General

Target: 78317c1fab42ec5fac0910217b653200f6d57f9f1bae414fab61f0cf24ba1dec
Size: 706KB
Sample ID: 221125-jgqehsbd92
MD5: 4f4b1fdf7716475598b85aa697bde79f
SHA1: 75636e3ab42f9ce94d67ad10358fe6b0f155032c
SHA256: 78317c1fab42ec5fac0910217b653200f6d57f9f1bae414fab61f0cf24ba1dec
SHA512: 63662fe4c6003c36d4482b08ef46257a13ebdae69b560f3360f5ff68d0c881fd6627cd0cc65a0dbba9a7e9cec89003de713d11347b7695d7068fd86b334c3101
SSDEEP: 12288:7F1jyJiIb0ViydLd21typH/f980yy0EMZOJG9ZCWPYkpGYnRDQPdp+RQCdFawpYt:Xyh0VtJp39LywMLjPxpGYZqjGdF7pYt

Static task: static1

Behavioral task: behavioral1
Sample: 78317c1fab42ec5fac0910217b653200f6d57f9f1bae414fab61f0cf24ba1dec.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 78317c1fab42ec5fac0910217b653200f6d57f9f1bae414fab61f0cf24ba1dec.exe
Resource: win10v2004-20220812-en
Malware Config

Extracted family: darkcomet
Botnet ID: Warbox Hack
C2: rique.ddns.net:1509
C2: rique.ddns.net:1510
Mutex: DC_MUTEX-G286DKR
InstallPath: NETFramework\mscorsvw.exe
gencode: 56z1nPkRsoaD
install: true
offline_keylogger: true
password: 09012000
persistence: true
reg_key: mscorsvw
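How a config like the one above is recovered from a DarkComet build, as an added example that is not part of this report and not code from any sandbox: DarkComet stores its settings in a DCDATA resource as a hex string of RC4 ciphertext, using one of a handful of hard-coded keys and a KEY={VALUE} line layout, both as published by open-source DarkComet decoders. The resource bytes below are constructed inside the block by encrypting a plaintext built from this report's own values (mutex, C2 hosts, install path, key name, password), standing in for the bytes a real extractor would read out of the PE's resource section; the field-name mapping to the report's labels is this example's own.

```python
import binascii
import re
from typing import Dict, List, Tuple, Union

# RC4 keys used by DarkComet builds for the DCDATA resource (4.2, 4.2F, 5.0, 5.1),
# as published by open-source DarkComet config decoders.
DC_KEYS = [b"#KCMDDC42#-890", b"#KCMDDC42F#-890", b"#KCMDDC5#-890", b"#KCMDDC51#-890"]

# Field name inside the resource -> field name as shown in the report (mapping is this example's).
FIELD_MAP = {
    "MUTEX": "mutex",
    "SID": "botnet_id",
    "EDTPATH": "InstallPath",
    "KEYNAME": "reg_key",
    "GENCODE": "gencode",
    "PWD": "password",
    "INSTALL": "install",
    "PERSINST": "persistence",
    "OFFLINEK": "offline_keylogger",
}
BOOL_FIELDS = {"INSTALL", "PERSINST", "OFFLINEK"}

Config = Dict[str, Union[str, bool, List[str]]]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(text: str) -> Config:
    """Map KEY={VALUE} lines to the report's field names; NETDATA holds '|'-separated host:port C2s."""
    cfg: Config = {}
    for key, value in re.findall(r"([A-Z0-9]+)=\{([^}]*)\}", text):
        if key == "NETDATA":
            cfg["c2"] = [hp for hp in value.split("|") if hp]
        elif key in FIELD_MAP:
            cfg[FIELD_MAP[key]] = (value == "1") if key in BOOL_FIELDS else value
    return cfg


def decode_dcdata(resource: bytes) -> Tuple[Config, bytes]:
    """Hex-decode the resource, try each known key, accept the plaintext that contains MUTEX={."""
    raw = binascii.unhexlify(resource.strip())
    for key in DC_KEYS:
        plain = rc4(key, raw)
        try:
            text = plain.decode("ascii")
        except UnicodeDecodeError:
            continue  # wrong key: keystream garbage is not printable ASCII
        if "MUTEX={" in text:
            return parse_config(text), key
    raise ValueError("no known DarkComet key decrypts this resource")


# Constructed stand-in for the DCDATA resource: a plaintext built from this report's values,
# encrypted with the 5.1 key and hex-encoded the way the resource is stored in the PE.
_CONSTRUCTED_PLAINTEXT = (
    "MUTEX={DC_MUTEX-G286DKR}\r\n"
    "SID={Warbox Hack}\r\n"
    "NETDATA={rique.ddns.net:1509|rique.ddns.net:1510}\r\n"
    "GENCODE={56z1nPkRsoaD}\r\n"
    "INSTALL={1}\r\n"
    "EDTPATH={NETFramework\\mscorsvw.exe}\r\n"
    "KEYNAME={mscorsvw}\r\n"
    "PERSINST={1}\r\n"
    "OFFLINEK={1}\r\n"
    "PWD={09012000}\r\n"
)
SAMPLE_DCDATA = binascii.hexlify(rc4(DC_KEYS[3], _CONSTRUCTED_PLAINTEXT.encode("ascii"))).upper()

if __name__ == "__main__":
    config, used_key = decode_dcdata(SAMPLE_DCDATA)
    print("key:", used_key.decode())
    for name, value in config.items():
        print(f"{name}: {value}")
```

The key loop matters in practice: a sample only tells you its RC4 key by which candidate yields a plaintext with the expected field layout, so the validity check (`MUTEX={` present, all-ASCII) is what separates a real decrypt from keystream noise.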
Targets

Target: 78317c1fab42ec5fac0910217b653200f6d57f9f1bae414fab61f0cf24ba1dec
Size: 706KB
MD5: 4f4b1fdf7716475598b85aa697bde79f
SHA1: 75636e3ab42f9ce94d67ad10358fe6b0f155032c
SHA256: 78317c1fab42ec5fac0910217b653200f6d57f9f1bae414fab61f0cf24ba1dec
SHA512: 63662fe4c6003c36d4482b08ef46257a13ebdae69b560f3360f5ff68d0c881fd6627cd0cc65a0dbba9a7e9cec89003de713d11347b7695d7068fd86b334c3101
SSDEEP: 12288:7F1jyJiIb0ViydLd21typH/f980yy0EMZOJG9ZCWPYkpGYnRDQPdp+RQCdFawpYt:Xyh0VtJp39LywMLjPxpGYZqjGdF7pYt

Score: 10/10

Signatures:
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext (the API used to redirect a suspended thread's execution, as in process hollowing and similar injection; the report records the call, not the target)
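The persistence signatures above (Winlogon modification, a Run key named after the config's reg_key, a dropped executable under System32) as a hunting check run over registry value-set events, added here as an example; it is not part of the report and not code from any sandbox or vendor. It assumes the events arrive as key/data pairs of the kind Sysmon Event ID 13 (registry value set) produces, that the full drop path is C:\Windows\System32\NETFramework\mscorsvw.exe (the report gives only the relative InstallPath and the "Drops file in System32 directory" signature), and that the only legitimate homes of mscorsvw.exe are the .NET Framework directories. The events are constructed for the example. Beyond the report's own indicators, the block also flags the general case of a Run entry whose binary name matches a known Windows executable but lives outside that executable's expected directory.

```python
import re
from typing import Dict, List, Tuple

# Legitimate Winlogon\Userinit entry; anything appended after it also runs at every logon.
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"

# Directories where the real .NET native-image service binary lives (assumption for this example);
# a copy with that name anywhere else is masquerading.
EXPECTED_DIRS = {
    "mscorsvw.exe": (r"c:\windows\microsoft.net\framework", r"c:\windows\microsoft.net\framework64"),
}

# Indicators taken from the extracted config above (reg_key and InstallPath), lower-cased.
REPORT_REG_KEY = "mscorsvw"
REPORT_INSTALL_PATH = r"netframework\mscorsvw.exe"

Event = Dict[str, str]
Finding = Tuple[str, str, str]  # (rule, registry key, offending path)


def norm(path: str) -> str:
    return path.strip().strip('"').lower()


def exe_from_command(data: str) -> str:
    """First executable in a Run-key command line, quoted or not, without its arguments."""
    m = re.match(r'\s*"?([^"]+?\.exe)', data, re.IGNORECASE)
    return norm(m.group(1)) if m else ""


def userinit_extras(value: str) -> List[str]:
    """Entries in a Userinit value other than the legitimate userinit.exe."""
    return [norm(e) for e in value.split(",") if e.strip() and norm(e) != LEGIT_USERINIT]


def hunt(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        key, data = ev["key"], ev["data"]
        lkey = key.lower()
        if lkey.endswith(r"\winlogon\userinit"):
            for extra in userinit_extras(data):
                findings.append(("winlogon_userinit_append", key, extra))
        elif "\\currentversion\\run\\" in lkey:
            value_name = key.rsplit("\\", 1)[1].lower()
            exe = exe_from_command(data)
            base = exe.rsplit("\\", 1)[-1]
            if value_name == REPORT_REG_KEY or exe.endswith(REPORT_INSTALL_PATH):
                findings.append(("run_key_report_ioc", key, exe))
            elif base in EXPECTED_DIRS and not exe.startswith(tuple(d + "\\" for d in EXPECTED_DIRS[base])):
                findings.append(("run_key_masquerade", key, exe))
    return findings


# Constructed registry value-set events, not real telemetry: two that match the report,
# two benign ones, and one look-alike that only the general masquerade rule catches.
EVENTS: List[Event] = [
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "data": r"C:\Windows\system32\userinit.exe,C:\Windows\System32\NETFramework\mscorsvw.exe"},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mscorsvw",
     "data": r"C:\Windows\System32\NETFramework\mscorsvw.exe"},
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "data": r"C:\Windows\system32\userinit.exe,"},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\Public\mscorsvw.exe"},
]

if __name__ == "__main__":
    for rule, key, path in hunt(EVENTS):
        print(f"{rule}: {key} -> {path}")
```

The Userinit rule is the durable one: the config's reg_key and path are specific to this build, but any value appended after userinit.exe in that key runs at logon regardless of what the operator named the dropper.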