darkcomet

General

Target

2b4ee07d82837e1170065b673dab63a8fd46c522760f2b450c0f1e2bfaedef2e
Size

3.1MB
Sample

200624-e2tb6ewgvj
MD5

48333dea99d9a2a7efe07b871e9e5467
SHA1

85138443ba28a0932305454832e1f809585471ab
SHA256

2b4ee07d82837e1170065b673dab63a8fd46c522760f2b450c0f1e2bfaedef2e
SHA512

a7806de37c27afea682b4054c3caf1aafb94f858d7a7467efcf9e795484041391dd17941376e05118b4be726fc06beddedddc3f6fc6d5ab4b31c039fadf44ff0

Score

10^/10

Malware Config

Targets

- Target
  
  2b4ee07d82837e1170065b673dab63a8fd46c522760f2b450c0f1e2bfaedef2e
- Size
  
  3.1MB
- MD5
  
  48333dea99d9a2a7efe07b871e9e5467
- SHA1
  
  85138443ba28a0932305454832e1f809585471ab
- SHA256
  
  2b4ee07d82837e1170065b673dab63a8fd46c522760f2b450c0f1e2bfaedef2e
- SHA512
  
  a7806de37c27afea682b4054c3caf1aafb94f858d7a7467efcf9e795484041391dd17941376e05118b4be726fc06beddedddc3f6fc6d5ab4b31c039fadf44ff0
Score

10^/10

darkcomet evasion persistence rat trojan vmprotect
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2