General

  • Target

    Blackkomet.exe

  • Size

    756KB

  • Sample

    240506-wwf6lsdc3y

  • MD5

    c7dcd585b7e8b046f209052bcd6dd84b

  • SHA1

    604dcfae9eed4f65c80a4a39454db409291e08fa

  • SHA256

    0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

  • SHA512

    c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

  • SSDEEP

    12288:XOANXryu1S69QwWBIlVi4o858nFBKgmvtOwUATgDQ3:eANOCS6qwWB0V5o8mnqvtrdgDQ3

Malware Config

Targets

    • Target

      Blackkomet.exe

    • Size

      756KB

    • MD5

      c7dcd585b7e8b046f209052bcd6dd84b

    • SHA1

      604dcfae9eed4f65c80a4a39454db409291e08fa

    • SHA256

      0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

    • SHA512

      c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

    • SSDEEP

      12288:XOANXryu1S69QwWBIlVi4o858nFBKgmvtOwUATgDQ3:eANOCS6qwWB0V5o8mnqvtrdgDQ3

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks