General
Target: 86ab6a7f9d86cb1bb3ad5b55d788e785092177db39206f73bb23f6251d3c4baf
Size: 2.0MB
Sample: 200629-qxzww1x966
MD5: 27bfb34bccb3534fb28907887ce2d416
SHA1: 735ff286a15378f58adc88eb874602ce40fa9876
SHA256: 86ab6a7f9d86cb1bb3ad5b55d788e785092177db39206f73bb23f6251d3c4baf
SHA512: c94302184c872e9d31196020e70ce2234196f94e5c0f8cff035babd40f40a1db05e08bca4efeb7080be8b3985eb8606a3cab82a1e701b73b8a6c685cd1acb3b1
Static task: static1
Behavioral task: behavioral1
Sample: 86ab6a7f9d86cb1bb3ad5b55d788e785092177db39206f73bb23f6251d3c4baf.exe
Resource: win7
Malware Config
Extracted
darkcomet
GuDy
sysprocess.ddns.net:1605
mila031.ddns.net:1604
DC_MUTEX-9JVEVBK
InstallPath: chkdsk32.exe
gencode: QAMy2R5hRowG
install: true
offline_keylogger: true
persistence: true
reg_key: SecurityEssentials
Targets
Target: 86ab6a7f9d86cb1bb3ad5b55d788e785092177db39206f73bb23f6251d3c4baf
Size: 2.0MB
MD5: 27bfb34bccb3534fb28907887ce2d416
SHA1: 735ff286a15378f58adc88eb874602ce40fa9876
SHA256: 86ab6a7f9d86cb1bb3ad5b55d788e785092177db39206f73bb23f6251d3c4baf
SHA512: c94302184c872e9d31196020e70ce2234196f94e5c0f8cff035babd40f40a1db05e08bca4efeb7080be8b3985eb8606a3cab82a1e701b73b8a6c685cd1acb3b1
- Modifies WinLogon for persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Adds Run key to start application
- Program crash
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext