General
- Target: 77da778ccaeff7f0d95047e74b0c502fa641fc5aec1d5b5fc720b3137a1404d2
- Size: 680KB
- Sample: 201109-qwakhekves
- MD5: 9a47446fa7fc71301cc90d5f4279a68d
- SHA1: 65106fd2cba8d691d882e3cb76428bfa8f3f5314
- SHA256: 77da778ccaeff7f0d95047e74b0c502fa641fc5aec1d5b5fc720b3137a1404d2
- SHA512: 0f24a563878423fe4417eb976110c53e0567c55759c588a2bee1671ec70568bd4bdaf6905decc63e67f85ca170f5c794d554b9540435f379bb156d73affae8e5
Static task: static1
Behavioral task: behavioral1
- Sample: 77da778ccaeff7f0d95047e74b0c502fa641fc5aec1d5b5fc720b3137a1404d2.exe
- Resource: win7v20201028
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 25
- Username: [email protected]
- Password: olade12ktie8us7
Extracted
darkcomet
lowi
DC_MUTEX-HK7QWNG
- InstallPath: Driver\csrss.exe
- gencode: uQ8Z9YNB2JTt
- install: true
- offline_keylogger: true
- password: imperator
- persistence: true
- reg_key: Services
Targets
- Target: 77da778ccaeff7f0d95047e74b0c502fa641fc5aec1d5b5fc720b3137a1404d2
- Size: 680KB
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext