General
-
Target
d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5
-
Size
343KB
-
Sample
221203-ep2ejagd5y
-
MD5
c6551e869e75447e6456095e6c6aeced
-
SHA1
44b79feb248f0c1d68e9f4f61f43050280e8672a
-
SHA256
d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5
-
SHA512
965aa351ec316b187c92ed0ce065db56b813e52f31abd391f593b4215b443300f8355889b8eb66e896f9fcdc0fd87511d55c734e785459d047ebf4e0a0db00fe
-
SSDEEP
6144:fUPCHRSrGCFGMQZhKYWqdRBYn58JOBGmtMCANkRfX90OO1+JCl+aL5n:Xx2GiGMBHqhYOJONtMCesfXlKXll
Static task
static1
Behavioral task
behavioral1
Sample
d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5.exe
Resource
win10v2004-20221111-en
Malware Config
Extracted
darkcomet
13.07.12 Crypter
leetaka1337.no-ip.org:1604
DC_MUTEX-JFX5RP1
-
InstallPath
MSDCSC\winhost.exe
-
gencode
lCnq6VNbar2M
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Targets
-
-
Target
d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5
-
Size
343KB
-
MD5
c6551e869e75447e6456095e6c6aeced
-
SHA1
44b79feb248f0c1d68e9f4f61f43050280e8672a
-
SHA256
d461402663b6423f2f86b51a5e69b1d505d1d04c297d84d881b94afad55465d5
-
SHA512
965aa351ec316b187c92ed0ce065db56b813e52f31abd391f593b4215b443300f8355889b8eb66e896f9fcdc0fd87511d55c734e785459d047ebf4e0a0db00fe
-
SSDEEP
6144:fUPCHRSrGCFGMQZhKYWqdRBYn58JOBGmtMCANkRfX90OO1+JCl+aL5n:Xx2GiGMBHqhYOJONtMCesfXlKXll
Score10/10-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-