General
- Target: c76dc27b6ffba36d451ef02c8f1680dfa40408ec2f1c476a0eb3aadbb30e4aff
- Size: 377KB
- Sample: 221203-fx1cwage59
- MD5: a1f0d356df081f4cde159183f402ee93
- SHA1: 3c71aedd2eda2d572fd0cb575fa13e7e74b6cefd
- SHA256: c76dc27b6ffba36d451ef02c8f1680dfa40408ec2f1c476a0eb3aadbb30e4aff
- SHA512: 47442e3b227fde91498ac2096d6eda15b65817c0a9cd192cf787eccadd67973e87c1d8d9b47812e812e03ec74548b998173f25fc255fb8c97631ac5cbd70a833
- SSDEEP: 6144:GxL3BJrfJXTGhbR1OJguwMNNvyGAcE0njDs9Eoej+4+bnjb3PZAizgk9:urTfkNF3aNvyGAhE09yKdjjDZxp
Static task: static1
Behavioral task: behavioral1
- Sample: c76dc27b6ffba36d451ef02c8f1680dfa40408ec2f1c476a0eb3aadbb30e4aff.exe
- Resource: win7-20221111-en
Malware Config
Extracted
- Family: darkcomet
- Botnet: HF
- C2: safethinking.zapto.org:1604
- Mutex: DC_MUTEX-F0NJMAE
- InstallPath: MSDCSC\svchost.exe
- gencode: JGGiVLcb5Yzq
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: svchost
Targets
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext