General
-
Target
6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478
-
Size
739KB
-
Sample
221123-vejdzagg85
-
MD5
4d3598646882b23eee497f413d1f7fb2
-
SHA1
368d6b9766b565dbd611a446921251fa65a2393c
-
SHA256
6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478
-
SHA512
52247a6279d998418d3192cc602d919744329bb9bf4f341b0e45e6fc7c9c6e70346f4ee37e77cb9c5171568cf4128d0ec59487dcbd3fa25ebdc83fea5fd29fdc
-
SSDEEP
12288:3JXwP/1klEfc+zI1a4yHKMA6/Ut7Jq1BCN5N/BZ9Si7KFaqBQ:39I/iluzOadPACUt7Q1Cb/Bl7L
Static task
static1
Behavioral task
behavioral1
Sample
6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478.exe
Resource
win10v2004-20220901-en
Malware Config
Extracted
darkcomet
Guest16
endocomet.no-ip.biz:1604
DC_MUTEX-5W69PR6
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
NK090aa72Gqo
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Targets
-
-
Target
6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478
-
Size
739KB
-
MD5
4d3598646882b23eee497f413d1f7fb2
-
SHA1
368d6b9766b565dbd611a446921251fa65a2393c
-
SHA256
6f78c48123f052a1792189fc2b648c82813ecc56353bf5b74a863667152b4478
-
SHA512
52247a6279d998418d3192cc602d919744329bb9bf4f341b0e45e6fc7c9c6e70346f4ee37e77cb9c5171568cf4128d0ec59487dcbd3fa25ebdc83fea5fd29fdc
-
SSDEEP
12288:3JXwP/1klEfc+zI1a4yHKMA6/Ut7Jq1BCN5N/BZ9Si7KFaqBQ:39I/iluzOadPACUt7Q1Cb/Bl7L
Score10/10-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-