General
Target: 04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Size: 770KB
Sample: 210911-ht553abbb7
MD5: 2f087c02e5a65fc3a150ba96ddde8a0f
SHA1: d8b02d1cd0d582b93866ea2e2da10cb148828566
SHA256: 04c164391efcedd93b5c04dc137e8b80336265246fa15318a67d4b2d20bf257f
SHA512: 86b078abb4270864802f0056c5657c82c2f375472d821fd888aa0252c10e270cba8beb5bc5063236d7c1192ccf573d7df7dec83ddf753638e96aa6d06f5c0edd
Behavioral task: behavioral1
Sample: 04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Resource: win7v20210408
Malware Config

Extracted: darkcomet
Botnet: Sazan
C2: marbeyli.duckdns.org:1604
Mutex: DC_MUTEX-D2KTVT9
Attributes:
- InstallPath: MSDCSC\svchost.exe
- gencode: iGJFx2jaJsy3
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Extracted: asyncrat
Version: 0.5.7B
Botnet: Default
C2: marbeyli.duckdns.org:6606
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
- anti_vm: false
- bsod: false
- delay: 3
- install: true
- install_file: svchost.exe
- install_folder: %AppData%
- pastebin_config: null
Targets

Target: 04C164391EFCEDD93B5C04DC137E8B80336265246FA15.exe
Size: 770KB
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Async RAT payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application