darkcomet | c4152f0e4d245d616b6ee3c8a21a3e3c94926a5083cedf607df014aca2f6a631

General

Target

c4152f0e4d245d616b6ee3c8a21a3e3c94926a5083cedf607df014aca2f6a631.exe
Size

1.7MB
MD5

0acfcded8b4ac12fe117a597f4f43724
SHA1

8fa8c7a9b601cf76a9ea487d4d94784d1914cbb6
SHA256

c4152f0e4d245d616b6ee3c8a21a3e3c94926a5083cedf607df014aca2f6a631
SHA512

20188ad19f995c350a5d22f92500db127616aad23d3cec5fb755ee8180a8518bb0d6ac29a39eef291212c36289dc16866a131655c16a8549eab76114bbe088c8
SSDEEP

24576:eP3k/Aj7n2VrfVd1XjxcMtXvUTNv8maGLM3TbNwBTS5susMj:ec/ACdvzDv+V5rLM3TpwBR3M

Score

10^/10

darkcomet discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 2 IoCs

pid	Process
2324	SIFRELI_DOSYA.EXE
2112	SIFRELI_DOSYA.exe

Loads dropped DLL 3 IoCs

pid	Process
764	c4152f0e4d245d616b6ee3c8a21a3e3c94926a5083cedf607df014aca2f6a631.exe
764	c4152f0e4d245d616b6ee3c8a21a3e3c94926a5083cedf607df014aca2f6a631.exe
2324	SIFRELI_DOSYA.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 2112	2324	SIFRELI_DOSYA.EXE	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4152f0e4d245d616b6ee3c8a21a3e3c94926a5083cedf607df014aca2f6a631.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SIFRELI_DOSYA.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SIFRELI_DOSYA.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2112	SIFRELI_DOSYA.exe
Token: SeSecurityPrivilege	2112	SIFRELI_DOSYA.exe
Token: SeTakeOwnershipPrivilege	2112	SIFRELI_DOSYA.exe
Token: SeLoadDriverPrivilege	2112	SIFRELI_DOSYA.exe
Token: SeSystemProfilePrivilege	2112	SIFRELI_DOSYA.exe
Token: SeSystemtimePrivilege	2112	SIFRELI_DOSYA.exe
Token: SeProfSingleProcessPrivilege	2112	SIFRELI_DOSYA.exe
Token: SeIncBasePriorityPrivilege	2112	SIFRELI_DOSYA.exe
Token: SeCreatePagefilePrivilege	2112	SIFRELI_DOSYA.exe
Token: SeBackupPrivilege	2112	SIFRELI_DOSYA.exe
Token: SeRestorePrivilege	2112	SIFRELI_DOSYA.exe
Token: SeShutdownPrivilege	2112	SIFRELI_DOSYA.exe
Token: SeDebugPrivilege	2112	SIFRELI_DOSYA.exe
Token: SeSystemEnvironmentPrivilege	2112	SIFRELI_DOSYA.exe
Token: SeChangeNotifyPrivilege	2112	SIFRELI_DOSYA.exe
Token: SeRemoteShutdownPrivilege	2112	SIFRELI_DOSYA.exe
Token: SeUndockPrivilege	2112	SIFRELI_DOSYA.exe
Token: SeManageVolumePrivilege	2112	SIFRELI_DOSYA.exe
Token: SeImpersonatePrivilege	2112	SIFRELI_DOSYA.exe
Token: SeCreateGlobalPrivilege	2112	SIFRELI_DOSYA.exe
Token: 33	2112	SIFRELI_DOSYA.exe
Token: 34	2112	SIFRELI_DOSYA.exe
Token: 35	2112	SIFRELI_DOSYA.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2324	SIFRELI_DOSYA.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 2324	764	c4152f0e4d245d616b6ee3c8a21a3e3c94926a5083cedf607df014aca2f6a631.exe	31
PID 764 wrote to memory of 2324	764	c4152f0e4d245d616b6ee3c8a21a3e3c94926a5083cedf607df014aca2f6a631.exe	31
PID 764 wrote to memory of 2324	764	c4152f0e4d245d616b6ee3c8a21a3e3c94926a5083cedf607df014aca2f6a631.exe	31
PID 764 wrote to memory of 2324	764	c4152f0e4d245d616b6ee3c8a21a3e3c94926a5083cedf607df014aca2f6a631.exe	31
PID 2324 wrote to memory of 2112	2324	SIFRELI_DOSYA.EXE	32
PID 2324 wrote to memory of 2112	2324	SIFRELI_DOSYA.EXE	32
PID 2324 wrote to memory of 2112	2324	SIFRELI_DOSYA.EXE	32
PID 2324 wrote to memory of 2112	2324	SIFRELI_DOSYA.EXE	32
PID 2324 wrote to memory of 2112	2324	SIFRELI_DOSYA.EXE	32
PID 2324 wrote to memory of 2112	2324	SIFRELI_DOSYA.EXE	32
PID 2324 wrote to memory of 2112	2324	SIFRELI_DOSYA.EXE	32
PID 2324 wrote to memory of 2112	2324	SIFRELI_DOSYA.EXE	32
PID 2324 wrote to memory of 2112	2324	SIFRELI_DOSYA.EXE	32
PID 2324 wrote to memory of 2112	2324	SIFRELI_DOSYA.EXE	32
PID 2324 wrote to memory of 2112	2324	SIFRELI_DOSYA.EXE	32
PID 2324 wrote to memory of 2112	2324	SIFRELI_DOSYA.EXE	32
PID 2324 wrote to memory of 2112	2324	SIFRELI_DOSYA.EXE	32

C:\Users\Admin\AppData\Local\Temp\c4152f0e4d245d616b6ee3c8a21a3e3c94926a5083cedf607df014aca2f6a631.exe
"C:\Users\Admin\AppData\Local\Temp\c4152f0e4d245d616b6ee3c8a21a3e3c94926a5083cedf607df014aca2f6a631.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Local\Temp\SIFRELI_DOSYA.EXE
  "C:\Users\Admin\AppData\Local\Temp\SIFRELI_DOSYA.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\SIFRELI_DOSYA.exe
    "C:\Users\Admin\AppData\Local\Temp\SIFRELI_DOSYA.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\SIFRELI_DOSYA.EXE

Filesize
1.7MB

MD5
bd7e1c6fc0ea3f735564d07474636da4

SHA1
3147bcbb6b2392e9804f7bf303ef2fd597a2a88d

SHA256
f2bd4a3c00942a5538eacc3d49adf379ad44b64091f26b5246c455d79332edbe

SHA512
63042e45cddcc82a857ab25cd9da2ddf3e5e2cc7c6425e5153ef0fb55e27b93052b62740b4570c84ed998afe0c061bf035b91f17411c1cc0e2d8aef0e9d864e1

Download Submit
memory/2112-15-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2112-21-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2112-35-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2112-33-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2112-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2112-29-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2112-28-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2112-25-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2112-23-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2112-19-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2112-17-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2112-36-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2112-37-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2112-38-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2112-39-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2112-40-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2112-41-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2112-42-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download

Analysis

Sharing