General
Target: a6244295c0b7120af0f92ab683776621625705086637e3d01b44106e5e4126a4
Size: 256KB
Sample: 240412-ajv84she85
MD5: ec9c14011f7eba348f391c294bdb3367
SHA1: e61a15f8f2accd5a6c9acbf11886b2782d460f52
SHA256: a6244295c0b7120af0f92ab683776621625705086637e3d01b44106e5e4126a4
SHA512: 13037bd298f5d093373453b5913f724a91adbab158012cb2f6055c9dd8616bd3fc61be715fe30bc6828215cfd87d3a1d4a12d39ae0503a12588dec2e55ec50c1
SSDEEP: 6144:bcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37sEAU:bcW7KEZlPzCy37s/
Behavioral task: behavioral1
Sample: a6244295c0b7120af0f92ab683776621625705086637e3d01b44106e5e4126a4.exe
Resource: win7-20240221-en
Malware Config
Extracted family: darkcomet
Botnet: Sazan
C2: 0.tcp.eu.ngrok.io:19165:19165
Mutex: DC_MUTEX-AZWBJ2E
InstallPath: MSDCSC\msdcsc.exe
gencode: Py8v2wbhf6PU
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Targets
Target: a6244295c0b7120af0f92ab683776621625705086637e3d01b44106e5e4126a4
- Modifies WinLogon for persistence
- UPX dump on OEP (original entry point)
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2