General
Target: 01c66de38b338395e4ebbd8f79444172c4481e59d487e69b5bce862513f5d426
Size: 3.1MB
Sample: 221123-y8sraafc3w
MD5: 75096253075bc97cd02e5366d5a900f1
SHA1: 42391942a79e1ee53c79374318628be8a9ef223e
SHA256: 01c66de38b338395e4ebbd8f79444172c4481e59d487e69b5bce862513f5d426
SHA512: 79bf8c2ef98215e03ecf62f0df9e7a6c9c49e2911bf7a73bcd106655af2cdd0cc3044b51bd7b0a8a0165dacd219ef665a292683041eac44fe6470a20aed7e2bf
SSDEEP: 49152:JnGJphpAPfrFGG5ibvc/WSyXPz4JIaWTnMByU2okoc/5IesQIWhnI7NPJnc:JnGJfIfH5ic/LJyTnoA/5IS/S8
Static task: static1
Behavioral task: behavioral1
Sample: 01c66de38b338395e4ebbd8f79444172c4481e59d487e69b5bce862513f5d426.exe
Resource: win7-20221111-en
Malware Config

Extracted
darkcomet
bot
beverkiss.duia.ro:87
DC_MUTEX-XVKLWPB
InstallPath: MSDCSC\msdcsc.exe
gencode: psfz2bEuE68Q
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate

Extracted
darkcomet
fo3
camfrogbot.ntdll.net:447
DC_MUTEX-54E3DUD
InstallPath: MSDCSC\msdcsc.exe
gencode: KWHTBFC3LTQz
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Targets
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext