Overview

overview

10

Static

static

10

040bb28f0c...e6.exe

windows7-x64

10

040bb28f0c...e6.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    040bb28f0c774940dbe3bc36655c5242dc34c5c18525cb8ced5ab762578faae6

  • Size

    647KB

  • Sample

    221020-lxbmeaged9

  • MD5

    7121ae7ca00cd408bc0005ee6cb4b1f1

  • SHA1

    f63696f88d9041f9cbf0e0ad390ab9eefb84c00e

  • SHA256

    040bb28f0c774940dbe3bc36655c5242dc34c5c18525cb8ced5ab762578faae6

  • SHA512

    1798cc3888307810d0c468c93996c45ac85c4e11282940757b02af2c4c9c65240db9e78719d08935e2b27eaea33cdfc67401b30f7c4712dc59b65f78a08835aa

  • SSDEEP

    12288:48UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1f/gORixt:RUKoN0bUxgGa/pfBHDb+y1HgZ3

Score
10/10
darkcometevasionpersistencerattrojan

Malware Config

Targets

    • Target

      040bb28f0c774940dbe3bc36655c5242dc34c5c18525cb8ced5ab762578faae6

    • Size

      647KB

    • MD5

      7121ae7ca00cd408bc0005ee6cb4b1f1

    • SHA1

      f63696f88d9041f9cbf0e0ad390ab9eefb84c00e

    • SHA256

      040bb28f0c774940dbe3bc36655c5242dc34c5c18525cb8ced5ab762578faae6

    • SHA512

      1798cc3888307810d0c468c93996c45ac85c4e11282940757b02af2c4c9c65240db9e78719d08935e2b27eaea33cdfc67401b30f7c4712dc59b65f78a08835aa

    • SSDEEP

      12288:48UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1f/gORixt:RUKoN0bUxgGa/pfBHDb+y1HgZ3

    Score
    10/10
    darkcometevasionpersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Modifies firewall policy service

      evasion

    • Windows security bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks