General
-
Target
a1e995c3ae3dc0bb88284a79ceb53fc6c723e0f78aaf545053f25a7927c58ab8
-
Size
1.1MB
-
Sample
210830-v7eqzastnx
-
MD5
1da41cbb96294f0f5fdcf6f5e4852316
-
SHA1
eeff536398034874344135014a64748062ecf7e7
-
SHA256
a1e995c3ae3dc0bb88284a79ceb53fc6c723e0f78aaf545053f25a7927c58ab8
-
SHA512
0baba5b06f0f07c3e48483e42f4c00c421563c65eb71571e90cabb547d3541b7f495bf61c343aeaa38d92f1f1db497849402902d5e8758c521788a4b47543fef
Malware Config
Extracted
darkcomet
AngryBirdsSpace-1
daveini12.no-ip.biz:177
192.168.0.119:177
DC_MUTEX-5BRUV9T
-
InstallPath
host\svhost.exe
-
gencode
LMLwEoXgHk1D
-
install
true
-
offline_keylogger
true
-
password
lisa12
-
persistence
true
-
reg_key
svhost
Targets
-
-
Target
a1e995c3ae3dc0bb88284a79ceb53fc6c723e0f78aaf545053f25a7927c58ab8
-
Size
1.1MB
-
MD5
1da41cbb96294f0f5fdcf6f5e4852316
-
SHA1
eeff536398034874344135014a64748062ecf7e7
-
SHA256
a1e995c3ae3dc0bb88284a79ceb53fc6c723e0f78aaf545053f25a7927c58ab8
-
SHA512
0baba5b06f0f07c3e48483e42f4c00c421563c65eb71571e90cabb547d3541b7f495bf61c343aeaa38d92f1f1db497849402902d5e8758c521788a4b47543fef
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-