General
- Target: 6e9b8f371a012ec66e6f90c6cdcd4115e6bdfde35a84333d9bb54adbd34a0516
- Size: 553KB
- Sample: 221123-s6mvcsdb75
- MD5: 8b2b64f06215868b96106157353a0f08
- SHA1: 1772a263d62f448b1bc3cb22b24bf81f662f49c7
- SHA256: 6e9b8f371a012ec66e6f90c6cdcd4115e6bdfde35a84333d9bb54adbd34a0516
- SHA512: d4e9593b3992f741295ef0f331670433762bf203eca3e31c4f87bd0fb12cbe1f157aad58d5b79fd7f183689a52f1a38bc51bc6f53328b74a0f340970557f37df
- SSDEEP: 12288:qRWNcr8oxnJXg0elfgWgPxqgqPgn/8v0fOwYh:ZNBIJX+ZgkPg/gYOwYh
- Static task: static1
- Behavioral task: behavioral1
- Sample: 6e9b8f371a012ec66e6f90c6cdcd4115e6bdfde35a84333d9bb54adbd34a0516.exe
- Resource: win7-20220812-en
Malware Config
Extracted
- darkcomet
- Guest16
- raidbomber.no-ip.org:1700
- DC_MUTEX-EG9SQM8
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 3y3wMVwFYYqF
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Targets
- Target: 6e9b8f371a012ec66e6f90c6cdcd4115e6bdfde35a84333d9bb54adbd34a0516
- Modifies WinLogon for persistence
- Modifies security service
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext