General
-
Target
Payment 901.exe
-
Size
3.0MB
-
Sample
210105-yzt4ntsdrj
-
MD5
33d9370ab0c06bea92774b43d138f5b3
-
SHA1
cba894efb96a1ae3982a10363814366b478c39d7
-
SHA256
b81dece72c020fa2cb5f5df57f71de84142574d54ef1a165aff47ec171b618d0
-
SHA512
573b5a9331b28ef6aaeaef616a89a05c70d478510141e636614f1dabfae290710cf620811dec90c8bcae3fc78ed26a6c4b317bbc08256cc4626ce7675ec3f7be
Static task
static1
Behavioral task
behavioral1
Sample
Payment 901.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Payment 901.exe
Resource
win10v20201028
Malware Config
Extracted
darkcomet
JANuary 2021
chrisle79.ddns.net:3317
jacknop79.ddns.net:3317
smath79.ddns.net:3317
whatis79.ddns.net:3317
goodgt79.ddns.net:3317
bonding79.ddns.net:3317
DC_MUTEX-X1VW1F7
-
gencode
U35l73tWGu8y
-
install
false
-
offline_keylogger
true
-
password
Password20$
-
persistence
false
Targets
-
-
Target
Payment 901.exe
-
Size
3.0MB
-
MD5
33d9370ab0c06bea92774b43d138f5b3
-
SHA1
cba894efb96a1ae3982a10363814366b478c39d7
-
SHA256
b81dece72c020fa2cb5f5df57f71de84142574d54ef1a165aff47ec171b618d0
-
SHA512
573b5a9331b28ef6aaeaef616a89a05c70d478510141e636614f1dabfae290710cf620811dec90c8bcae3fc78ed26a6c4b317bbc08256cc4626ce7675ec3f7be
Score10/10-
Modifies WinLogon for persistence
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-