General
- Target: c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59
- Size: 449KB
- Sample: 221128-b378fsae4v
- MD5: e10ca314d5cc8d7643aff2acd14b8696
- SHA1: ff0e4023caa46ba078be0645c132b072a945d4f3
- SHA256: c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59
- SHA512: 6b0777d52ea3f4e96185ec826d4637fd4f32ae604eec05ee2a6e83ac28b85bbb7a1ecb1ed9d0eb5b2996243b6317c39ee995f5539ba06551e119dea7c163414b
- SSDEEP: 6144:59ts21gkJMMMyMEv1Goh7TJTX9sIsQkiFIk6/mFDe9Sqhq7nj/I0JIY7+qga:LtsiX2MFNgoRT1XasIk6CCVqA0Jd+q
Static task: static1
Behavioral task: behavioral1
- Sample: c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59.exe
- Resource: win10v2004-20220901-en
Malware Config
Extracted
darkcomet
tell
ddos.duia.ro:443
DCMIN_MUTEX-E61LPZQ
- InstallPath: notepad.exe
- gencode: STE5MstR9N7H
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: Host process
Targets
- Target: c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59
- Size: 449KB
- MD5: e10ca314d5cc8d7643aff2acd14b8696
- SHA1: ff0e4023caa46ba078be0645c132b072a945d4f3
- SHA256: c2e9570d4fb83255487fb4e572b047592d2b0d1101c0499e5bed074385343f59
- SHA512: 6b0777d52ea3f4e96185ec826d4637fd4f32ae604eec05ee2a6e83ac28b85bbb7a1ecb1ed9d0eb5b2996243b6317c39ee995f5539ba06551e119dea7c163414b
- SSDEEP: 6144:59ts21gkJMMMyMEv1Goh7TJTX9sIsQkiFIk6/mFDe9Sqhq7nj/I0JIY7+qga:LtsiX2MFNgoRT1XasIk6CCVqA0Jd+q
Score: 10/10
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modifies WinLogon for persistence
- ModiLoader Second Stage
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext