darkcomet | aefcc4fbfe2edc7cc7992085ee0ef500cd6def9b66e5f668d4dfc03ae06f49c1

General

Target

aefcc4fbfe2edc7cc7992085ee0ef500cd6def9b66e5f668d4dfc03ae06f49c1.exe
Size

1.1MB
MD5

49fc97af2d9c6cae7e412ae548e7edd8
SHA1

f6c969bcab3ae6ab2116708ab002828e7482c5f7
SHA256

aefcc4fbfe2edc7cc7992085ee0ef500cd6def9b66e5f668d4dfc03ae06f49c1
SHA512

a7f151c9adae93329d14ccff453b13de250f5978cc28e8a1f78ad74469a0d12951c837604d11f24ff9268d1548fc63ae3e69b6eadf2ac9870ad6bad0ea2ee49a
SSDEEP

24576:RBkVdlYACfZQ+aS2HnJV54K0q6tHXsk+vZmE:/svCfj/wV5GtHBcx

Score

10^/10

darkcomet guest16 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

5.tcp.eu.ngrok.io:13559

Mutex

DC_MUTEX-RYGWV09

Attributes

gencode
iM649R849fl9
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

егорыч.exe

pid process

2584 егорыч.exe

pid	process
2584	егорыч.exe

Loads dropped DLL 5 IoCs

Processes:

aefcc4fbfe2edc7cc7992085ee0ef500cd6def9b66e5f668d4dfc03ae06f49c1.exe

pid	process
2944	aefcc4fbfe2edc7cc7992085ee0ef500cd6def9b66e5f668d4dfc03ae06f49c1.exe
2944	aefcc4fbfe2edc7cc7992085ee0ef500cd6def9b66e5f668d4dfc03ae06f49c1.exe
2944	aefcc4fbfe2edc7cc7992085ee0ef500cd6def9b66e5f668d4dfc03ae06f49c1.exe
2944	aefcc4fbfe2edc7cc7992085ee0ef500cd6def9b66e5f668d4dfc03ae06f49c1.exe
2944	aefcc4fbfe2edc7cc7992085ee0ef500cd6def9b66e5f668d4dfc03ae06f49c1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

2 5.tcp.eu.ngrok.io
19 5.tcp.eu.ngrok.io
69 5.tcp.eu.ngrok.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
2	5.tcp.eu.ngrok.io
19	5.tcp.eu.ngrok.io
69	5.tcp.eu.ngrok.io

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

егорыч.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2584	егорыч.exe
Token: SeSecurityPrivilege	2584	егорыч.exe
Token: SeTakeOwnershipPrivilege	2584	егорыч.exe
Token: SeLoadDriverPrivilege	2584	егорыч.exe
Token: SeSystemProfilePrivilege	2584	егорыч.exe
Token: SeSystemtimePrivilege	2584	егорыч.exe
Token: SeProfSingleProcessPrivilege	2584	егорыч.exe
Token: SeIncBasePriorityPrivilege	2584	егорыч.exe
Token: SeCreatePagefilePrivilege	2584	егорыч.exe
Token: SeBackupPrivilege	2584	егорыч.exe
Token: SeRestorePrivilege	2584	егорыч.exe
Token: SeShutdownPrivilege	2584	егорыч.exe
Token: SeDebugPrivilege	2584	егорыч.exe
Token: SeSystemEnvironmentPrivilege	2584	егорыч.exe
Token: SeChangeNotifyPrivilege	2584	егорыч.exe
Token: SeRemoteShutdownPrivilege	2584	егорыч.exe
Token: SeUndockPrivilege	2584	егорыч.exe
Token: SeManageVolumePrivilege	2584	егорыч.exe
Token: SeImpersonatePrivilege	2584	егорыч.exe
Token: SeCreateGlobalPrivilege	2584	егорыч.exe
Token: 33	2584	егорыч.exe
Token: 34	2584	егорыч.exe
Token: 35	2584	егорыч.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2208 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

егорыч.exe

pid process

2584 егорыч.exe

pid	process
2208	DllHost.exe

pid	process
2584	егорыч.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

aefcc4fbfe2edc7cc7992085ee0ef500cd6def9b66e5f668d4dfc03ae06f49c1.exe

description	pid	process	target process
PID 2944 wrote to memory of 2584	2944	aefcc4fbfe2edc7cc7992085ee0ef500cd6def9b66e5f668d4dfc03ae06f49c1.exe	егорыч.exe
PID 2944 wrote to memory of 2584	2944	aefcc4fbfe2edc7cc7992085ee0ef500cd6def9b66e5f668d4dfc03ae06f49c1.exe	егорыч.exe
PID 2944 wrote to memory of 2584	2944	aefcc4fbfe2edc7cc7992085ee0ef500cd6def9b66e5f668d4dfc03ae06f49c1.exe	егорыч.exe
PID 2944 wrote to memory of 2584	2944	aefcc4fbfe2edc7cc7992085ee0ef500cd6def9b66e5f668d4dfc03ae06f49c1.exe	егорыч.exe

C:\Users\Admin\AppData\Local\Temp\aefcc4fbfe2edc7cc7992085ee0ef500cd6def9b66e5f668d4dfc03ae06f49c1.exe
"C:\Users\Admin\AppData\Local\Temp\aefcc4fbfe2edc7cc7992085ee0ef500cd6def9b66e5f668d4dfc03ae06f49c1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944

C:\Users\Admin\AppData\Local\Temp\RarSFX0\егорыч.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\егорыч.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2584

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2208

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Screenshot_5.png
Filesize
250KB

MD5
a905f9c62a5ea77a587f268e2cfdd776

SHA1
c1d4f8126182882e472486d1d1dbe93762bb0897

SHA256
6e9b20dee99fa75cfffd0ebae9a888adf611eca15dc8fe160e0ea0f8a2fc520e

SHA512
272592e34b9f6c7163717dc0520577ced3abfcf3b6d0ed54e84821d364a9119f413ee24c079eae991db1fddf4e168be78fceb22bfad2c89d3a1de654dcbeb66f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\егорыч.exe
Filesize
658KB

MD5
c4f0b78a6fae84edab5e00f55a5e74e9

SHA1
0b9608a0db03faa4b219c0ccb3f89c094d5a736d

SHA256
b2401024feb120662c7b58d8fab4e5879cfa11f3c2ca55528a101ab1a52afcf8

SHA512
7bce618f0fd6b03f1b1072f5171ba1fd94d7b373836a5c7faa8eb6b0ba735c91a7c209c59d3e581a01a245bda1645575f3a19e9c7fe0491602a807138084b2c2

Download Submit
memory/2208-5-0x0000000000140000-0x0000000000142000-memory.dmp

Filesize
8KB

Download
memory/2208-6-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2208-27-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2584-29-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-31-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-26-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-23-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2584-28-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-39-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-30-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-32-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-33-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-34-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-35-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-36-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-38-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2944-4-0x0000000002230000-0x0000000002232000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads