General

  • Target

    commet v3.1.zip

  • Size

    39.5MB

  • Sample

    240526-tl9dascb8w

  • MD5

    dd32f58ae1e767118583e57ea9c0d108

  • SHA1

    1629f4145e073dc152327cb57d3a70d49b27916f

  • SHA256

    3030066111e07266a8f207b603869d70c0c2ccd4159ef979060500c1b931d146

  • SHA512

    ffda3299a0591ae1df56032475e384ffb83a8d70cd984ecf6dfc10e386ac9549d59aaa29878d151256c675d949ca29a6e23d091692092ae4da11bab963aa6585

  • SSDEEP

    786432:eVRndPJ5FNkiAWRIoP2qXyvWnk1XBHOECXqVWCaaE8qJG9S+:AndBbRAWRIoP2qXuW8VCXqVHaaEQA+


Targets

    • Target

      commet v3.1/commet/commet-grabber/Commet.exe

    • Size

      38.8MB

    • MD5

      59f8e658cf34334dd88a8f67da31ba85

    • SHA1

      bddb50c2de10bd5a1d06c667e7b9c7cdd68fdd89

    • SHA256

      780329f1842fdde4f7a215ea3c597d5c90e969d538756bb837fa20af17f8947f

    • SHA512

      c56ccdbdd3d803c3763505bef40258a9c9c10f03f92490c21226e39aa628a1a081664d26543db6007f25d1650233d45c37c327e3ba77df95e2ba57680e3deee5

    • SSDEEP

      786432:yPLFXNfh50sQhEwLuDtQPux6F2Bf5aFMR8DoewQW650F:2LFdJ5QhE8uDtquGhMR8DdwQW7

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      commet v3.1/commet/commet-grabber/bin/incognito-luau.dll

    • Size

      1.3MB

    • MD5

      157fd035b2a344a94166d7db3756df0e

    • SHA1

      f221d28c1deb80b4e8d9201226435aefce6b0f75

    • SHA256

      8716c75aff75941711aff8770836f47eb9a254416089ef3571c6fc9a338b3009

    • SHA512

      fad0174fbd22f58dd4fcdaad8378c214270b4faeaca64d9cb306f50e9316072a4c417c5723c4123b8bf94a3dba6ef4e3303ec60f4a2cf0c3a54d8ab375ea717d

    • SSDEEP

      24576:ZqBSLRktEBl6blwTUMD4zB1VU2bFjYWR0pMQUAqLRAovh4bSAXVVRNRfMXZO:ZqBSLRkt8l6blSU//+2bFfvA1SQVVRNk

    Score
    1/10

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 3

Credential Access

  • Unsecured Credentials (T1552): 1
    • Credentials In Files (T1552.001): 1

Discovery

  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2

Collection

  • Data from Local System (T1005): 1

Command and Control

  • Web Service (T1102): 1
