General
Target: Payment 831.exe
Size: 2.1MB
Sample: 210404-8sd2rmtbdn
MD5: 90f1582eb4aa8c5db832919e5e475fc5
SHA1: bbc4d5e90346af2ec03f7ec4af33a728108818a3
SHA256: 136eddfd86a8ee4a6e6c8ed4d82bc78e795e5f02ff5e347dd95893a9b011222f
SHA512: 37cd15caa53b047036334cf5b19ffaf7fc94aa32d4dc8648c2fe0c1bd623e332f70778b2bb59c3aeaf0f6ba5cae6fa1c1a360780e1c7d29e4be4a4d9ab459b43
Static task: static1
Behavioral task: behavioral1 (Sample: Payment 831.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: Payment 831.exe, Resource: win10v20201028)
Malware Config
Extracted family: darkcomet
April 2021
C2:
bonding79.ddns.net:3316
goodgt79.ddns.net:3316
whatis79.ddns.net:3316
smath79.ddns.net:3316
jacknop79.ddns.net:3316
chrisle79.ddns.net:3316
Mutex: DC_MUTEX-L1TFBNC
gencode: PvcfTTVpBSKd
install: false
offline_keylogger: true
password: Password20$
persistence: false
Targets
Score: 10/10
Signatures:
- Modifies WinLogon for persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys: Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext