General

  • Target

    a6edb35e458af95747a570b56623acbd

  • Size

    1.2MB

  • Sample

    240226-v3mrasbg38

  • MD5

    a6edb35e458af95747a570b56623acbd

  • SHA1

    fba5eb34eb11e95534abd0d8b967585a731a0ad6

  • SHA256

    c980f4fbc08076d2f1f836c0f1712227db8d91c465693bcb48e3072b80650293

  • SHA512

    b476ad02ffbb79998c3f82ffd594fba65266e9cee35749ceccb5c4cdc33c933b14eb4827d46fd3c1f1bd13131750fc70561b80e89dfd6486e5ce2da38ea805a4

  • SSDEEP

    24576:6wAcu99lPzvxP+Bsz2XjWTRMQckkIXn3kr62kqc7dhcIw6HMsjNsohlbd:lAcIzpP+hickkI33kr62kn7dhc56HbjZ

Malware Config

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Nirsoft

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks