General
Target: Purchase Order 461.exe
Size: 2.0MB
Sample: 210917-qszwnaafaq
MD5: f88cdbcb740a75972cfef27692239991
SHA1: fcdaed8c771069c111afb78bd1d2ebaeb28a6688
SHA256: b6191c6a038f6d49e6941f00ded6a45cf3050ff0a2ecea3a3b3b462dc580f352
SHA512: 44265899cd6915a0c637496598b1110f81a3a1a42d5c2c77137bb7745663335f0dc48fa184632226d18294da23a354780009386d6dd6613ad605b5021ff1d8b3
Static task: static1
Behavioral task: behavioral1
  Sample: Purchase Order 461.exe
  Resource: win7-en-20210916
Behavioral task: behavioral2
  Sample: Purchase Order 461.exe
  Resource: win10v20210408
Malware Config
Extracted
Family: darkcomet
SeptemBER 2021
C2: bonding79.ddns.net:3316
C2: goodgt79.ddns.net:3316
C2: whatis79.ddns.net:3316
C2: smath79.ddns.net:3316
C2: jacknop79.ddns.net:3316
C2: chrisle79.ddns.net:3316
Mutex: DC_MUTEX-6JQTXC0
gencode: cVaduGzs7zFu
install: false
offline_keylogger: true
password: Password20$
persistence: false
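The extracted config above is directly usable for hunting. As an added example (not part of the sandbox report or of any tool the report was produced with), the Python below loads the C2 hosts, port, mutex and file hashes from this page and runs them over a few constructed DNS, connection and mutex log lines; the log format and the client/destination addresses in those lines are invented for the demo, and the hash check needs the sample bytes, which this page does not carry.

```python
"""IOC hunt built from the DarkComet config extracted on this page.

Added example, not part of the sandbox report. The log format
("<ts> dns <client> <qname>", "<ts> conn <client> <dst>:<port>",
"<ts> mutex <pid> <name>") and the addresses in SAMPLE_LOG are
constructed for the demo.
"""
import hashlib

# Values copied from the extracted config and the hash table above.
C2_HOSTS = {
    "bonding79.ddns.net", "goodgt79.ddns.net", "whatis79.ddns.net",
    "smath79.ddns.net", "jacknop79.ddns.net", "chrisle79.ddns.net",
}
C2_PORT = 3316
MUTEX = "DC_MUTEX-6JQTXC0"
SAMPLE_HASHES = {
    "md5": "f88cdbcb740a75972cfef27692239991",
    "sha1": "fcdaed8c771069c111afb78bd1d2ebaeb28a6688",
    "sha256": "b6191c6a038f6d49e6941f00ded6a45cf3050ff0a2ecea3a3b3b462dc580f352",
}

# Constructed log lines (hypothetical format, see module docstring).
SAMPLE_LOG = """\
2021-09-17T10:01:02Z dns 10.0.0.5 bonding79.ddns.net
2021-09-17T10:01:02Z dns 10.0.0.5 www.example.com
2021-09-17T10:01:03Z conn 10.0.0.5 198.51.100.7:3316
2021-09-17T10:01:03Z conn 10.0.0.5 198.51.100.9:443
2021-09-17T10:01:04Z mutex 4120 DC_MUTEX-6JQTXC0
2021-09-17T10:01:05Z mutex 4130 Global\\SomeOtherMutex
"""


def match_line(line):
    """Return the IOC hits for one log line as (ioc_type, value) pairs."""
    parts = line.split()
    if len(parts) < 4:
        return []
    kind, subject = parts[1], parts[3]
    hits = []
    if kind == "dns" and subject.lower().rstrip(".") in C2_HOSTS:
        hits.append(("c2_domain", subject))
    elif kind == "conn":
        _host, _, port = subject.rpartition(":")
        # The port alone is weak evidence (3316 is not reserved for
        # DarkComet); it is reported so it can be correlated with the
        # DNS or mutex hits, which are the confirming indicators.
        if port.isdigit() and int(port) == C2_PORT:
            hits.append(("c2_port", subject))
    elif kind == "mutex" and subject == MUTEX:
        hits.append(("mutex", subject))
    return hits


def hunt(log_text):
    """Run match_line over every line; returns (timestamp, ioc_type, value)."""
    hits = []
    for line in log_text.splitlines():
        for ioc_type, value in match_line(line):
            hits.append((line.split()[0], ioc_type, value))
    return hits


def hash_matches(data):
    """Hash raw file bytes and return the algorithms whose digest equals the report's."""
    computed = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return sorted(name for name, digest in computed.items()
                  if digest == SAMPLE_HASHES[name])


if __name__ == "__main__":
    for ts, ioc_type, value in hunt(SAMPLE_LOG):
        print(ts, ioc_type, value)
```

The domain and mutex matches are the ones worth alerting on; the port match is kept separate so a rule author can require it to co-occur with one of the others rather than fire on its own.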
Targets
Target: Purchase Order 461.exe (2.0MB; MD5, SHA1, SHA256 and SHA512 as listed under General above)
Detected behaviour:
- Modifies WinLogon for persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry. BIOS information is often read in order to detect sandbox or virtual-machine environments.
- Identifies Wine through registry keys. Wine is a compatibility layer capable of running Windows applications, which can be used as a sandbox environment.
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
Note that the extracted config has install and persistence set to false while the behavioural run still flagged a WinLogon modification; reconcile the two against the registry changes recorded for the run before relying on either.