General
Target: dropmefiles.top_Nixware.exe
Size: 756KB
Sample: 210731-78c4ps4dc6
MD5: a599feb72860abcb8bd95d29aa7424b9
SHA1: 9e1ded3db1863e13f6f9a443b3096567cf4108b3
SHA256: d64c2da29df9186c58c5fceb4b2f1dca1c3360c74a342f4a61227e9a97a79d0f
SHA512: 40ae7c2516ba1ade6b42eefbbfd9552ae7c42921eb680e7abc001d86bbbebbe3258357b678c7ca2e4ae9ec21dc8fb54dfdc4d9d96728a1e24d78c1be8fd57a67
Malware Config
Extracted
darkcomet
Guest16
teposs.ddns.net:7764
DC_MUTEX-T8TS3MS
InstallPath: MSDCSC\msdcsc.exe
gencode: u2B4xQoge2Z5
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Targets
Target: dropmefiles.top_Nixware.exe
- Modifies WinLogon for persistence
- Modifies security service
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Executes dropped EXE
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Adds Run key to start application