General

Target: 97e952e79c07ce103290267a4209cadcb96b010ea18d4d7932d4649eb242afc8.exe
Size: 663KB
Sample: 240411-s64swaef75
MD5: c4633cedf3f1b0c1527012a4f67d9a01
SHA1: 221067b2868decbddcaf4e1758dfd9c1e7fced94
SHA256: 97e952e79c07ce103290267a4209cadcb96b010ea18d4d7932d4649eb242afc8
SHA512: 87c107bf0c04b2ffc94fe1f2dd9df5b3e19fee67e15620dab90fa8abac90002f62178ca5fd2d3994b76a156c9b7ae690cf76cc7397c915e75aa445aa60b7c2a4
SSDEEP: 12288:O9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9EkNC/:aZ1xuVVjfFoynPaVBUR8f+kN10Ed
Behavioral tasks

behavioral1
  Sample: 97e952e79c07ce103290267a4209cadcb96b010ea18d4d7932d4649eb242afc8.exe
  Resource: win7-20240221-en

behavioral2
  Sample: 97e952e79c07ce103290267a4209cadcb96b010ea18d4d7932d4649eb242afc8.exe
  Resource: win10v2004-20240226-en
Malware Config

Extracted
Family: darkcomet
Botnet: Sazan
C2: 0.tcp.eu.ngrok.io:19165:19165
Mutex: DC_MUTEX-AZWBJ2E
Attributes:
  InstallPath: MSDCSC\msdcsc.exe
  gencode: Py8v2wbhf6PU
  install: true
  offline_keylogger: true
  persistence: true
  reg_key: MicroUpdate

Note on the C2: the controller sits behind an ngrok TCP tunnel, so the operator's real address is not in the sample; the only network indicator is the shared ngrok hostname together with the tunnel port 19165.
Targets

Target: 97e952e79c07ce103290267a4209cadcb96b010ea18d4d7932d4649eb242afc8.exe (size and hashes as listed under General)
Score: 10/10

Signatures
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application (the reg_key value MicroUpdate from the extracted config)
- Legitimate hosting services abused for malware hosting/C2 (the ngrok tunnel endpoint in the extracted config)
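The extracted config and the persistence and C2 signatures above translate directly into hunting logic. The following is an added example for this write-up, not code from the sandbox vendor or from the report page: it scans Sysmon-style events for the Run value name, the Winlogon modification, the install path and the ngrok C2 endpoint taken from this page. The event records are constructed, not real telemetry; the victim profile path C:\Users\victim and the exact Sysmon field names are assumptions, since the page gives only the relative path MSDCSC\msdcsc.exe.

```python
"""Hunt for this sample's DarkComet indicators in Sysmon-style events.

Added example for this report, not tooling from the sandbox vendor.
The records in SAMPLE_EVENTS are constructed; the victim profile path
they use is an assumption (the page only gives MSDCSC\\msdcsc.exe).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators taken from the extracted config and signatures on this page.
C2_HOST = "0.tcp.eu.ngrok.io"
C2_PORT = 19165
RUN_VALUE = "MicroUpdate"                  # reg_key in the extracted config
INSTALL_SUFFIX = r"msdcsc\msdcsc.exe"      # InstallPath, compared case-insensitively

RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
WINLOGON_RE = re.compile(
    r"\\microsoft\\windows nt\\currentversion\\winlogon\\(userinit|shell)$", re.I)


@dataclass(frozen=True)
class Hit:
    indicator: str   # which page indicator matched
    event_id: int    # Sysmon EventID the match came from
    detail: str      # the field value that matched


def check_event(ev: dict) -> list[Hit]:
    """Return the indicator hits for one Sysmon-style event dict."""
    hits: list[Hit] = []
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()

    if eid == 1:  # ProcessCreate: dropped RAT launched from its install path
        if image.endswith(INSTALL_SUFFIX):
            hits.append(Hit("install_path", eid, ev["Image"]))

    elif eid == 13:  # RegistryEvent (value set): the two persistence signatures
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        if RUN_KEY_RE.search(target) and target.lower().endswith("\\" + RUN_VALUE.lower()):
            hits.append(Hit("run_key", eid, target))
        if WINLOGON_RE.search(target) and INSTALL_SUFFIX in details.lower():
            hits.append(Hit("winlogon", eid, details))

    elif eid == 22:  # DnsQuery: resolution of the ngrok tunnel hostname
        if ev.get("QueryName", "").lower() == C2_HOST:
            hits.append(Hit("c2_dns", eid, ev["QueryName"]))

    elif eid == 3:  # NetworkConnect: the tunnel port alone is weak evidence,
        # so also require the tunnel hostname or the RAT's own image.
        host = ev.get("DestinationHostname", "").lower()
        if ev.get("DestinationPort") == C2_PORT and (
                host == C2_HOST or image.endswith(INSTALL_SUFFIX)):
            hits.append(Hit("c2_connect", eid,
                            f"{host or ev.get('DestinationIp', '?')}:{C2_PORT}"))
    return hits


def hunt(events: list[dict]) -> list[Hit]:
    """Run check_event over a stream of events and collect every hit."""
    return [h for ev in events for h in check_event(ev)]


def verdict(hits: list[Hit]) -> tuple[str, list[str]]:
    """Persistence plus C2 from the same config is strong evidence;
    a lone indicator (for example just the port) only merits a look."""
    kinds = sorted({h.indicator for h in hits})
    persistence = {"run_key", "winlogon"} & set(kinds)
    c2 = {"c2_dns", "c2_connect"} & set(kinds)
    if persistence and c2:
        return "darkcomet", kinds
    return ("suspicious" if kinds else "clean"), kinds


# Constructed events, not real telemetry. Field names follow Sysmon.
VICTIM_DOCS = r"C:\Users\victim\Documents"          # assumed profile location
RAT = VICTIM_DOCS + r"\MSDCSC\msdcsc.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": RAT, "ParentImage": r"C:\Users\victim\Downloads\sample.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate",
     "Details": RAT},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe," + RAT},
    {"EventID": 22, "Image": RAT, "QueryName": "0.tcp.eu.ngrok.io"},
    {"EventID": 3, "Image": RAT, "DestinationIp": "203.0.113.10",
     "DestinationHostname": "", "DestinationPort": 19165},
    # benign noise that must not match
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "", "DestinationPort": 19165},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for h in found:
        print(f"[{h.indicator}] EventID {h.event_id}: {h.detail}")
    print(verdict(found))
```

Two caveats when running this against real telemetry: the mutex DC_MUTEX-AZWBJ2E does not appear in Sysmon events at all, so it is a host artifact for a handle or memory scan rather than a log query; and 0.tcp.eu.ngrok.io is a shared endpoint used by many unrelated tunnels, so the hostname on its own will also flag legitimate ngrok users, which is why the network check pairs it with the port and the process image.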