General
Target: 5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1
Size: 659KB
Sample: 210921-k5vvksbfdr
MD5: 1d9b720db2f4e23c3502f1456f09b927
SHA1: a68034b6084112066cc02565dd519a23757c1b15
SHA256: 5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1
SHA512: 39cf1a7b5d12dfb19439676e9d692cc4536cd04c22872ef67370759e34dfba805e52c38ee0a58420b265aa29d8c91c563936e9be90fd578fe2418cb3c389c3d1
Behavioral task: behavioral1
Sample: 5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1.exe
Resource: win7-en-20210920
Malware Config
Extracted family: darkcomet
Botnet: Sazan
C2: 8.tcp.ngrok.io:13738
Mutex: DC_MUTEX-RYGMJ3G
Attributes:
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 1rG7r70RosbW
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Targets
Target: 5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1
Signatures
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check
- Loads dropped DLL
- Adds Run key to start application