General
-
Target
Payment 381.exe
-
Size
3.1MB
-
Sample
210225-gk3kqfgm4s
-
MD5
3602f8e02342949364e8669e0c88f686
-
SHA1
8b2f47300d6fecd4d5fcef477b7cbd63cf6ef8c5
-
SHA256
87fd1a37f56e55cc20cdf882955d9ac37a857bd0bf12c480ea76f9a452438ab6
-
SHA512
c4368cf6fc0e76442f9e8ff812d4dea125ff61eee360085ccd870d8e11c57dec8d1c92cd310cfee58990f220236e06561424c48e84e743140923f7a15bca8890
Static task
static1
Behavioral task
behavioral1
Sample
Payment 381.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Payment 381.exe
Resource
win10v20201028
Malware Config
Extracted
darkcomet
FEBruary 2021
bonding79.ddns.net:3316
goodgt79.ddns.net:3316
whatis79.ddns.net:3316
smath79.ddns.net:3316
jacknop79.ddns.net:3316
chrisle79.ddns.net:3316
DC_MUTEX-ZKP4D0B
-
gencode
wb6TW2qCEdyf
-
install
false
-
offline_keylogger
true
-
password
Password20$
-
persistence
false
Targets
-
-
Target
Payment 381.exe
-
Size
3.1MB
-
MD5
3602f8e02342949364e8669e0c88f686
-
SHA1
8b2f47300d6fecd4d5fcef477b7cbd63cf6ef8c5
-
SHA256
87fd1a37f56e55cc20cdf882955d9ac37a857bd0bf12c480ea76f9a452438ab6
-
SHA512
c4368cf6fc0e76442f9e8ff812d4dea125ff61eee360085ccd870d8e11c57dec8d1c92cd310cfee58990f220236e06561424c48e84e743140923f7a15bca8890
-
Modifies WinLogon for persistence
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-