General
  Target: 675f484e4d1852fe8a5a975c4da91b6a
  Size: 6.9MB
  Sample: 240119-mendxscfe3
  MD5: 675f484e4d1852fe8a5a975c4da91b6a
  SHA1: 91ef9f1b8f73cec6dddbbfe92ac1d2eb75707e60
  SHA256: 6b5ac54f40652b3af8f38925fcece413f078c17e4a02ef7982005ee99fc82d8c
  SHA512: aa27059f0b4a92ddf359a1d79bf269238ea372145f1f84c9b2da8b81a10c94a87c5297725599cd409057fd38d7b802a7eb8e0df032eebafb679688a5bbecfae6
  SSDEEP: 49152:dJjN9IQEiXmJPpVy75Jr5k1YJmWg7EMHodnnJ3qXwMG37VpQA226twgB3gVRWLYj:XnIQEiGM5ShBK2Aud9dr
Static task: static1
Behavioral task: behavioral1
  Sample: 675f484e4d1852fe8a5a975c4da91b6a.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 675f484e4d1852fe8a5a975c4da91b6a.exe
  Resource: win10v2004-20231215-en
Malware Config
Extracted
  darkcomet
  2021New-August-99-2
  andronmatskiv20.sytes.net:35887
  DC_MUTEX-5YG014U
  InstallPath: office64.exe
  gencode: WxE6GmqrzCUo
  install: true
  offline_keylogger: false
  password: hhhhhh
  persistence: true
  reg_key: winoffice
Targets
  Target: 675f484e4d1852fe8a5a975c4da91b6a
  Size: 6.9MB
  MD5: 675f484e4d1852fe8a5a975c4da91b6a
  SHA1: 91ef9f1b8f73cec6dddbbfe92ac1d2eb75707e60
  SHA256: 6b5ac54f40652b3af8f38925fcece413f078c17e4a02ef7982005ee99fc82d8c
  SHA512: aa27059f0b4a92ddf359a1d79bf269238ea372145f1f84c9b2da8b81a10c94a87c5297725599cd409057fd38d7b802a7eb8e0df032eebafb679688a5bbecfae6
  SSDEEP: 49152:dJjN9IQEiXmJPpVy75Jr5k1YJmWg7EMHodnnJ3qXwMG37VpQA226twgB3gVRWLYj:XnIQEiGM5ShBK2Aud9dr
  - Detect ZGRat V1
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
    Looks up country code configured in the registry, likely geofence.
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext