General
- Target: 648b86a010f142c2acf60a108564011860a47a21d44285af4f6f56ecc79f4bac
- Size: 1.3MB
- Sample: 221128-wdcepsdd67
- MD5: 310e3e424725c337340aa702d282f6be
- SHA1: 29787ca73e67ac6d7c3f69b32d2ba9fb9f2bd4f0
- SHA256: 648b86a010f142c2acf60a108564011860a47a21d44285af4f6f56ecc79f4bac
- SHA512: d1a50df2e973618ebe20624206afa35acf2137bc967371172c49b964688205d71317fdb21d1fbd6c5ed96aeca429f020b5d02f17d5701fd5acb6f293cfec287d
- SSDEEP: 24576:L4qhhBAlGFf3pyKMzu7qx98AorMpOX+69BD71HZTo4FCKtoMi:L4qhhBA8F5y1398AovX+6b1HZE4FCKtJ
Static task: static1
Behavioral task: behavioral1
Sample: 648b86a010f142c2acf60a108564011860a47a21d44285af4f6f56ecc79f4bac.exe
Resource: win7-20220812-en
Malware Config
Extracted
- Family: darkcomet
- Botnet: Ez 15/02
- C2: daviswc.zapto.org:1211
- Mutex: DC_MUTEX-1P47F32
- gencode: fvDZQsoQbRFd
- install: false
- offline_keylogger: true
- persistence: false
Targets
- Target: 648b86a010f142c2acf60a108564011860a47a21d44285af4f6f56ecc79f4bac
- Size: 1.3MB
- MD5: 310e3e424725c337340aa702d282f6be
- SHA1: 29787ca73e67ac6d7c3f69b32d2ba9fb9f2bd4f0
- SHA256: 648b86a010f142c2acf60a108564011860a47a21d44285af4f6f56ecc79f4bac
- SHA512: d1a50df2e973618ebe20624206afa35acf2137bc967371172c49b964688205d71317fdb21d1fbd6c5ed96aeca429f020b5d02f17d5701fd5acb6f293cfec287d
- SSDEEP: 24576:L4qhhBAlGFf3pyKMzu7qx98AorMpOX+69BD71HZTo4FCKtoMi:L4qhhBA8F5y1398AovX+6b1HZE4FCKtJ
- NirSoft MailPassView: Password recovery tool for various email clients
- NirSoft WebBrowserPassView: Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext