General
- Target: ZulaHax.exe
- Size: 659KB
- Sample: 220620-wcv6esgffk
- MD5: 949573ea355757e37f217798fd335478
- SHA1: ba103d18dd84409cd2cba837ae64d42ec75613e7
- SHA256: 222e2ddd2cd5cb4156b9d1845c833d644d8a62d367004a271f6ec290a8aa2fb3
- SHA512: ba7174bd8d6cb88066a7c18a1cd57b603680bfee9a94bf2ceca7a0784246f2e3a35f1856f91e3b9973f7a576cf8366fc3d10ee0268f80a3f077c174b4d2a2881
Behavioral task: behavioral1
- Sample: ZulaHax.exe
- Resource: win7-20220414-en
Malware Config
Extracted
- darkcomet
- Sazan
- sussysdfffdfff343.duckdns.org:1604
- DC_MUTEX-5BJ61CT
- InstallPath: MSDCSC\msdcsc.exe
- gencode: hSQMSMbHss9o
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Targets
- Target: ZulaHax.exe
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- suricata: ET MALWARE Backdoor.Win32.DarkComet Screenshot Upload Successful
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext