General

  • Target

    61c6858c5ecd6f8c83bc8d318d9f9c5f

  • Size

    349KB

  • Sample

    201117-cqz2kah5a6

  • MD5

    0983cb6fb6ca713e547893ef1c90c09d

  • SHA1

    766807324427b5a4ecc82c75d15be09d1695795d

  • SHA256

    7eb160d254641cd57c9abbae458370718b989d6096f17c6888318a8ebb253853

  • SHA512

    73e9bb86649eb4df330e4e12c0adbf1e03f03d55b37dba192e3081902f6f6143b38283610c7137124998aeeaadfa66c94fec992802a0ea37f5970e599043776b

Malware Config

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

  Tactic           Technique                           Count  ID
  Persistence      Winlogon Helper DLL                 1      T1004
  Persistence      Registry Run Keys / Startup Folder  1      T1060
  Defense Evasion  Modify Registry                     2      T1112
  Discovery        Query Registry                      1      T1012
  Discovery        System Information Discovery        2      T1082

Tasks