General
Target: f582179374bde1f836cb2d8f98f4d6de71e23bfa120d503a3a3eb8e0e9d6ac52
Size: 1.2MB
Sample: 221127-l8tblahe35
MD5: 6966f74e9d8f1a376ea379f9fcc206a2
SHA1: 3686d3a9a07ed9f9bda256df9cd2e5604c84de2f
SHA256: f582179374bde1f836cb2d8f98f4d6de71e23bfa120d503a3a3eb8e0e9d6ac52
SHA512: 0cf914ae8cf954000a526584c01028409188a19ed4b2910618ed458fa76e3fcf5f0df6fb32b8e9b256535f2d07ebee834c7e5357fd3e597b6803bbd0dd1e0336
SSDEEP: 12288:C+0Qo6Vv9vkeeP2d+1bmXlZeGB3EHPiiyPP+Mxb1:C+0Z6Vdkeea+1i0iiyPFxZ
Static task: static1
Behavioral task: behavioral1 (Sample: f582179374bde1f836cb2d8f98f4d6de71e23bfa120d503a3a3eb8e0e9d6ac52.exe; Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: f582179374bde1f836cb2d8f98f4d6de71e23bfa120d503a3a3eb8e0e9d6ac52.exe; Resource: win10v2004-20220812-en)
Malware Config
Extracted: darkcomet
Botnet: Infected
C2: dcnew.ddns.net:1604
Mutex: DC_MUTEX-R5E5D6N
InstallPath: WindowsDefencler\WindowsDefencler.exe
gencode: J8TDDtLHxoYC
install: true
offline_keylogger: true
password: 00000
persistence: true
reg_key: WindowsDefencler
Targets
Target: f582179374bde1f836cb2d8f98f4d6de71e23bfa120d503a3a3eb8e0e9d6ac52
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext