General

  • Target

    f175a4c17101843376c31e055083314a20b21f28c9a451aa159818463abd212b

  • Size

    427KB

  • Sample

    220725-r3k1xsafd3

  • MD5

    55df99a116a1369f7ad5748a8c82c6ae

  • SHA1

    c557457c271b7047df114672390c3ad4f0393b3a

  • SHA256

    f175a4c17101843376c31e055083314a20b21f28c9a451aa159818463abd212b

  • SHA512

    260a2728e38daff602cca99116ecdf2175210320b443895917de59d79885d49b96108f250871969e846881a42e7e2217b90e1d3e2486a14f1e2faae5f5b9d7cc

Malware Config

Targets

    • Target

      f175a4c17101843376c31e055083314a20b21f28c9a451aa159818463abd212b

    • Size

      427KB

    • MD5

      55df99a116a1369f7ad5748a8c82c6ae

    • SHA1

      c557457c271b7047df114672390c3ad4f0393b3a

    • SHA256

      f175a4c17101843376c31e055083314a20b21f28c9a451aa159818463abd212b

    • SHA512

      260a2728e38daff602cca99116ecdf2175210320b443895917de59d79885d49b96108f250871969e846881a42e7e2217b90e1d3e2486a14f1e2faae5f5b9d7cc

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Tasks