General

  • Target

    bd5acaf99683a50ae23b4b2ff8d7ca8a6c9b336f1025e3ce06825f3fa635f69a

  • Size

    1.1MB

  • Sample

    221203-gxlp6abb97

  • MD5

    c45df2ad5a30bf14b9a2ea08bbace08f

  • SHA1

    cce030b3ce2aadf6b95d9152accc54ee7fc53f74

  • SHA256

    bd5acaf99683a50ae23b4b2ff8d7ca8a6c9b336f1025e3ce06825f3fa635f69a

  • SHA512

    bc2f9842ecaaed03278a745714084b905e928d295314ea42ddb9470c8e90176cf94ed4bbe9c92228524e63c71238721f6ed4dee62c155ffea6b56a3aef6d853b

  • SSDEEP

    24576:rnqZZhmaItsCvugR2SQqOr5edCdcl5edCdc:rCTPItsCGgxQqcSxS

Malware Config

Targets

    • Target

      bd5acaf99683a50ae23b4b2ff8d7ca8a6c9b336f1025e3ce06825f3fa635f69a

    • Size

      1.1MB

    • MD5

      c45df2ad5a30bf14b9a2ea08bbace08f

    • SHA1

      cce030b3ce2aadf6b95d9152accc54ee7fc53f74

    • SHA256

      bd5acaf99683a50ae23b4b2ff8d7ca8a6c9b336f1025e3ce06825f3fa635f69a

    • SHA512

      bc2f9842ecaaed03278a745714084b905e928d295314ea42ddb9470c8e90176cf94ed4bbe9c92228524e63c71238721f6ed4dee62c155ffea6b56a3aef6d853b

    • SSDEEP

      24576:rnqZZhmaItsCvugR2SQqOr5edCdcl5edCdc:rCTPItsCGgxQqcSxS

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

2
T1031

Hidden Files and Directories

2
T1158

Defense Evasion

Modify Registry

4
T1112

Disabling Security Tools

2
T1089

Hidden Files and Directories

2
T1158

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks