General
Target: gay.vmp.exe
Size: 3.4MB
Sample: 250224-ny42fs1jw6
MD5: 54d74323a9382ca46d533d57dc3798fd
SHA1: 001721db4ec94edfe21530940173ebc60e64d0c9
SHA256: 61ffa10fa68639632136428fe16528e6745d18773cd9195773340e0cdb07f089
SHA512: 3e66b1fc37f296553194a954384dd51ebeb8aca5ab999ba68bc651a2312d2305d944536d220f7f827b6b27a9399245480840d9d21a8c24ccefd53c706b173c54
SSDEEP: 98304:S8NX0hfNrujZvkwKGz8XuDAWzGkGUHV23qmzWF6c:L6lFSBKxeDAAGfR3vzi
Behavioral tasks
behavioral1: gay.vmp.exe, resource win10v2004-20250217-en
behavioral2: gay.vmp.exe, resource win10ltsc2021-20250218-en
Malware Config
Extracted: darkcomet
Server ID: Guest16
C2: hai1723rat.serveminecraft.net:7560
Mutex: DC_MUTEX-95G7AC1
InstallPath: 7560\msdcsc.exe
gencode: osFKzQR4UCG6
install: true
offline_keylogger: true
password: TAODEPTRAIOK
persistence: true
reg_key: updatesever
Targets
Target: gay.vmp.exe
Size: 3.4MB
MD5: 54d74323a9382ca46d533d57dc3798fd
SHA1: 001721db4ec94edfe21530940173ebc60e64d0c9
SHA256: 61ffa10fa68639632136428fe16528e6745d18773cd9195773340e0cdb07f089
SHA512: 3e66b1fc37f296553194a954384dd51ebeb8aca5ab999ba68bc651a2312d2305d944536d220f7f827b6b27a9399245480840d9d21a8c24ccefd53c706b173c54
SSDEEP: 98304:S8NX0hfNrujZvkwKGz8XuDAWzGkGUHV23qmzWF6c:L6lFSBKxeDAAGfR3vzi
- Darkcomet family
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
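The extracted DarkComet config and the signatures above name concrete host artifacts: a Run value called `updatesever`, a Winlogon modification, `msdcsc.exe` dropped under System32, and a C2 hostname and port. The Python below is an added example, not part of the sandbox report or the analysis platform's own code, of hunting for those artifacts in Sysmon-style telemetry. Only the indicator values come from the report; the event field names, the constructed sample events, the assumption that InstallPath resolves under `%SystemRoot%\System32`, the choice of the Winlogon `Userinit` and `Shell` values as the ones to baseline, and their stock contents are assumptions made here.

```python
"""Hunt for the DarkComet persistence and C2 artifacts from the report above.

Added example, not code from the sandbox report. Events are plain dicts shaped
like Sysmon Event ID 1 (process create), 11 (file create), 13 (registry value
set), 22 (DNS query) and 3 (network connect); field names are assumptions.
"""
import re

# Indicator values copied from the extracted config and signature list.
C2_HOST = "hai1723rat.serveminecraft.net"
C2_PORT = 7560
RUN_KEY_VALUE = "updatesever"                 # reg_key
DROPPED_EXE = "7560\\msdcsc.exe"              # InstallPath; assumed to land under System32
SAMPLE_SHA256 = "61ffa10fa68639632136428fe16528e6745d18773cd9195773340e0cdb07f089"

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<value>[^\\]+)$", re.I)
WINLOGON_RE = re.compile(
    r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(?P<value>Userinit|Shell)$", re.I)
# Stock contents of the two Winlogon values a RAT appends itself to (assumption:
# a clean Windows 10 baseline; compare against your own golden image).
WINLOGON_DEFAULTS = {"userinit": "c:\\windows\\system32\\userinit.exe,", "shell": "explorer.exe"}


def classify(event):
    """Return the findings one event triggers; an empty list means nothing of note."""
    findings = []
    eid = event.get("event_id")
    if eid == 1:   # process create: Sysmon's Hashes field is "SHA256=...,MD5=..."
        hashes = dict(h.split("=", 1) for h in event.get("hashes", "").split(",") if "=" in h)
        if hashes.get("SHA256", "").lower() == SAMPLE_SHA256:
            findings.append("known_sample_hash")
    elif eid == 11:  # file create
        path = event.get("target_filename", "").lower()
        if path.endswith(DROPPED_EXE.lower()) and "\\system32\\" in path:
            findings.append("dropped_msdcsc_in_system32")
    elif eid == 13:  # registry value set
        target = event.get("target_object", "")
        details = event.get("details", "")
        m = RUN_KEY_RE.search(target)
        if m and (m.group("value").lower() == RUN_KEY_VALUE or "msdcsc.exe" in details.lower()):
            findings.append(f"run_key_persistence:{m.group('value')}")
        m = WINLOGON_RE.search(target)
        if m and details.lower().strip() != WINLOGON_DEFAULTS[m.group("value").lower()]:
            # Anything beyond the stock value is a Winlogon helper hijack, not just this sample.
            findings.append(f"winlogon_persistence:{m.group('value')}")
    elif eid == 22:  # DNS query
        if event.get("query_name", "").lower() == C2_HOST:
            findings.append("c2_dns_lookup")
    elif eid == 3:   # network connect
        if event.get("destination_hostname", "").lower() == C2_HOST:
            findings.append("c2_connection")
        elif event.get("destination_port") == C2_PORT:
            findings.append("c2_port_7560")   # weaker signal on its own
    return findings


def hunt(events):
    """Map event index -> findings for every event that triggers at least one."""
    hits = {}
    for i, ev in enumerate(events):
        found = classify(ev)
        if found:
            hits[i] = found
    return hits


# Constructed sample telemetry for a run of the sample, plus two benign writes.
EVENTS = [
    {"event_id": 1, "image": r"C:\Users\Public\gay.vmp.exe",
     "hashes": "SHA256=61FFA10FA68639632136428FE16528E6745D18773CD9195773340E0CDB07F089,MD5=54D74323A9382CA46D533D57DC3798FD"},
    {"event_id": 11, "image": r"C:\Users\Public\gay.vmp.exe",
     "target_filename": r"C:\Windows\System32\7560\msdcsc.exe"},
    {"event_id": 13, "target_object": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\updatesever",
     "details": r"C:\Windows\System32\7560\msdcsc.exe"},
    {"event_id": 13, "target_object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe,C:\Windows\System32\7560\msdcsc.exe"},
    {"event_id": 22, "image": r"C:\Windows\System32\7560\msdcsc.exe", "query_name": "hai1723rat.serveminecraft.net"},
    {"event_id": 3, "destination_hostname": "hai1723rat.serveminecraft.net", "destination_port": 7560},
    {"event_id": 13, "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"event_id": 13, "target_object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe,"},
]

if __name__ == "__main__":
    for idx, found in hunt(EVENTS).items():
        print(idx, found)
```

The mutex `DC_MUTEX-95G7AC1` and the `gencode` and `password` values do not appear in this kind of endpoint telemetry: the mutex is checked on a live host by enumerating handles, and the password is what decrypts the RAT's traffic, so both are left out of the hunt. The Winlogon check deliberately flags any non-default `Userinit` or `Shell` content rather than only this sample's path, since that is the generic form of the "Modifies WinLogon for persistence" signature.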
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
Defense Evasion
- Hide Artifacts (T1564): 2
  - Hidden Files and Directories (T1564.001): 2
- Modify Registry (T1112): 2