General

  • Target

    66032aec342c85d912e0f682e61cc57e

  • Size

    271KB

  • Sample

    240118-zpkr1ahahm

  • MD5

    66032aec342c85d912e0f682e61cc57e

  • SHA1

    464dfe3c7583cc220b873d2907802e42b6bbfbef

  • SHA256

    473e8c50cf9373499feaad7d20e43d6bbfd8dc6003b6a03d5f8eeee268ad3140

  • SHA512

    4ae423d3e88873ae14f8afce831f2b5fb1a7fb2c01f65ad25a3461ecf696e057871249a2c2cd8d9143c4c0ef76f5d3d0efa1fb06d094369b6bd2e02f570ac4a9

  • SSDEEP

    6144:jQqsvP4oaeNqL8v1wnLAfEZg4mLwZNWZ9sqkXW:IDaeoL8OEEZg5LwZYIqoW

Malware Config

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks