General
- Target: Mega_joiner.exe
- Size: 2.0MB
- Sample: 220817-pz24xsfffk
- MD5: fa70cd866b1adbf3df6c6789bfae201e
- SHA1: f97b81f64d2af855ab2f903af64ddfb1eeabd3e4
- SHA256: 0345f6737ce5fd92f26f52bc57b43139abe9bd32acab831644f4054c45bee75c
- SHA512: b046c0a18f20531c008c0213f5b439531186903a3012b86489a1b3b0d582b5d7da90b695bbfccdbf597266804295d4dbd30eaab86607d2e169d094eb21b64f19
- SSDEEP: 49152:GnsHyjtk2MYC5GDbCUumo2R5G81p8AwUBj:Gnsmtk2aCCfL2RT1prJ

Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: mrchamp.hopto.org:1604
- Mutex: DC_MUTEX-M70B9H0
- Attributes:
  - InstallPath: MSDCSC\msdcsc.exe
  - gencode: RxDT39JFfM7e
  - install: true
  - offline_keylogger: true
  - persistence: true
  - reg_key: MicroUpdate
Targets
- Target: Mega_joiner.exe
  - Size: 2.0MB
  - MD5: fa70cd866b1adbf3df6c6789bfae201e
  - SHA1: f97b81f64d2af855ab2f903af64ddfb1eeabd3e4
  - SHA256: 0345f6737ce5fd92f26f52bc57b43139abe9bd32acab831644f4054c45bee75c
  - SHA512: b046c0a18f20531c008c0213f5b439531186903a3012b86489a1b3b0d582b5d7da90b695bbfccdbf597266804295d4dbd30eaab86607d2e169d094eb21b64f19
  - SSDEEP: 49152:GnsHyjtk2MYC5GDbCUumo2R5G81p8AwUBj:Gnsmtk2aCCfL2RT1prJ
  - Signatures:
    - Modifies WinLogon for persistence
    - Modifies firewall policy service
    - Modifies security service
    - XMRig Miner payload
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
    - Legitimate hosting services abused for malware hosting/C2
    - Suspicious use of SetThreadContext