General
Target: svshost.bin
Size: 4.0MB
Sample: 220711-pndl7ahafj
MD5: 2df0daacf8be5126ddbaa7ba9a83be58
SHA1: 0889fcd78f5bf71ca04280fe97b7507b6b114ba3
SHA256: 0936e508e142466b6d83e49b27513be2207822f91ac2d038023a86d6ccd29b2a
SHA512: 0348f7511803198d5d81b10bac08b9e9e79bfd1d193c9a72b1bf3883bd49d18ec21a998e4a056206fac539c73843b31c10437838eb38746bd062e682f2df120e

Static task: static1

Behavioral task: behavioral1
Sample: svshost.exe
Resource: win7-20220414-en

Malware Config
Extracted: darkcomet
Campaign ID: Guest16
C2: gameservice.ddns.net:4320
Mutex: DC_MUTEX-WBUNVXD
InstallPath: AudioDriver\taskhost.exe
gencode: EWSsWwgyJrUD
install: true
offline_keylogger: true
persistence: false
reg_key: AudioDriver
Targets
Target: svshost.bin (4.0MB; MD5, SHA1, SHA256 and SHA512 identical to the values listed under General)
Signatures:
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext