General

Target: 6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Size: 349KB
Sample: 220726-lfbwvabef8
MD5: a95e3e4dbedcc98e826cc682ef8b3fd6
SHA1: 54008e19ea4b5b4a452905fa5f7d78b3ecfbfe6e
SHA256: 6aaa5a53455217ab61faeb5f0f57fb643f594af50ae613275db528119e3f3715
SHA512: b73e4c4834e0b9de45c0efa8d589264e06b5f858bd393732fde1813c0d64ccc5e054625eaad5dd054f15d34e529d30a5505f84443e749640c5d68b00a8c4c4f5
Behavioral task

behavioral1
Sample: 6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Resource: win7-20220715-en
Malware Config

Extracted
Family: darkcomet
Botnet: 22 (the extraction preserved only the value; the label is inferred from the sandbox's darkcomet config layout)
C2: kvejo991.ddns.net:1604
Mutex: DC_MUTEX-B50G4BJ
Attributes:
InstallPath: MSDCSC\explorer.exe
gencode: JLac09ou37rj
install: true
offline_keylogger: true
persistence: true
reg_key: explorer
Targets

Target: 6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe (349KB; hashes as listed under General)
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
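The extracted config and the persistence signatures above are the parts of this report an analyst actually acts on. The following script is an added example, not part of the sandbox output: it takes the report's hashes and DarkComet config, verifies a file in hand against the listed digests, builds a YARA rule from the config strings, and scans a registry export for the two persistence artefacts the signatures name (a Run value for `reg_key`, and a Winlogon Userinit/Shell value that has the install path appended). The `.reg` export embedded in it is constructed sample data, not evidence from the sandbox run, and the rule name is an arbitrary choice.

```python
"""Added example, not part of the sandbox report: turns the extracted DarkComet
config and the reported persistence behaviour (Run key, Winlogon modification)
into checks an analyst can run. Stdlib only."""
import hashlib
import re

# IOCs copied from the report.
REPORT_HASHES = {
    "md5": "a95e3e4dbedcc98e826cc682ef8b3fd6",
    "sha1": "54008e19ea4b5b4a452905fa5f7d78b3ecfbfe6e",
    "sha256": "6aaa5a53455217ab61faeb5f0f57fb643f594af50ae613275db528119e3f3715",
    "sha512": "b73e4c4834e0b9de45c0efa8d589264e06b5f858bd393732fde1813c0d64ccc5"
              "e054625eaad5dd054f15d34e529d30a5505f84443e749640c5d68b00a8c4c4f5",
}
DARKCOMET_CONFIG = {
    "c2": "kvejo991.ddns.net:1604",
    "mutex": "DC_MUTEX-B50G4BJ",
    "install_path": r"MSDCSC\explorer.exe",
    "reg_key": "explorer",
}


def hash_bytes(data: bytes) -> dict:
    """Hex digests for the four algorithms the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def verify_hashes(data: bytes, expected: dict) -> dict:
    """Per-algorithm match flags. A mismatch on any one algorithm means the
    file in hand is not the sample this report describes."""
    actual = hash_bytes(data)
    return {alg: actual[alg] == digest.lower() for alg, digest in expected.items()}


def yara_rule(cfg: dict, name: str = "darkcomet_220726_lfbwvabef8") -> str:
    """Build a YARA rule from the config strings. The C2 host is used without
    the port so the string still matches if only the port is changed."""
    host = cfg["c2"].rsplit(":", 1)[0]
    path = cfg["install_path"].replace("\\", "\\\\")  # YARA needs escaped backslashes
    return "\n".join([
        f"rule {name} {{",
        "    strings:",
        f'        $c2    = "{host}" ascii wide',
        f'        $mutex = "{cfg["mutex"]}" ascii wide',
        f'        $path  = "{path}" ascii wide',
        "    condition:",
        "        uint16(0) == 0x5A4D and 2 of them",
        "}",
    ])


_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def scan_registry_export(lines, cfg: dict) -> list:
    """Walk a .reg export (the format `reg export` writes) and return
    (key, value_name, data) for the persistence artefacts the report names:
    a Run value named cfg['reg_key'] or pointing at the install path, and a
    Winlogon Userinit/Shell value that contains the install path."""
    hits, key = [], ""
    install = cfg["install_path"].lower()
    for raw in lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new key header
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        k = key.lower()
        if k.endswith("\\run") and (name.lower() == cfg["reg_key"].lower()
                                    or install in data.lower()):
            hits.append((key, name, data))
        elif (k.endswith("\\winlogon") and name.lower() in ("userinit", "shell")
              and install in data.lower()):
            hits.append((key, name, data))
    return hits


# Constructed sample export (not from the sandbox run): the two artefacts next
# to benign entries that must not be flagged.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"explorer"="C:\\Users\\victim\\Documents\\MSDCSC\\explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\victim\\Documents\\MSDCSC\\explorer.exe"
"""

if __name__ == "__main__":
    print(yara_rule(DARKCOMET_CONFIG))
    for hit in scan_registry_export(SAMPLE_REG_EXPORT.splitlines(), DARKCOMET_CONFIG):
        print("persistence artefact:", hit)
```

Two caveats when using this for hunting. The registry check deliberately ignores the stock `Shell = explorer.exe` value and only fires when the `MSDCSC\explorer.exe` install path is present, since the dropped file is named after the legitimate shell. The YARA rule matches the config strings as plaintext, so expect it to do better against memory dumps and unpacked copies than against the packed file on disk; the C2 host and port 1604 (DarkComet's default) are the more reliable network indicators.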
MITRE ATT&CK Matrix (ATT&CK v6)

The number after each technique is the sandbox's count of signatures mapped to it.

Persistence
- Winlogon Helper DLL (1)
- Modify Existing Service (2)
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)

Defense Evasion
- Modify Registry (6)
- Disabling Security Tools (2)
- Hidden Files and Directories (2)