General
- Target: 75cfd0a0c8b9bc3f741e0963ab00d5c7.exe
- Size: 1.4MB
- Sample: 220831-sgqjyshfg2
- MD5: 75cfd0a0c8b9bc3f741e0963ab00d5c7
- SHA1: 495477cdbadf5c7ba26c7e8e2903ce6534b15e32
- SHA256: daf01c5114ac5dd2e6a52d4ce4174e19482ed9f4d0409d734bc3c39a29f48497
- SHA512: 3d41c848394f5dfe1c6a2bbd31e13d221938a3d5c5e0091609348f15b0d3b293329c00ff32da02ee8d8bc3d3f5483266dfccfa5e6e6523f6e0261ff9ac3f7ebb
- SSDEEP: 24576:TAwLuc7VRctRRm/vqQIbwGiYEX3PuOobtnLtd/uo34qFlLBxC:MwLuestsvrCAWlbtLtNu8n
Static task: static1
Behavioral task: behavioral1
- Sample: 75cfd0a0c8b9bc3f741e0963ab00d5c7.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 75cfd0a0c8b9bc3f741e0963ab00d5c7.exe
- Resource: win10v2004-20220812-en
Malware Config
Extracted: darkcomet
- Guest16
- 185.140.53.117:1985
- DC_MUTEX-QFGHKXR
- InstallPath: MSDCSC\msdcsc.exe
- gencode: hW0MZpETNScR
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Extracted: lokibot
- http://login-mail-server.s3rv.me/server/Panel/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
- Target: 75cfd0a0c8b9bc3f741e0963ab00d5c7.exe
- Size: 1.4MB
- MD5: 75cfd0a0c8b9bc3f741e0963ab00d5c7
- SHA1: 495477cdbadf5c7ba26c7e8e2903ce6534b15e32
- SHA256: daf01c5114ac5dd2e6a52d4ce4174e19482ed9f4d0409d734bc3c39a29f48497
- SHA512: 3d41c848394f5dfe1c6a2bbd31e13d221938a3d5c5e0091609348f15b0d3b293329c00ff32da02ee8d8bc3d3f5483266dfccfa5e6e6523f6e0261ff9ac3f7ebb
- SSDEEP: 24576:TAwLuc7VRctRRm/vqQIbwGiYEX3PuOobtnLtd/uo34qFlLBxC:MwLuestsvrCAWlbtLtNu8n
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application