General
Target: 4b639b70d9414e1f754fab20ca28e785aeede026403949d997378d42dcb0fff7
Size: 550KB
Sample: 220712-l5tsysdddj
MD5: bd6c3dfba3e67ea50e34fdcb449d0be6
SHA1: 70d65fc8b984a2312ae19be499ae38de320f94b1
SHA256: 4b639b70d9414e1f754fab20ca28e785aeede026403949d997378d42dcb0fff7
SHA512: db6489c768ca9aaf1d0eef45699f6f37b6616450b4496c82ae0de1c6a01111ea91e59e293c824d1cd0076341fce884729f4a1bbf84d82fdfe367be7f1d8a3f06
Static task: static1
Behavioral task: behavioral1
  Sample: 4b639b70d9414e1f754fab20ca28e785aeede026403949d997378d42dcb0fff7.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 4b639b70d9414e1f754fab20ca28e785aeede026403949d997378d42dcb0fff7.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted family: darkcomet
Campaign ID: qlq
C2: 127.0.0.1:1604
C2: alrdmh1.no-ip.info:1604
Mutex: DC_MUTEX-SW2Y3F8
InstallPath: MSDCSC\ssms.exe
gencode: pqNMGaVpt3ZJ
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Targets
Target: 4b639b70d9414e1f754fab20ca28e785aeede026403949d997378d42dcb0fff7
Score: 10/10
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext