General
Target: c13f35c0dc3c57838ad8166202fe4f1785bed9c8b13ea1c83a4f49c0809254cf
Size: 308KB
Sample: 221128-ymfvlace79
MD5: 733874ca87d54ba711a1a366e9601261
SHA1: 69fbaa4bb1f9f4b3736041f374d2f3f108672b38
SHA256: c13f35c0dc3c57838ad8166202fe4f1785bed9c8b13ea1c83a4f49c0809254cf
SHA512: 885524d4c8271fc1cc6daf6203abbcb182dcb349b8ddabe87d037a557a84be292a87747cb1271babcce0a51809523edb43cdc358cf8de07140292618b0c7de90
SSDEEP: 6144:CcNYk1yuwEDBum3qYWnl0pd0EX3Zq2b6wfIDYm0PHQWBDhr3H:CcWkbgTYWnYnt/IDYhPLj
Behavioral task: behavioral1
Sample: c13f35c0dc3c57838ad8166202fe4f1785bed9c8b13ea1c83a4f49c0809254cf.exe
Resource: win7-20221111-en
Malware Config
Extracted: darkcomet
usb
192.168.1.1:1604
87.252.66.185:1604
192.168.1.4:1604
192.168.1.2:1604
192.168.1.3:1604
192.168.1.5:1604
DC_MUTEX-Z28DCY4
InstallPath: winlogon/winlogon.exe *32
gencode: FgFBfDLSxflB
install: true
offline_keylogger: true
persistence: false
reg_key: winlogon.exe *32
Targets
Target: c13f35c0dc3c57838ad8166202fe4f1785bed9c8b13ea1c83a4f49c0809254cf
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory