.exe
Token: SeSystemProfilePrivilege	2748	Deneme Server.exe
Token: SeSystemtimePrivilege	2748	Deneme Server.exe
Token: SeProfSingleProcessPrivilege	2748	Deneme Server.exe
Token: SeIncBasePriorityPrivilege	2748	Deneme Server.exe
Token: SeCreatePagefilePrivilege	2748	Deneme Server.exe
Token: SeBackupPrivilege	2748	Deneme Server.exe
Token: SeRestorePrivilege	2748	Deneme Server.exe
Token: SeShutdownPrivilege	2748	Deneme Server.exe
Token: SeDebugPrivilege	2748	Deneme Server.exe
Token: SeSystemEnvironmentPrivilege	2748	Deneme Server.exe
Token: SeChangeNotifyPrivilege	2748	Deneme Server.exe
Token: SeRemoteShutdownPrivilege	2748	Deneme Server.exe
Token: SeUndockPrivilege	2748	Deneme Server.exe
Token: SeManageVolumePrivilege	2748	Deneme Server.exe
Token: SeImpersonatePrivilege	2748	Deneme Server.exe
Token: SeCreateGlobalPrivilege	2748	Deneme Server.exe
Token: 33	2748	Deneme Server.exe
Token: 34	2748	Deneme Server.exe
Token: 35	2748	Deneme Server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Deneme Server.exe

pid process

2748 Deneme Server.exe

pid	process
2748	Deneme Server.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

6d4166ae6ee8d6ec5af09d73d256bd83.exeDeneme Server 2.exe

description	pid	process	target process
PID 2168 wrote to memory of 1344	2168	6d4166ae6ee8d6ec5af09d73d256bd83.exe	Deneme Server 2.exe
PID 2168 wrote to memory of 1344	2168	6d4166ae6ee8d6ec5af09d73d256bd83.exe	Deneme Server 2.exe
PID 2168 wrote to memory of 1344	2168	6d4166ae6ee8d6ec5af09d73d256bd83.exe	Deneme Server 2.exe
PID 1344 wrote to memory of 2748	1344	Deneme Server 2.exe	Deneme Server.exe
PID 1344 wrote to memory of 2748	1344	Deneme Server 2.exe	Deneme Server.exe
PID 1344 wrote to memory of 2748	1344	Deneme Server 2.exe	Deneme Server.exe
PID 1344 wrote to memory of 2748	1344	Deneme Server 2.exe	Deneme Server.exe

C:\Users\Admin\AppData\Local\Temp\6d4166ae6ee8d6ec5af09d73d256bd83.exe
"C:\Users\Admin\AppData\Local\Temp\6d4166ae6ee8d6ec5af09d73d256bd83.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\Desktop\Deneme Server 2.exe
"C:\Users\Admin\Desktop\Deneme Server 2.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\Desktop\Deneme Server.exe
"C:\Users\Admin\Desktop\Deneme Server.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2748

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Deneme Server.exe
Filesize
349KB

MD5
c7f0a3e8111658ee68aaff70cbb8c762

SHA1
1b8d8a570f6e4ddca60e8701e17c3cb8f29fbfae

SHA256
da5a459d79af026e43ed00845a93b407b2da2ed2da9731df63fefea8d1a0fb93

SHA512
7354ad99e45bda9f7ea5c44787dea0c0c83728ec3e46c2be5840c07952ec390325cc41b28f360876238643613e40ff9d84100763d3379d51de9c60d56c95aa95

Download Submit
\Users\Admin\Desktop\Deneme Server 2.exe
Filesize
272KB

MD5
5e7599beee5b23858e1339c802a2b42e

SHA1
6f1f1f6d8c15582ae44d9312c07bcf771e63983b

SHA256
63cbb50418ff9617182869680dd65862f27eba39adf6b4405ff8449f5973c37d

SHA512
8c52a4ae02dc889aa178fcd89c0af2b61ef9bb389330b4338c2759424298480835540d523caf5a573cd50f60896d2f771861128320fad434677efaf5a2213332

Download Submit
memory/1344-17-0x000000001B990000-0x000000001BA10000-memory.dmp

Filesize
512KB

Download
memory/1344-25-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/1344-16-0x000000001B990000-0x000000001BA10000-memory.dmp

Filesize
512KB

Download
memory/1344-11-0x000000013F2D0000-0x000000013F318000-memory.dmp

Filesize
288KB

Download
memory/1344-15-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2168-12-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2168-0-0x000000013FD80000-0x000000013FDCA000-memory.dmp

Filesize
296KB

Download
memory/2168-2-0x000000001B9D0000-0x000000001BA50000-memory.dmp

Filesize
512KB

Download
memory/2168-1-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2168-3-0x000000001B9D0000-0x000000001BA50000-memory.dmp

Filesize
512KB

Download
memory/2748-24-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2748-26-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2748-28-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2748-40-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads