General
-
Target
retardedrussianspreadingshit.rar
-
Size
7.8MB
-
Sample
241120-v4szps1bnq
-
MD5
2e1d0c1ec49e8a4fe339b203e8f07e2f
-
SHA1
93f93a69c8749e775dc551c9a21d6c29bc868d2b
-
SHA256
7a4255ae6f3b241f21c3c85beb25988e665c03675ce8c932e22903973cb6b79f
-
SHA512
fac2637fb0a918f5b95c727a2b8fe6d244caca4d8911f7959094721bf0dd4d24f408d068d025c9b6e2c034a3e5a00fa0c0f911488450e68377a76ef7ed87a9b1
-
SSDEEP
196608:V8Vrs1vqnoYa8sWxiEJr3dDF/ctDt/wVTLGL7vo/YDipbgQM4tXJr:V8JssoYa8jBtwb0/Qipbg30t
Static task
static1
Behavioral task
behavioral1
Sample
DarkComet.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
DarkComet.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
xworm
3.0
-
Install_directory
%Public%
-
install_file
Utilman.exe
-
pastebin_url
https://pastebin.com/raw/LqnQsuPh
-
telegram
https://api.telegram.org/bot7737805452:AAF8gLCy7lakGIkiT8m22TUsfVQMxjiM1wE/sendMessage?chat_id=7044899953
Targets
-
-
Target
DarkComet.exe
-
Size
8.2MB
-
MD5
c6641cb74bdd9e7f003dc6c9e67e1cab
-
SHA1
5251c38bfcc670befbb9f8bf77df70edd96ab07b
-
SHA256
cc38b7bb164fefe0d0d71a17cb09fb055b1cc14c2793ffa6341f70a7425fb249
-
SHA512
daba3b53a0fa0f0018d259364dfb5a417b00d9ff9688ca38a006a3cfa1ef9e86b4aadb70c444ed14944467024546570367324f71ce100deaaf3f39598ba2e874
-
SSDEEP
196608:z/pm75SOeWhEbgEpO2QfUG/f5rVcPU/YKdoAVY5pBoEOFD:51/UgQ/9VcPUJBSROl
-
Darkcomet family
-
Detect Xworm Payload
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Event Triggered Execution
1Accessibility Features
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1Accessibility Features
1Scheduled Task/Job
1Scheduled Task
1