General

  • Target

    a6bdb07a3e067cf92ed8335f686e00a3

  • Size

    5.8MB

  • Sample

    240226-tcf1dshh94

  • MD5

    a6bdb07a3e067cf92ed8335f686e00a3

  • SHA1

    cdd5aab5db2622ff4e778a0701eaaa6f42b20b6d

  • SHA256

    24c02b9013f5418709e591ad0f5b3fe09dc41d74959ae565504561e8cc52b851

  • SHA512

    c4a1bd5da2f2c7ab0e4686c1df3a2afe14653285b3b338f927330530f2e2fa30041eaed79ec604f4de0d0489ced8b8922f8cb7086ed96c3c56e94d26299a9af1

  • SSDEEP

    98304:nMMb3SipGhW9AzkjL7vIpoPWiEv4rs9gQ54jhE:nFb3SwGhCnv7vIn/WQqhE

Targets

    • Darkcomet

      DarkComet is a Windows remote access trojan (RAT) written by Jean-Pierre Lesueur (DarkCoderSc). Its development stopped in 2012, but leaked builds remain in circulation; it gives the operator full remote control of the host, including keylogging, file access and credential theft.

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      Malware reads the BIOS strings stored under HKLM\HARDWARE\DESCRIPTION\System (SystemBiosVersion, VideoBiosVersion and related values) and looks for hypervisor markers such as VBOX, VMware or QEMU in order to detect sandboxes and virtual machines before unpacking the real payload.

    • Checks computer location settings

      Reads the locale or country code configured in the registry (for example the values under HKCU\Control Panel\International), most likely as a geofence that stops execution in regions the operator wants to avoid.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to read the configuration files of FTP clients such as FileZilla (sitemanager.xml and recentservers.xml), which store saved hosts, usernames and passwords.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, autofill data and browsing history.

    • Uses the VBS compiler for execution

      The binary involved is vbc.exe, the Visual Basic .NET compiler shipped with the .NET Framework, not a VBScript engine. It is a signed Microsoft executable that .NET loaders commonly start in a suspended state and use as a host process for an injected payload, so a vbc.exe instance whose parent is not a build tool is worth examining.

    • Adds Run key to start application

      Persistence through a value under Software\Microsoft\Windows\CurrentVersion\Run (in HKCU or HKLM), so the payload is relaunched at every logon.

    • Suspicious use of SetThreadContext

      Changing the thread context of another process is the step in process hollowing where the entry point of a suspended process is redirected to an injected image before the thread is resumed. Together with the vbc.exe launch above, this is consistent with the payload running inside a hollowed host process.
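The behaviours listed above translate directly into host-side detection logic. The following Python script is an added example, not code from the sandbox or from this report: it evaluates Sysmon-style events (Event ID 1 process create, 11 file create, 13 registry value set; field names follow Sysmon's schema) against three of the signatures, a Run key being added, a file being dropped into the drivers directory, and vbc.exe being launched by something other than a build tool, and raises an alert only when one process trips more than one rule. The FTP, browser and messenger data reads are not visible to Sysmon and are left out. All events, GUIDs, paths and file names in the block are constructed for illustration.

```python
"""Detection logic for the report's Run-key / drivers-drop / vbc.exe chain.

Added example, not part of the sandbox report. Event dictionaries use Sysmon
field names; every event below is constructed and every path and GUID is
hypothetical.
"""
import re
from collections import defaultdict

# Run and RunOnce values under CurrentVersion (HKCU or HKLM, Sysmon reports HKU/HKLM).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
DRIVERS_DIR = re.compile(r"\\System32\\drivers\\", re.IGNORECASE)
# vbc.exe is the Visual Basic .NET compiler; these parents spawn it legitimately.
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbc.exe"}


def _basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_hits(event):
    """Return the names of the rules a single event satisfies."""
    hits = []
    eid = event["EventID"]
    if eid == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        hits.append("run_key_persistence")
    if eid == 11 and DRIVERS_DIR.search(event.get("TargetFilename", "")):
        hits.append("drop_in_drivers_dir")
    if (eid == 1
            and _basename(event.get("Image", "")) == "vbc.exe"
            and _basename(event.get("ParentImage", "")) not in BUILD_PARENTS):
        hits.append("vbc_exe_unusual_parent")
    return hits


def correlate(events, min_rules=2):
    """Group hits by ProcessGuid; keep processes that trip at least min_rules rules.

    One hit on its own is common (an installer writing a Run key, a driver
    setup touching System32\\drivers); several in the same process are not.
    """
    per_process = defaultdict(set)
    for ev in events:
        for name in rule_hits(ev):
            per_process[ev["ProcessGuid"]].add(name)
    return {guid: sorted(names) for guid, names in per_process.items()
            if len(names) >= min_rules}


# Constructed sample events (hypothetical GUIDs, SIDs, paths and names).
SAMPLE_EVENTS = [
    # vbc.exe started by an executable in the user's Temp directory.
    {"EventID": 1, "ProcessGuid": "{B2B2-0001}",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\invoice.exe"},
    # The same process adds a Run value pointing at a copy of itself.
    {"EventID": 13, "ProcessGuid": "{B2B2-0001}",
     "TargetObject": r"HKU\S-1-5-21-10-20-30-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "Details": r"C:\Users\victim\AppData\Roaming\WinUpdate\update.exe"},
    # The same process drops a file into the drivers directory.
    {"EventID": 11, "ProcessGuid": "{B2B2-0001}",
     "TargetFilename": r"C:\Windows\System32\drivers\wupdsvc.sys"},
    # Benign: Visual Studio compiling a VB project.
    {"EventID": 1, "ProcessGuid": "{C3C3-0002}",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    # Benign: an application registering itself for logon start, nothing else.
    {"EventID": 13, "ProcessGuid": "{D4D4-0003}",
     "TargetObject": r"HKU\S-1-5-21-10-20-30-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]


if __name__ == "__main__":
    for guid, rules in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {guid}: {', '.join(rules)}")
```

Only the process that both launched vbc.exe from an unusual parent and then wrote the Run value and the drivers-directory file is reported; the Visual Studio build and the lone Run-key write stay quiet. Lowering min_rules to 1 turns the script into a plain hunting query over the same events.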
