darkcomet | 3d6bc3c0247c2b4f87282da002475ac068b5b6cac948743f697832a9a4a4c6de

General

Target

XPloit.zip
Size

23.9MB
MD5

df5931935ffe284ca5b40791607e7a4c
SHA1

262399853d05ece01f740d1e820aa892b065b1bd
SHA256

3d6bc3c0247c2b4f87282da002475ac068b5b6cac948743f697832a9a4a4c6de
SHA512

38ac5f801f73714c840e16c8513b3c4f2d29815f042585a61c06830a76c1cae0e7e295241be686ae2d5f4bd19503ee9e69dadd611b1389d6ea9018553df785f7
SSDEEP

393216:OH+kig1whmEJ+oUAgHRsP56jvR3vJ0RPaati4b8sVNSCoOYhkhalpMJpQl+25+:sB1w/J+oUANMj53vOxavKxoqhMgpw+

Score

10^/10

darkcomet sazan discovery pyinstaller rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

C2

127.0.0.1:1604

Mutex

DC_MUTEX-R2MY49E

Attributes

gencode
0JGDeNqTa1iX
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 7 IoCs

pid	Process
2816	XPloit.exe
3008	BUILT.EXE
3004	XPLOIT.EXE
2328	XPLOIT.EXE
1744	BUILT.EXE
2964	BUILT.EXE
1756	BUILT.EXE

Loads dropped DLL 10 IoCs

pid	Process
2816	XPloit.exe
2816	XPloit.exe
2816	XPloit.exe
2816	XPloit.exe
1744	BUILT.EXE
3008	BUILT.EXE
2964	BUILT.EXE
1756	BUILT.EXE
1216	Process not Found
1216	Process not Found

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000001cb95-264.dat	upx
behavioral1/memory/2964-267-0x000007FEF6580000-0x000007FEF69EE000-memory.dmp	upx
behavioral1/memory/1756-268-0x000007FEF6110000-0x000007FEF657E000-memory.dmp	upx

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0005000000018686-18.dat	pyinstaller
behavioral1/files/0x0012000000011c2c-22.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XPloit.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeRestorePrivilege	2272	7zFM.exe
Token: 35	2272	7zFM.exe
Token: SeSecurityPrivilege	2272	7zFM.exe
Token: SeIncreaseQuotaPrivilege	2816	XPloit.exe
Token: SeSecurityPrivilege	2816	XPloit.exe
Token: SeTakeOwnershipPrivilege	2816	XPloit.exe
Token: SeLoadDriverPrivilege	2816	XPloit.exe
Token: SeSystemProfilePrivilege	2816	XPloit.exe
Token: SeSystemtimePrivilege	2816	XPloit.exe
Token: SeProfSingleProcessPrivilege	2816	XPloit.exe
Token: SeIncBasePriorityPrivilege	2816	XPloit.exe
Token: SeCreatePagefilePrivilege	2816	XPloit.exe
Token: SeBackupPrivilege	2816	XPloit.exe
Token: SeRestorePrivilege	2816	XPloit.exe
Token: SeShutdownPrivilege	2816	XPloit.exe
Token: SeDebugPrivilege	2816	XPloit.exe
Token: SeSystemEnvironmentPrivilege	2816	XPloit.exe
Token: SeChangeNotifyPrivilege	2816	XPloit.exe
Token: SeRemoteShutdownPrivilege	2816	XPloit.exe
Token: SeUndockPrivilege	2816	XPloit.exe
Token: SeManageVolumePrivilege	2816	XPloit.exe
Token: SeImpersonatePrivilege	2816	XPloit.exe
Token: SeCreateGlobalPrivilege	2816	XPloit.exe
Token: 33	2816	XPloit.exe
Token: 34	2816	XPloit.exe
Token: 35	2816	XPloit.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2272	7zFM.exe
2272	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2816	XPloit.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 3008	2816	XPloit.exe	32
PID 2816 wrote to memory of 3008	2816	XPloit.exe	32
PID 2816 wrote to memory of 3008	2816	XPloit.exe	32
PID 2816 wrote to memory of 3008	2816	XPloit.exe	32
PID 2816 wrote to memory of 3004	2816	XPloit.exe	33
PID 2816 wrote to memory of 3004	2816	XPloit.exe	33
PID 2816 wrote to memory of 3004	2816	XPloit.exe	33
PID 2816 wrote to memory of 3004	2816	XPloit.exe	33
PID 2816 wrote to memory of 1744	2816	XPloit.exe	34
PID 2816 wrote to memory of 1744	2816	XPloit.exe	34
PID 2816 wrote to memory of 1744	2816	XPloit.exe	34
PID 2816 wrote to memory of 1744	2816	XPloit.exe	34
PID 2816 wrote to memory of 2328	2816	XPloit.exe	35
PID 2816 wrote to memory of 2328	2816	XPloit.exe	35
PID 2816 wrote to memory of 2328	2816	XPloit.exe	35
PID 2816 wrote to memory of 2328	2816	XPloit.exe	35
PID 1744 wrote to memory of 2964	1744	BUILT.EXE	36
PID 1744 wrote to memory of 2964	1744	BUILT.EXE	36
PID 1744 wrote to memory of 2964	1744	BUILT.EXE	36
PID 3008 wrote to memory of 1756	3008	BUILT.EXE	37
PID 3008 wrote to memory of 1756	3008	BUILT.EXE	37
PID 3008 wrote to memory of 1756	3008	BUILT.EXE	37

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XPloit.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2272

C:\Users\Admin\Desktop\XPloit.exe
"C:\Users\Admin\Desktop\XPloit.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\BUILT.EXE
  "C:\Users\Admin\AppData\Local\Temp\BUILT.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\BUILT.EXE
    "C:\Users\Admin\AppData\Local\Temp\BUILT.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1756
- C:\Users\Admin\AppData\Local\Temp\XPLOIT.EXE
  "C:\Users\Admin\AppData\Local\Temp\XPLOIT.EXE"
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Users\Admin\AppData\Local\Temp\BUILT.EXE
  "C:\Users\Admin\AppData\Local\Temp\BUILT.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\BUILT.EXE
    "C:\Users\Admin\AppData\Local\Temp\BUILT.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2964
- C:\Users\Admin\AppData\Local\Temp\XPLOIT.EXE
  "C:\Users\Admin\AppData\Local\Temp\XPLOIT.EXE"
  2⤵
  - Executes dropped EXE
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XPLOIT.EXE

Filesize
135KB

MD5
dbf80d65197b762c7089bfd295d2fc38

SHA1
662f6c5795dab723c07415c44b41eeeda98bc77c

SHA256
1c89b9a76d0d88d1c63f3fef31b6ec806681791ede444251ed7a3959cf18e230

SHA512
476f078c7a64112a03f4e190fe8d43cba7a885a4a72daaecd57700be2490d6261b3a2963188f12e36e51768b7c2112f64ed003d2345722270cd4758bde122f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17442\pyinstaller-5.1.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\python310.dll

Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\Desktop\XPloit.exe

Filesize
18.6MB

MD5
bb2ef742beac994d93804ffd0f5e25a9

SHA1
ca276708b744d244b4e1dc897eb707869e681c34

SHA256
54a08d439e0024aaa094b8bc9360672c6d7c09d800548a72efdc3ac6a11fe151

SHA512
fc79e068d5953ef62d60d8741896661be482b89816e9a7430151f6040ebfd3a48df649c596903017781bfa3febc8d2460ad53f83348db740341f54a093f27122

Download Submit
\Users\Admin\AppData\Local\Temp\BUILT.EXE

Filesize
17.8MB

MD5
85a20b1130f97555855654ebad623678

SHA1
eceb6b17e5115ed302193ecdc4e80cf362ba086e

SHA256
23b550ae22c1849ae209562e61ed13f6411532c8d9655c5c012641b14004de4b

SHA512
0bc80d39de5b4a29366c15726010986c312634c774727e6cfc842a36437e5b0a5edf6e151f73b80f17bcee43c215bcafc6b50d2069c61ee1146b87291d3a4083

Download Submit
memory/1756-268-0x000007FEF6110000-0x000007FEF657E000-memory.dmp

Filesize
4.4MB

Download
memory/2816-271-0x0000000000400000-0x00000000016AA000-memory.dmp

Filesize
18.7MB

Download
memory/2816-492-0x0000000000400000-0x00000000016AA000-memory.dmp

Filesize
18.7MB

Download
memory/2964-267-0x000007FEF6580000-0x000007FEF69EE000-memory.dmp

Filesize
4.4MB

Download

Resubmissions

Analysis

Sharing