General
Target: 918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59
Size: 1.3MB
Sample: 221123-hl4x2ahf2v
MD5: 5b4676c83b81c115e4213863027a8cd8
SHA1: c6ce3d2675c4fb5e160976ed0c1ee0ac7fdfda15
SHA256: 918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59
SHA512: 5799829fe0fc921fa91f93573d5ddfb155ab04541260a3b864e9cc68dc6512c1fe348f844cac6db09e5666efcb540efb1a3f65d93677aedbade888196d87261d
SSDEEP: 24576:PHwF8vrx52t07FQaWZ1xuVVjfFoynPaVBUR8f+kN10EBCvzR:PQF8vrYaKamQDgok30/bR
Behavioral task: behavioral1
Sample: 918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59.exe
Resource: win7-20221111-en
Malware Config

Extracted: darkcomet
Botnet ID: Guest16
C2: big_hacker.no-ip.biz:76
Mutex: DC_MUTEX-6MQJ6G6
InstallPath: SYS32\sys32.exe
gencode: V9HSzMovyRBL
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate

Extracted: cybergate
Version: v3.4.2.2
Remote (C2): miecrosoft.servehttp.com:81, bighacker.no-ip.biz:99
Mutex: BD8K6YUOG4TT2Q
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs
ftp_interval: 30
injected_process: explorer.exe
install_dir: nividia
install_file: nividia
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: cybergate
Targets

Target: 918ab61f99a66af67e75300e4fb5b58fe6547bab2d5468cc57dc7a2146b40c59 (1.3MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)

Signatures:
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Executes dropped EXE
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
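The extracted configs and the signature list above give everything needed for a first host triage: C2 host:port pairs, mutex names, the DarkComet Run-key name and install path, the CyberGate install name, and the three registry-backed behaviours (RegEdit/Task Manager disabled, WinLogon modified). The script below is an added example and is not part of the sandbox report or of either RAT. Indicator values are copied from the report; the registry locations it checks (the HKCU Policies\System key for DisableTaskMgr/DisableRegistryTools, the Run keys, and the Winlogon Shell/Userinit values) are the standard Windows locations for those behaviours, which the report does not spell out, so treating them as this sample's exact targets is an assumption. The host snapshots are constructed inline so the script runs offline.

```python
"""Host triage for the DarkComet / CyberGate indicators in this report.

Added example, not code from the report. Indicator values come from the
report's extracted configs; the registry key paths are the standard
Windows locations for the listed behaviours and are an assumption about
where this sample writes (the report only names the behaviour).
"""
from dataclasses import dataclass

# Indicators copied from the extracted configs in the report.
C2 = {
    ("big_hacker.no-ip.biz", 76),          # darkcomet C2
    ("miecrosoft.servehttp.com", 81),      # cybergate remote
    ("bighacker.no-ip.biz", 99),           # cybergate remote
}
MUTEXES = {"DC_MUTEX-6MQJ6G6", "BD8K6YUOG4TT2Q"}
RUN_KEY_NAME = "MicroUpdate"               # darkcomet reg_key
INSTALL_PATH_PARTS = ("sys32\\sys32.exe",  # darkcomet InstallPath
                      "nividia")           # cybergate install_dir / install_file

# Standard Windows locations (assumption: the report names only the behaviour).
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)
WINLOGON_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_DEFAULTS = {                      # stock values on a Windows 7 host
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}


@dataclass
class HostSnapshot:
    """Minimal view of a host: registry values, live mutexes, open connections."""
    registry: dict[str, dict[str, str]]    # key path -> {value name: data}
    mutexes: set[str]
    connections: set[tuple[str, int]]      # (remote host, remote port)


def triage(snap: HostSnapshot) -> list[str]:
    """Return one finding string per indicator or behaviour observed."""
    findings: list[str] = []
    for host, port in sorted(snap.connections & C2):
        findings.append(f"c2: connection to {host}:{port}")
    for m in sorted(snap.mutexes & MUTEXES):
        findings.append(f"mutex: {m}")
    # "Adds Run key to start application": match on the config's value name
    # or on either install path fragment appearing in the command line.
    for key in RUN_KEYS:
        for name, data in snap.registry.get(key, {}).items():
            if name == RUN_KEY_NAME or any(p in data.lower() for p in INSTALL_PATH_PARTS):
                findings.append(f"run key: {key}\\{name} = {data}")
    # "Disables Task Manager / RegEdit via registry modification".
    policy = snap.registry.get(POLICY_KEY, {})
    for value in ("DisableTaskMgr", "DisableRegistryTools"):
        if policy.get(value) == "1":
            findings.append(f"policy: {value}=1")
    # "Modifies WinLogon for persistence": any drift from the stock values.
    winlogon = snap.registry.get(WINLOGON_KEY, {})
    for name, default in WINLOGON_DEFAULTS.items():
        data = winlogon.get(name)
        if data is not None and data.lower().rstrip() != default.lower():
            findings.append(f"winlogon: {name} = {data}")
    return findings


# Constructed snapshots (not real telemetry): one mimicking an infected host,
# one clean. The dropped-file path is a placeholder consistent with the
# report's "Drops file in System32 directory" signature.
INFECTED = HostSnapshot(
    registry={
        RUN_KEYS[0]: {"MicroUpdate": r"C:\Windows\system32\SYS32\sys32.exe"},
        POLICY_KEY: {"DisableTaskMgr": "1", "DisableRegistryTools": "1"},
        WINLOGON_KEY: {
            "Shell": "explorer.exe",
            "Userinit": r"C:\Windows\system32\userinit.exe,C:\Windows\system32\SYS32\sys32.exe",
        },
    },
    mutexes={"DC_MUTEX-6MQJ6G6", "Local\\ZonesCacheCounterMutex"},
    connections={("big_hacker.no-ip.biz", 76), ("miecrosoft.servehttp.com", 81), ("example.org", 443)},
)
CLEAN = HostSnapshot(
    registry={POLICY_KEY: {}, WINLOGON_KEY: dict(WINLOGON_DEFAULTS)},
    mutexes={"Local\\ZonesCacheCounterMutex"},
    connections={("example.org", 443)},
)

if __name__ == "__main__":
    for finding in triage(INFECTED):
        print(finding)
```

The Winlogon check deliberately flags any drift from the stock Shell/Userinit values rather than searching for the sample's own path, because the report confirms the key is modified but not which value or with what; a clean host therefore produces no Winlogon finding even though both values are present.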