General

  • Target

    6483a476f5b7fc226ac141517cb43fdd

  • Size

    699KB

  • Sample

    240118-fhegvsdfe9

  • MD5

    6483a476f5b7fc226ac141517cb43fdd

  • SHA1

    e41fead8eed9dea0aae4cd8606169a0afbfe3f3d

  • SHA256

    6bcd9c12a11ab521d389bf16ece110af87bda26bff0068ec76e27bd9225c17e8

  • SHA512

    b0e88844e633e3defd37e3b052090bf873ffa5112bc89a9231229c3f2c9edadad73e21407f204491ddd2f38ef7ce79741813da681b3261bfec3240851e5971d0

  • SSDEEP

    12288:T2CoAv9i6/nmFmMPMj2hBLlUzBmug3+XCqyusCedzUs2CsL:Smv86/nmFmu9FujCXCedRQ

Malware Config

Targets

    • Target

      6483a476f5b7fc226ac141517cb43fdd

    • Size

      699KB

    • MD5

      6483a476f5b7fc226ac141517cb43fdd

    • SHA1

      e41fead8eed9dea0aae4cd8606169a0afbfe3f3d

    • SHA256

      6bcd9c12a11ab521d389bf16ece110af87bda26bff0068ec76e27bd9225c17e8

    • SHA512

      b0e88844e633e3defd37e3b052090bf873ffa5112bc89a9231229c3f2c9edadad73e21407f204491ddd2f38ef7ce79741813da681b3261bfec3240851e5971d0

    • SSDEEP

      12288:T2CoAv9i6/nmFmMPMj2hBLlUzBmug3+XCqyusCedzUs2CsL:Smv86/nmFmu9FujCXCedRQ

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks