General

  • Target

    5f331dedb2f42339dc2c63c37cbe0ad6c08284321dbd55e63ea962c34047c467

  • Size

    421KB

  • Sample

    221011-lafmvafgd3

  • MD5

    49db6b31edf8467024dd179caa0ef443

  • SHA1

    90feaac57268b744f6c4d241d0bcd0d9946f3159

  • SHA256

    5f331dedb2f42339dc2c63c37cbe0ad6c08284321dbd55e63ea962c34047c467

  • SHA512

    b285d5bc00917b1138e54f87209b10b46696f421a1e491b8f9c8e5949831cfdd1ff153582c2148a2e1594e06dc98ba84e91b6e7539539abd03d341045dcc159a

  • SSDEEP

    12288:LK3D4laCy90VxQsrlxrj3pbJrnGV5aj9:iVCy2xQsrPrj3BZGHa

Malware Config

Targets

    • Target

      5f331dedb2f42339dc2c63c37cbe0ad6c08284321dbd55e63ea962c34047c467

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar file listings.

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application
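
As an added host triage check (not part of the sandbox report and not the sample's own code), the following PowerShell script reads the registry locations behind the signatures listed above: the Policies\System values that disable RegEdit and Task Manager, the Winlogon Userinit and Shell values, the Run keys (flagging entries that point into user-writable paths or at hidden files), the standard-profile firewall and Defender policy values, and the GeoID the sample would read for its location check. The registry paths are standard Windows locations; the baseline values it compares against (stock userinit.exe, explorer.exe, firewall enabled) are assumptions about a default installation, and it does not know which values this particular sample changed. Run it in an elevated PowerShell on the suspect host.

```powershell
# Added triage script: reads the registry locations that the signatures above
# refer to and reports values that look like RAT-style tampering. Paths are
# standard Windows locations; the "clean" baselines are assumptions about a
# default install, not values taken from the sample.

$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. RegEdit / Task Manager lockout. A non-zero value disables the tool.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $pol = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
        $v = Get-RegValue $pol $name
        if ($v -and $v -ne 0) { $findings.Add("$pol\$name = $v (tool disabled)") }
    }
}

# 2. Winlogon persistence. Userinit should name only the stock binary and
#    Shell should be explorer.exe; anything appended is suspect.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = Get-RegValue $wl 'Userinit'
if ($userinit -and $userinit -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?\s*$') {
    $findings.Add("Winlogon Userinit = '$userinit'")
}
$shell = Get-RegValue $wl 'Shell'
if ($shell -and $shell -ne 'explorer.exe') {
    $findings.Add("Winlogon Shell = '$shell'")
}

# 3. Run keys: flag autostart entries in user-writable locations and entries
#    whose target file carries the Hidden attribute.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    $props = Get-ItemProperty -Path $rk
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        $cmd = [string]$p.Value
        if ($cmd -match '\\(AppData|Temp|ProgramData|Users\\Public)\\') {
            $findings.Add("Run entry '$($p.Name)' -> $cmd")
        }
        # Resolve the command's first token to a path, honouring quoting.
        if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $attr = (Get-Item -LiteralPath $exe -Force).Attributes
            if ([int]($attr -band [IO.FileAttributes]::Hidden) -ne 0) {
                $findings.Add("Run entry '$($p.Name)' points at hidden file $exe")
            }
        }
    }
}

# 4. Firewall and Defender policy tampering.
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fwState = Get-RegValue $fw 'EnableFirewall'
if ($fwState -eq 0) { $findings.Add("$fw\EnableFirewall = 0 (firewall disabled)") }
$defPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$av = Get-RegValue $defPol 'DisableAntiSpyware'
if ($av -eq 1) { $findings.Add("$defPol\DisableAntiSpyware = 1") }

# 5. The country code a geofence check would read.
$geo = Get-RegValue 'HKCU:\Control Panel\International\Geo' 'Nation'
if ($geo) { $findings.Add("GeoID (Control Panel\International\Geo\Nation) = $geo") }

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

Treat the Run-key and GeoID lines as context rather than verdicts: a legitimate updater can live under AppData, and the GeoID is only reported so the analyst can see what the sample's location check would have returned on this host.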

MITRE ATT&CK Enterprise v6

Tasks