General
-
Target
3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d
-
Size
557KB
-
Sample
201108-7kfq9tbk4j
-
MD5
316ced1fc09909dff0b75efbd0da2ae0
-
SHA1
2d5cb13b6c956f8a7b6307d7f629a56117d2d9ee
-
SHA256
3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d
-
SHA512
fca713a6489bf4d87be23d9fbc6e9aa6fccf8a6329d1abed6e2e28bf2286f2fd78486cd77111eabed293f29fac81bfa1fbd9c8f9ebdb1452cd5af9eb41bdd5ad
Static task
static1
Behavioral task
behavioral1
Sample
3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d.exe
Resource
win10v20201028
Malware Config
Extracted
darkcomet
2020okt999+++4
sandyclark255.hopto.org:1605
DC_MUTEX-D50H81E
-
InstallPath
word64l.exe
-
gencode
0zgSCfjSH24W
-
install
true
-
offline_keylogger
true
-
password
hhhhhh
-
persistence
true
-
reg_key
winworde
Targets
-
-
Target
3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d
-
Size
557KB
-
MD5
316ced1fc09909dff0b75efbd0da2ae0
-
SHA1
2d5cb13b6c956f8a7b6307d7f629a56117d2d9ee
-
SHA256
3b93bbc5e1fe38dd279812cc19777eea51faf580c97d1713e8c54448f949647d
-
SHA512
fca713a6489bf4d87be23d9fbc6e9aa6fccf8a6329d1abed6e2e28bf2286f2fd78486cd77111eabed293f29fac81bfa1fbd9c8f9ebdb1452cd5af9eb41bdd5ad
-
Modifies WinLogon for persistence
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Suspicious use of SetThreadContext
-