General
Target: ef8b0ee815859434a3aadb1718174b5810d36bfe1969ff8013737edce631ffc5
Size: 782KB
Sample: 221130-t8knfsbb51
MD5: b7414bc01b68b41bb590f386f3ef043b
SHA1: c2bcba593bb92ed31f62722a5092ce213ac597f5
SHA256: ef8b0ee815859434a3aadb1718174b5810d36bfe1969ff8013737edce631ffc5
SHA512: d8f62814f09388317c3ee6ac2ad3b5cec9d81918d75d8f40384432b844f4610b399862d02c4cc1ea8a3d83a177714a24ab77837249490f4a16e078fcbb998f8c
SSDEEP: 24576:U51bZcLt7bY+oKJdi8vwIu2+Io4BermnaCM3GMm8Kw:Q1CffdPwIuWoMeC3M3GMma
Static task: static1
Behavioral task: behavioral1
  Sample: ef8b0ee815859434a3aadb1718174b5810d36bfe1969ff8013737edce631ffc5.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: ef8b0ee815859434a3aadb1718174b5810d36bfe1969ff8013737edce631ffc5.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted: darkcomet
Victima
zxcasdqwe.no-ip.org:1604
DC_MUTEX-TCE2J14
InstallPath: Firewall\Update.exe
gencode: Pf1DBL8v2es4
install: true
offline_keylogger: true
persistence: true
reg_key: Update
Targets
Target: ef8b0ee815859434a3aadb1718174b5810d36bfe1969ff8013737edce631ffc5
Score: 10/10
Signatures:
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext