General
Target: 59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04
Size: 1.2MB
Sample: 221128-mphw7acd2v
MD5: 3e7390c3eeeb28cb18eaa5b7f682b0da
SHA1: 9d8401994e982e037a4e395faf1597cb76470171
SHA256: 59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04
SHA512: 4cc01a3b5629a8d029ebcda3f5f514f4da235edd554306640d200eb522c5909c7a2944fb85993ebfd2d4a63451507a32b4907c15551ffe0b0820fe0d1c8d65fc
SSDEEP: 24576:I0QtqBorTlYWBhE+V3mO20zwt/l1SRKgZ2eS:I7tqFWM4mNWI
Static task: static1
Behavioral task: behavioral1
Sample: 59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04.exe
Resource: win7-20220812-en
Malware Config
Extracted (smtp, credentials the sample uses to send stolen data out)
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: nickflip2009@gmail.com
Password: nick5501
Extracted (darkcomet)
Slaves (C2 hosts the implant connects back to): nickflip2015.no-ip.org:1604, 10.0.0.75:1604
Mutex: DC_MUTEX-D8AZQWD
InstallPath: MSDCSC\msdcsc.exe
gencode: HhJKioBtXipk
install: true
offline_keylogger: false
persistence: true
reg_key: MicroUpdate
Targets
Target: 59ee343c2509ff9b795bba287ac8763cb0a059058945a9d8a4e7033e46299e04 (1.2MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Signatures:
- Modifies WinLogon for persistence
- Modifies firewall policy service
- NirSoft MailPassView: password recovery tool for various email clients. A legitimate NirSoft utility; bundled inside a DarkComet sample it is used to harvest stored mail credentials, so its detection here indicates credential theft, not a NirSoft installation.
- NirSoft WebBrowserPassView: password recovery tool for various web browsers, bundled for the same purpose.
- Nirsoft: family tag covering the two tools above.
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution: a Visual Basic compiler process is started; together with the SetThreadContext signature below this is the usual pattern of hollowing a legitimate signed host process.
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext: typically seen when the thread context of a suspended child process is rewritten to redirect execution into injected code (process hollowing).
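As an added example, not code from the sandbox report or from DarkComet itself: a small host-side detection pass in Python that runs the behaviours and indicators above against constructed Sysmon-style telemetry. Only the install path, Run key name, mutex, C2 endpoints and SMTP exfil host come from the extracted config; the registry value names used by the Winlogon, policy and firewall rules (UserInit, DisableRegistryTools, DisableTaskMgr, EnableFirewall) are assumptions about DarkComet's usual behaviour and are not stated on this page. The event records are constructed, not real captures.

```python
"""Host-side triage for the DarkComet behaviours in this report.

Added example, not from the sandbox or the report. Install path, Run key name,
mutex, C2 endpoints and the SMTP exfil host come from the extracted config;
the registry value names used by the Winlogon, policy and firewall rules are
assumptions about DarkComet's usual behaviour. Events below are constructed to
resemble Sysmon-style telemetry and are not real captures.
"""
import re

# Indicators taken from the extracted configuration in this report.
INSTALL_PATH = r"MSDCSC\msdcsc.exe"
RUN_KEY_NAME = "MicroUpdate"
MUTEX = "DC_MUTEX-D8AZQWD"
C2_ENDPOINTS = {("nickflip2015.no-ip.org", 1604), ("10.0.0.75", 1604)}
SMTP_EXFIL = ("smtp.gmail.com", 587)

def _key_ends(event, suffix):
    return event["type"] == "registry" and event["key"].lower().endswith(suffix.lower())

def _dword(event):
    """Parse '1', '0x1' or Sysmon's 'DWORD (0x00000001)' into an int, else None."""
    m = re.search(r"(0x[0-9a-f]+|\d+)\)?\s*$", event.get("data", "").lower())
    if not m:
        return None
    v = m.group(1)
    return int(v, 16) if v.startswith("0x") else int(v)

def rule_install_path(e):
    """Dropped payload executed from the configured InstallPath."""
    return e["type"] == "process" and INSTALL_PATH.lower() in e["image"].lower()

def rule_run_key(e):
    """Run key named after reg_key in the config ('Adds Run key' signature)."""
    return _key_ends(e, "\\CurrentVersion\\Run\\" + RUN_KEY_NAME)

def rule_winlogon(e):
    """Assumption: the Winlogon change is the implant path appended to UserInit."""
    return _key_ends(e, r"\Winlogon\UserInit") and "msdcsc.exe" in e.get("data", "").lower()

def rule_disable_regedit(e):
    return _key_ends(e, r"\Policies\System\DisableRegistryTools") and _dword(e) == 1

def rule_disable_taskmgr(e):
    return _key_ends(e, r"\Policies\System\DisableTaskMgr") and _dword(e) == 1

def rule_firewall_off(e):
    """Assumption: 'Modifies firewall policy service' is EnableFirewall set to 0."""
    return (_key_ends(e, r"\EnableFirewall") and "\\firewallpolicy\\" in e["key"].lower()
            and _dword(e) == 0)

def rule_mutex(e):
    return e["type"] == "mutex" and e["name"] == MUTEX

def rule_c2(e):
    return e["type"] == "network" and (e["dst"], e["port"]) in C2_ENDPOINTS

def rule_smtp_exfil(e):
    """SMTP to the extracted exfil host from the implant, not from a mail client."""
    return (e["type"] == "network" and (e["dst"], e["port"]) == SMTP_EXFIL
            and "msdcsc.exe" in e.get("image", "").lower())

RULES = [rule_install_path, rule_run_key, rule_winlogon, rule_disable_regedit,
         rule_disable_taskmgr, rule_firewall_off, rule_mutex, rule_c2, rule_smtp_exfil]

def detect(events):
    """Return [(rule_name, event)] for every event matching any rule."""
    return [(r.__name__, e) for e in events for r in RULES if r(e)]

def fired_rules(events):
    """Sorted, de-duplicated rule names that fired over the event set."""
    return sorted({name for name, _ in detect(events)})

# Constructed telemetry: what the behaviours in this report would look like
# from a host sensor, plus two benign records at the end that must not fire.
IMPLANT = r"C:\Users\user\Documents\MSDCSC\msdcsc.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": IMPLANT},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate",
     "data": IMPLANT},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "data": r"C:\Windows\system32\userinit.exe," + IMPLANT},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
     "data": "DWORD (0x00000001)"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "data": "DWORD (0x00000001)"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "data": "DWORD (0x00000000)"},
    {"type": "mutex", "name": "DC_MUTEX-D8AZQWD", "image": IMPLANT},
    {"type": "network", "image": IMPLANT, "dst": "nickflip2015.no-ip.org", "port": 1604},
    {"type": "network", "image": IMPLANT, "dst": "smtp.gmail.com", "port": 587},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "network", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst": "smtp.gmail.com", "port": 587},
]

if __name__ == "__main__":
    for name, event in detect(SAMPLE_EVENTS):
        print(f"{name:22s} {event}")
```

The SMTP rule is deliberately process-aware: smtp.gmail.com:587 is legitimate traffic for a mail client, so the extracted exfil host only becomes an indicator when the connection originates from the implant path. Likewise the policy and firewall rules compare the parsed DWORD rather than the raw string, because Sysmon renders values as "DWORD (0x00000001)" while other sources log plain "1".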