General
-
Target
9dd6aa8492f37d86fc48a53129be774d7516e11590eeb5ef57d2949f3640b5b0
-
Size
1.4MB
-
Sample
221128-tpqelaga65
-
MD5
2678e099d306f8d5b3f36ffcfe2188fd
-
SHA1
665919923d952296261426b3f30591f03096e3dd
-
SHA256
9dd6aa8492f37d86fc48a53129be774d7516e11590eeb5ef57d2949f3640b5b0
-
SHA512
c7bd86be7885fe24283aa06f62ffa535cfb8d97942da1260dfb37117cb8c126d854c93af9e3cc375644499a3e67a3dcd6dfa68dcadf487129c5b8e1d0df9af46
-
SSDEEP
24576:nWqnseROCQ2fUKVfDDeAPQL79hEZUcghKf+ZTEIfYNvYwu8OsfDRdph6NOQ0kOgo:Fs7CQcBDiAoHrEarhAXIfOYwuUwF/jU
Static task
static1
Behavioral task
behavioral1
Sample
9dd6aa8492f37d86fc48a53129be774d7516e11590eeb5ef57d2949f3640b5b0.exe
Resource
win7-20220812-en
Malware Config
Extracted
Family
darkcomet
Campaign ID
Ite 18/02
C2
daviswc.zapto.org:1211
Mutex
DC_MUTEX-GDFT72L
-
gencode
Xoe3LkQ008MU
-
install
false
-
offline_keylogger
true (keystrokes are logged locally even while no C2 connection is available)
-
persistence
false
Note: install and persistence are both false in the extracted builder settings, yet the behavioural signatures for this sample still record a Run key being added. Treat the config flags as the payload's own settings, not as proof that nothing on the host persists; confirm persistence from the registry and process events rather than from these flags alone.
Targets
-
-
Target
9dd6aa8492f37d86fc48a53129be774d7516e11590eeb5ef57d2949f3640b5b0
-
NirSoft MailPassView
Legitimate password recovery tool for various email clients; bundled inside a RAT sample it serves as a stored-credential harvester.
-
NirSoft WebBrowserPassView
Legitimate password recovery tool for various web browsers; same role as above for browser-saved logins.
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Reads the country code configured in the registry, most likely a geofence check that decides whether to run.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
The binary started is vbc.exe, the Visual Basic .NET compiler shipped with the .NET Framework (not a VBScript engine). A legitimate Microsoft binary with no reason to run outside a build toolchain, which is what makes it a convenient host for injected code.
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP. The lookup domain itself is a weak indicator on its own, since benign software queries the same services; correlate it with the C2 traffic rather than alerting on it alone.
-
Suspicious use of SetThreadContext
Rewriting another thread's context is the step that redirects execution in process hollowing. Read together with the vbc.exe launch above, hollowing of vbc.exe is the likely injection method; this summary does not record which process was targeted, so confirm it from the process tree and memory dumps.
-
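The extracted config (C2 host and port, mutex) and the behavioural signatures above (Run key, vbc.exe launch) translate directly into hunting logic. The following is an added example written for this report, not output of the sandbox or code from the sample: it scans constructed JSON-lines events, modelled loosely on a Sysmon export (the event field names, the `mutex` record type, and the `DEV_PARENTS` allow-list are assumptions, since Sysmon does not log mutex creation natively and the sandbox schema is not shown here). The mutex rule matches DarkComet's stock `DC_MUTEX-` naming scheme, so it also catches other builds than this sample.

```python
"""Hunting rules derived from the DarkComet report above (added example).

Event records are constructed JSON lines with an assumed schema:
  {"type": "process",  "image": ..., "parent_image": ...}
  {"type": "network",  "dest_host": ..., "dest_port": ...}
  {"type": "registry", "target": ...}
  {"type": "mutex",    "name": ...}
"""
import json
import re

# Indicators copied from the Malware Config section of this report.
C2_HOST = "daviswc.zapto.org"
C2_PORT = 1211
SAMPLE_MUTEX = "DC_MUTEX-GDFT72L"

# DarkComet's stock mutex naming: DC_MUTEX- plus seven uppercase alphanumerics.
# Matching the scheme rather than the literal value also catches other builds.
DC_MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Parents from which a vbc.exe launch is expected (build tooling). Assumed list;
# tune it to the environment being hunted.
DEV_PARENTS = {"msbuild.exe", "devenv.exe", "csc.exe", "dotnet.exe"}


def _basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the list of rule names an event triggers (empty if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "mutex":
        name = ev.get("name", "")
        if name == SAMPLE_MUTEX:
            hits.append("mutex_exact")
        elif DC_MUTEX_RE.match(name):
            hits.append("mutex_scheme")
    elif kind == "network":
        host = ev.get("dest_host", "").lower()
        if host == C2_HOST:
            hits.append("c2_host")
        # zapto.org is a dynamic-DNS zone; the configured port plus any host in
        # that zone is a weaker, broader indicator than the exact hostname.
        if ev.get("dest_port") == C2_PORT and host.endswith(".zapto.org"):
            hits.append("c2_port_ddns")
    elif kind == "registry":
        if RUN_KEY_RE.search(ev.get("target", "")):
            hits.append("run_key")
    elif kind == "process":
        image = _basename(ev.get("image", ""))
        parent = _basename(ev.get("parent_image", ""))
        if image == "vbc.exe" and parent not in DEV_PARENTS:
            hits.append("vbc_unusual_parent")
    return hits


def scan(lines):
    """Parse JSON-lines events and return [(event, hits)] for matching ones."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        hits = check_event(ev)
        if hits:
            findings.append((ev, hits))
    return findings


def summarize(findings):
    """Count triggered rules across findings, for a quick triage view."""
    counts = {}
    for _, hits in findings:
        for h in hits:
            counts[h] = counts.get(h, 0) + 1
    return counts


# Constructed sample events: four that should fire, three benign controls.
# The value name "Updater" and the temp path are made up for the example.
SAMPLE_LOG = r"""
{"type": "process", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", "parent_image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\9dd6aa8492f37d86fc48a53129be774d7516e11590eeb5ef57d2949f3640b5b0.exe"}
{"type": "mutex", "name": "DC_MUTEX-GDFT72L"}
{"type": "network", "dest_host": "daviswc.zapto.org", "dest_port": 1211}
{"type": "registry", "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}
{"type": "process", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", "parent_image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"}
{"type": "mutex", "name": "Global\\ChromeProcessSingleton"}
{"type": "network", "dest_host": "api.example.net", "dest_port": 443}
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for ev, hits in results:
        print(", ".join(hits), "<-", ev)
    print(summarize(results))
```

The exact-mutex and exact-host rules are the high-confidence matches for this sample; the mutex scheme, the dynamic-DNS port rule and the vbc.exe parent check are broader and will need tuning, so keep them as separate rule names rather than folding them into one score.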