General
Target: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af
Size: 253KB
Sample: 220725-cnyadaafhp
MD5: 19bc4cf35e9543073c59853085837019
SHA1: d86e8c0747c9a1de28f8f9242ac7a08049d7d7bc
SHA256: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af
SHA512: 033a00f12bd0c035175594b742a10405109bdec8b8e07ba86cfcda7b141c4e2b5803446a86640ff89c89b42e0bcc73309da2d54d0311d8b2565bdc1f75d7a574
Behavioral task: behavioral1
Sample: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af.exe
Resource: win7-20220715-en
Malware Config (extracted)
Family: darkcomet
Botnet: Guest16
C2: bdsm32.ddns.net:1604
C2: bdsm32.ddns.net:27015
Mutex: DC_MUTEX-0PJGSJG
InstallPath: MSDCSC\msdcsc.exe
gencode: oM938oV7BtsY
install: true
offline_keylogger: false
persistence: false
reg_key: MicroUpdate
Targets
Target: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af
Size: 253KB
MD5: 19bc4cf35e9543073c59853085837019
SHA1: d86e8c0747c9a1de28f8f9242ac7a08049d7d7bc
SHA256: afb6012b92eaea693ffbb6ad9000d729fabadd44dab0da7d9b1386d4cfacf7af
SHA512: 033a00f12bd0c035175594b742a10405109bdec8b8e07ba86cfcda7b141c4e2b5803446a86640ff89c89b42e0bcc73309da2d54d0311d8b2565bdc1f75d7a574
Signatures:
- Modifies WinLogon for persistence
- Modifies security service
- Executes dropped EXE
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext