General
Target: 7c5a0a556d1726082f301f91ce45bc500f67a7a0bfebe3946be777060368ffdc
Size: 1.5MB
Sample: 221126-ckxjnshb2x
MD5: d538e0d54e60e10395575cad37ebe192
SHA1: 2bbc96bfe9feaddd84a6e6b1fca1ebd2fc922313
SHA256: 7c5a0a556d1726082f301f91ce45bc500f67a7a0bfebe3946be777060368ffdc
SHA512: 506dcf8faaf245e2030d4a46e7385033f386c38adb73751493f534e126ce2afb656d0b4c4aa0919fb63d36d11f7724cd4f639f678ef185030a3497e74cb85d1c
SSDEEP: 24576:Mtb20pkaCqT5TBWgNQ7aIqudDUo3IR9S2DIe6wMFZum5HKg6A:1Vg5tQ7a6QSxee5H75
Static task: static1

Behavioral task: behavioral1
Sample: 7c5a0a556d1726082f301f91ce45bc500f67a7a0bfebe3946be777060368ffdc.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 7c5a0a556d1726082f301f91ce45bc500f67a7a0bfebe3946be777060368ffdc.exe
Resource: win10v2004-20220812-en
Malware Config
Extracted
Family: darkcomet
Botnet: BTC
C2: zw23.hopper.pw:64202
Mutex: DC_MUTEX-GGA8YL2
InstallPath: svchost\svchost.exe
gencode: lWvefMLzfSyz
install: true
offline_keylogger: true
persistence: true
reg_key: Host Process for Windows Services
Targets
Target: 7c5a0a556d1726082f301f91ce45bc500f67a7a0bfebe3946be777060368ffdc
Size: 1.5MB
MD5: d538e0d54e60e10395575cad37ebe192
SHA1: 2bbc96bfe9feaddd84a6e6b1fca1ebd2fc922313
SHA256: 7c5a0a556d1726082f301f91ce45bc500f67a7a0bfebe3946be777060368ffdc
SHA512: 506dcf8faaf245e2030d4a46e7385033f386c38adb73751493f534e126ce2afb656d0b4c4aa0919fb63d36d11f7724cd4f639f678ef185030a3497e74cb85d1c
SSDEEP: 24576:Mtb20pkaCqT5TBWgNQ7aIqudDUo3IR9S2DIe6wMFZum5HKg6A:1Vg5tQ7a6QSxee5H75
Score: 10/10
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext