General

  • Target

    230351e5b4ee08a6583797d942967b059aec63c32eb26427f45d4ff64701b3fe.zip

  • Size

    343KB

  • Sample

    230710-jv525aab21

  • MD5

    b2eaf252765daab6176aed8447f47fd1

  • SHA1

    29f1cdc24af499736eb31e61721cb58889e981dc

  • SHA256

    d040394367cf46f1ec52457594169b02254d0b005b1116ae333b90f721965272

  • SHA512

    dde9a1d586d964e02434dd457072738ef67ed81f765eafb73bd262b3d74f0bbf0f2de422c9dadee971bf8cc6ed05d066ea68e891ef96933330915293eeeda8ce

  • SSDEEP

    6144:Ul78yfsGuNvWQTLEA+4DDpx2u8rsrJW06eY/+md/4LaVGrjCNg3Zuiir8F:iV7uNeQXv+4p13NZuV4oiiAF

Malware Config

Targets

    • Target

      230351e5b4ee08a6583797d942967b059aec63c32eb26427f45d4ff64701b3fe.exe

    • Size

      745KB

    • MD5

      c0e4f49d4ea30fe8e04fdba223b44f24

    • SHA1

      42d85163e18f35fd435b5f96a0bce10b8336b440

    • SHA256

      230351e5b4ee08a6583797d942967b059aec63c32eb26427f45d4ff64701b3fe

    • SHA512

      127923ce8310070ef1083b66f92ad5b7faeabb29f2540554fd833e6132d85478f55415344127760f04fe44a7ef8a0acd243d1dec5279510567a4a64777911abc

    • SSDEEP

      12288:w8UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1f/gORixB:pUKoN0bUxgGa/pfBHDb+y1HgZ

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar file browsers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1004 Winlogon Helper DLL (1)
    T1158 Hidden Files and Directories (2)
    T1060 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1112 Modify Registry (2)
    T1158 Hidden Files and Directories (2)

  • Discovery

    T1012 Query Registry (1)
    T1082 System Information Discovery (2)

Tasks