General
Target: Trojan-Ransom.Win32.Blocker.hrft-5801b953d771af5f71d5f972cc9143b49116a562b7e3c884cca167dac043cc3d
Size: 339KB
Sample: 221106-3q6yeaaedq
MD5: 7f193864875f86617fb274d491605645
SHA1: 1374a7958b0c596edea03f681402fd3103b233ba
SHA256: 5801b953d771af5f71d5f972cc9143b49116a562b7e3c884cca167dac043cc3d
SHA512: 059bb16deb70152c58314381102dd25e52f53090fcf5f88430bbe953df4e686ee9708316de52944a02e002b7fb99ccc70fa6a2413fd5907d78d52891fcb16492
SSDEEP: 6144:AUxA/K7GWMXqLj3BtP6J6TCDEVERm6m35RAzi702eOOaQ/hluADpfO:AUxseGWMXOttP60CDmI9651702eAufO
Behavioral task
behavioral1
Sample: Trojan-Ransom.Win32.Blocker.exe
Resource: win7-20220812-en

Malware Config
Extracted
Family: darkcomet
Botnet: VIC
C2: tigerbait.no-ip.org:200
Mutex: DC_MUTEX-RTR47PT
InstallPath: MSDCSC\msdcsc.exe
gencode: aYkU1NxKaQm1
install: true
offline_keylogger: true
persistence: true
reg_key: rundll32
Targets
Target: Trojan-Ransom.Win32.Blocker.hrft-5801b953d771af5f71d5f972cc9143b49116a562b7e3c884cca167dac043cc3d
Size: 339KB
MD5: 7f193864875f86617fb274d491605645
SHA1: 1374a7958b0c596edea03f681402fd3103b233ba
SHA256: 5801b953d771af5f71d5f972cc9143b49116a562b7e3c884cca167dac043cc3d
SHA512: 059bb16deb70152c58314381102dd25e52f53090fcf5f88430bbe953df4e686ee9708316de52944a02e002b7fb99ccc70fa6a2413fd5907d78d52891fcb16492
SSDEEP: 6144:AUxA/K7GWMXqLj3BtP6J6TCDEVERm6m35RAzi702eOOaQ/hluADpfO:AUxseGWMXOttP60CDmI9651702eAufO

Modifies WinLogon for persistence
Executes dropped EXE
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Loads dropped DLL
Adds Run key to start application