General
Target: 4a485db03e2ee5ab14422d0617c17c6f4b04e4162e32dd9e09e32ddf8d45e6ae
Size: 1.2MB
Sample: 221126-clzenaea22
MD5: ad4e2774b2931257963ef9412ee8c859
SHA1: ded268e93c4e856f32bf7d9ae91530063a5fb35a
SHA256: 4a485db03e2ee5ab14422d0617c17c6f4b04e4162e32dd9e09e32ddf8d45e6ae
SHA512: 49f0e9477dccb7eba0079da7a969e97960ff6c88558fee33060be9fd2258589c6ed38f2ce0a08a99a10d8d1a804f6d0d90d748da68607cf855a979cef9536ca4
SSDEEP: 24576:IhkL1xAjyblhDSrXx7Y0OryiCzQ7+DqKt1ihZl+UGWImbvZrDBS:wkL1eybl1Sr16rylzE6qKfihr+UGWImb
Behavioral task: behavioral1
Sample: 4a485db03e2ee5ab14422d0617c17c6f4b04e4162e32dd9e09e32ddf8d45e6ae.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 4a485db03e2ee5ab14422d0617c17c6f4b04e4162e32dd9e09e32ddf8d45e6ae.exe
Resource: win10v2004-20221111-en
Malware Config
Extracted: darkcomet
SA-MP Players
DC_MUTEX-QF340FQ
InstallPath: system\update.exe
gencode: 42zcgVwM0zh1
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Targets
Target: 4a485db03e2ee5ab14422d0617c17c6f4b04e4162e32dd9e09e32ddf8d45e6ae
- Modifies WinLogon for persistence
- NirSoft MailPassView: password recovery tool for various email clients
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of SetThreadContext