General
-
Target
820f2381fe1860a8b6f9e66032ac4bb79ac6b7b9269264c547e4c63151593df0
-
Size
732KB
-
Sample
210921-kh5q9sghf2
-
MD5
a1c0d1485d1f2ac0d660ea28502e79ae
-
SHA1
fcd8a01e7c022c086747a680bb8995f9279aaa8c
-
SHA256
820f2381fe1860a8b6f9e66032ac4bb79ac6b7b9269264c547e4c63151593df0
-
SHA512
d44e3ecaefe8012aeaf5b3b4adf0d4aa6e2b9cf4565960def0c665d6294f7b21fa006a8d99b4e847b2a2f8eb0e9981bc4ce2f2f377541e53d84295b94108ad1f
Behavioral task
behavioral1
Sample
820f2381fe1860a8b6f9e66032ac4bb79ac6b7b9269264c547e4c63151593df0.exe
Resource
win7v20210408
Malware Config
Extracted
darkcomet
Sazan
marbeyli.ddns.net:443
DC_MUTEX-WF3HSVR
-
InstallPath
MSDCSC\svchost.exe
-
gencode
CTg6jh11p8Xh
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Extracted
njrat
Njrat 0.7 Golden By Hassan Amiri
HacKed
marbeyli.ddns.net:5552
Windows Update
-
reg_key
Windows Update
-
splitter
|Hassan|
Targets
-
-
Target
820f2381fe1860a8b6f9e66032ac4bb79ac6b7b9269264c547e4c63151593df0
-
Size
732KB
-
MD5
a1c0d1485d1f2ac0d660ea28502e79ae
-
SHA1
fcd8a01e7c022c086747a680bb8995f9279aaa8c
-
SHA256
820f2381fe1860a8b6f9e66032ac4bb79ac6b7b9269264c547e4c63151593df0
-
SHA512
d44e3ecaefe8012aeaf5b3b4adf0d4aa6e2b9cf4565960def0c665d6294f7b21fa006a8d99b4e847b2a2f8eb0e9981bc4ce2f2f377541e53d84295b94108ad1f
-
Modifies WinLogon for persistence
-
Async RAT payload
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-