General
- Target: GHLDRO.exe
- Size: 13.7MB
- Sample: 210806-wxc69h5lyn
- MD5: a8f3f22dda294b02f410ca95116a23bf
- SHA1: 413062e5f6a7ec6c23cb56fbb68c8984855e8a58
- SHA256: 64f87a54df363755339567ae103af89b64be18546b14b22b93610e0080c3793d
- SHA512: a75fc1269444e2aff46a7901da89fd56b17120c56e4c7f89147a673e312dcc09366c9f16d3b4082f27a19a6f6aeed420c07112a5cbd04f8cd53d9792bb2ea711
Static task: static1
Behavioral task: behavioral1
- Sample: GHLDRO.exe
- Resource: win7v20210410
Malware Config
Extracted
- Family: darkcomet
- Botnet ID: Guest16
- C2: onlinebonjour1pt.ddns.net:1605
- Mutex: DC_MUTEX-XJRH105
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 7qC8eTvgaGxs
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdapt
Targets
- Target: GHLDRO.exe
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- autoit_exe: AutoIT scripts compiled to PE executables.