General
-
Target
d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b
-
Size
659KB
-
Sample
220521-a2n8hsebep
-
MD5
6ea013f9f0eb1aa74f82928a81ecffd1
-
SHA1
9c23422cfa55dea80866774ea16c019226175449
-
SHA256
d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b
-
SHA512
888ef5266a4f761965aa176ddf7b8ae8b699f4b2ec7ab589679fad2f5fdd37b80da7d5d3290ed3f6ba1d29b60a338e7463e71f6c5e0ec7a491996977eda0eed5
Behavioral task
behavioral1
Sample
d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b.exe
Resource
win7-20220414-en
Malware Config
Extracted
darkcomet
Sazan
0.tcp.ngrok.io:10277
DC_MUTEX-CYFYV25
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
834bxKalF1Bf
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Targets
-
-
Target
d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b
-
Size
659KB
-
MD5
6ea013f9f0eb1aa74f82928a81ecffd1
-
SHA1
9c23422cfa55dea80866774ea16c019226175449
-
SHA256
d37f9d1f9d0004a75a162841661fb825b12447aff4701f2dbd36abbf04ac965b
-
SHA512
888ef5266a4f761965aa176ddf7b8ae8b699f4b2ec7ab589679fad2f5fdd37b80da7d5d3290ed3f6ba1d29b60a338e7463e71f6c5e0ec7a491996977eda0eed5
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Modifies security service
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-