General
Target: fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d
Size: 2.6MB
Sample: 221203-cth3msfe59
MD5: 10c0e1e14e177d1486d99c3a91d84969
SHA1: c0b90a929ff7a8c1c14ee554f2cc55a39605217e
SHA256: fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d
SHA512: 2d83e9fd63d40c2ee020c63878e2c5e421944a458f516741cfefa539de3649f59e3c64dfeab3496dd8c291a4f9756cc37cc3fe5f59d2e861e5a8553f417d3237
SSDEEP: 49152:Txjs/ylV/q8f7NHOiCR577tOReeel4+GnBdJFEwks51SjaU7/fMP0:TxcylVyABa5PgdFZnBtE+10
Static task: static1
Behavioral task: behavioral1
Sample: fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe
Resource: win7-20220812-en
Malware Config
Extracted: darkcomet
±ö¿Í16
C2: heiseyinmou.gnway.net:2012
Mutex: DC_MUTEX-F4ZWV0U
InstallPath: MSDCSC\msdcsc.exe
gencode: czMVsH3hot1Q
install: true
offline_keylogger: true
persistence: true
reg_key: ����
Targets
Target: fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d
Size: 2.6MB
MD5: 10c0e1e14e177d1486d99c3a91d84969
SHA1: c0b90a929ff7a8c1c14ee554f2cc55a39605217e
SHA256: fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d
SHA512: 2d83e9fd63d40c2ee020c63878e2c5e421944a458f516741cfefa539de3649f59e3c64dfeab3496dd8c291a4f9756cc37cc3fe5f59d2e861e5a8553f417d3237
SSDEEP: 49152:Txjs/ylV/q8f7NHOiCR577tOReeel4+GnBdJFEwks51SjaU7/fMP0:TxcylVyABa5PgdFZnBtE+10
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of NtSetInformationThreadHideFromDebugger