General

  • Target

    6f3c3f6bbb459a8e36d65a7fe4a51ebf

  • Size

    719KB

  • Sample

    240122-kreanschf3

  • MD5

    6f3c3f6bbb459a8e36d65a7fe4a51ebf

  • SHA1

    731821d3b0b5edeb62602a36218604967af6fc93

  • SHA256

    0bafca510e500e596b151845c382c5d651fcca07f0fcc4e607349df550d95da6

  • SHA512

    723a1b74452ec62140431f8bf97b0d3e5ddcf3bf52c03046ea56b3b4375e64d07725fb1ae298b78df06e2f864a1db4d794a4bb7d2375e064becf59569cb23b84

  • SSDEEP

    12288:Ymp2nLu2601AVt0P3jM8/wJLFzh5ZKQsf/A6AuTNIEQSWUWrEvWXnejiapL:Ympp01AjqjlSj5ifrPNZWRrEvWujiE

Malware Config

Targets

    • Target

      6f3c3f6bbb459a8e36d65a7fe4a51ebf

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

      Winlogon values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (typically Userinit or Shell) name what runs at every interactive logon; altering them gives persistence that survives reboots without needing a Run key.

    • Checks BIOS information in registry

      BIOS strings in the registry (e.g. SystemBiosVersion under HKLM\HARDWARE\DESCRIPTION\System) usually reveal VirtualBox, VMware or QEMU, so they are read to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry (HKCU\Control Panel\International\Geo\Nation), likely used as a geofence to skip execution in certain regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      Writes a value under a CurrentVersion\Run key so the application is launched at each logon.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites another thread's register state, including its instruction pointer; used on a freshly created suspended process, it is the hallmark of process hollowing (RunPE-style) injection.
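
The registry-based behaviours in this list can be checked against registry telemetry with a small triage script. The following is an added example, not part of the sandbox report and not the sandbox's or DarkComet's own code; the RegEvent shape, the SAMPLE_EVENTS and the file paths in them are constructed for illustration, while the key paths are the stock Windows locations each behaviour involves.

```python
"""Triage of registry telemetry for the behaviours flagged in this report.

Added example: not the sandbox's own signature code. The event shape
(RegEvent) and SAMPLE_EVENTS are constructed for illustration; the key
paths are the stock Windows locations each behaviour involves.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RegEvent:
    op: str         # "set" = value written, "query" = value read
    key: str        # full key path, HKLM\... or HKCU\...
    value: str      # value name
    data: str = ""  # data written; empty for reads


WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)
BIOS_KEY = r"HKLM\HARDWARE\DESCRIPTION\System"
BIOS_VALUES = ("systembiosversion", "videobiosversion")
GEO_KEY = r"HKCU\Control Panel\International\Geo"

# Stock Winlogon values on a clean install; any other data is a persistence
# edit, since Winlogon executes whatever Userinit/Shell name at every logon.
WINLOGON_DEFAULTS = {
    "userinit": r"c:\windows\system32\userinit.exe,",
    "shell": "explorer.exe",
}


def norm_key(path: str) -> str:
    """Lower-case, normalise slashes and long hive names for comparison."""
    p = path.lower().replace("/", "\\").rstrip("\\")
    for long, short in (("hkey_local_machine", "hklm"), ("hkey_current_user", "hkcu")):
        if p.startswith(long):
            p = short + p[len(long):]
    return p


def classify(ev: RegEvent) -> Optional[str]:
    """Map one registry event to the report signature it matches, if any."""
    key = norm_key(ev.key)
    val = ev.value.lower()
    if ev.op == "set" and key == norm_key(WINLOGON) and val in WINLOGON_DEFAULTS:
        if ev.data.lower().strip() != WINLOGON_DEFAULTS[val]:
            return "Modifies WinLogon for persistence"
    if ev.op == "set" and any(key.endswith(norm_key(r)) for r in RUN_KEYS):
        return "Adds Run key to start application"
    if ev.op == "query" and key == norm_key(BIOS_KEY) and val in BIOS_VALUES:
        return "Checks BIOS information in registry"
    if ev.op == "query" and key == norm_key(GEO_KEY) and val == "nation":
        return "Checks computer location settings"
    return None


def triage(events: List[RegEvent]) -> Dict[str, List[RegEvent]]:
    """Group matching events by signature name."""
    hits: Dict[str, List[RegEvent]] = {}
    for ev in events:
        sig = classify(ev)
        if sig is not None:
            hits.setdefault(sig, []).append(ev)
    return hits


# Constructed events; the file paths are placeholders, not values from the sample.
SAMPLE_EVENTS = [
    RegEvent("set", WINLOGON, "Userinit",
             r"C:\Windows\system32\userinit.exe,C:\Users\victim\AppData\Roaming\svc\update.exe"),
    RegEvent("set", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
             "UpdateSvc", r"C:\Users\victim\AppData\Roaming\svc\update.exe"),
    RegEvent("query", BIOS_KEY, "SystemBiosVersion"),
    RegEvent("query", GEO_KEY, "Nation"),
    RegEvent("set", WINLOGON, "Shell", "explorer.exe"),        # unchanged default
    RegEvent("set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
             "Hidden", "2"),                                     # benign noise
]


if __name__ == "__main__":
    for sig, evs in triage(SAMPLE_EVENTS).items():
        print(f"[{sig}]")
        for ev in evs:
            print(f"  {ev.op:5} {ev.key}\\{ev.value} {ev.data}")
```

The Winlogon check compares against the stock Userinit and Shell data rather than alerting on any write, so a legitimate reapply of the defaults is not flagged; the Run-key check matches the key suffix so both HKLM and HKCU hives are covered.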

MITRE ATT&CK Enterprise v15

Tasks