General

  • Target

    a975c97d72bbaf38dd2500653721ec7a6d85153ddb6cba2a33cd6a009dad1ab2

  • Size

    452KB

  • Sample

    221205-lmjv2abf7w

  • MD5

    95338d4bf0749e280fb3dd156c173e65

  • SHA1

    18e760995c269c6f052c476cda1e981df13828ec

  • SHA256

    a975c97d72bbaf38dd2500653721ec7a6d85153ddb6cba2a33cd6a009dad1ab2

  • SHA512

    a4cccd475eebba68bb2a36d819435bf83fabd7d6741dd51a794879dad88594e676a7d5542e7be0c04ee4476d1bb2743fd3238c1227b207e1dcd3dcf09c442533

  • SSDEEP

    6144:fcV+uhsCuKQ+FD+TG1hPApaKYoCG9+ExwPIGFGZgH/Rgy/eQq3EK42Nlw3Zp/7US:fyTuKQyD+TKSBwA2ZgbQqAH4G2htZm

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (T1064): 1

  • Persistence

    Winlogon Helper DLL (T1004): 1

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2

    Scripting (T1064): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2