General
-
Target
3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa
-
Size
751KB
-
Sample
221126-snvggsgb6y
-
MD5
4a28946dd4a3270bffab291cff7a4af0
-
SHA1
35327c65e06cb68823834791bb42b3886b3d4941
-
SHA256
3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa
-
SHA512
94330ff3a19b9065873b24472cc2896d2dfc134df5af718f9cfc5b5d23f607114396db38f2c67d604b6f2225b570319331b395eb73bd3a264c902368a6ce22b1
-
SSDEEP
12288:9uQy3/4W9AbG1SclUosPqCVmPtbiA71K+Y1e2kPNw4Bo7uS1PziLeGqtnCDk:UQyP4W9AbD0Js5cVC+SXkPRquS164C
Behavioral task
behavioral1
Sample
3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Resource
win10v2004-20221111-en
Malware Config
Extracted
darkcomet
darkcomet_tom
lizzerdminecraft.no-ip.biz:246
DCMIN_MUTEX-T1G1FP3
-
gencode
h9nRHuFJSttf
-
install
false
-
offline_keylogger
true
-
persistence
false
Targets
-
-
Target
3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa
-
Size
751KB
-
MD5
4a28946dd4a3270bffab291cff7a4af0
-
SHA1
35327c65e06cb68823834791bb42b3886b3d4941
-
SHA256
3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa
-
SHA512
94330ff3a19b9065873b24472cc2896d2dfc134df5af718f9cfc5b5d23f607114396db38f2c67d604b6f2225b570319331b395eb73bd3a264c902368a6ce22b1
-
SSDEEP
12288:9uQy3/4W9AbG1SclUosPqCVmPtbiA71K+Y1e2kPNw4Bo7uS1PziLeGqtnCDk:UQyP4W9AbD0Js5cVC+SXkPRquS164C
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-