General
-
Target
3ddb383a5af8acedb8eda67932633d85a881739fbf9a87b10f664fe743b48c58
-
Size
546KB
-
Sample
221003-cqyc6abhh6
-
MD5
3ed968b2400a5eca52fcf8dc1422ece0
-
SHA1
10cc685424f274c7b42d26cacf7ad2319fe56000
-
SHA256
3ddb383a5af8acedb8eda67932633d85a881739fbf9a87b10f664fe743b48c58
-
SHA512
e4260b501b476c613a121940de346e9d3d120329404b19a0d6d15862051358698de5528715369c8094b8934661d11afda4176fbf01fed318280f66e04591e92d
-
SSDEEP
6144:yJanGOkb7CaMWBe/IMr0yRu7ZcUBpofb71/cJlClb:y+G2WBqxgN7ZcUBGfb5/cJlCh
Malware Config
Extracted
darkcomet
Guest16
nonalova.no-ip.org:82
DC_MUTEX-Q0QWMJU
-
InstallPath
adobe\adobeARM.exe
-
gencode
GNFv06aHFX6N
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
adobeARM
Targets
-
-
Target
3ddb383a5af8acedb8eda67932633d85a881739fbf9a87b10f664fe743b48c58
-
Size
546KB
-
MD5
3ed968b2400a5eca52fcf8dc1422ece0
-
SHA1
10cc685424f274c7b42d26cacf7ad2319fe56000
-
SHA256
3ddb383a5af8acedb8eda67932633d85a881739fbf9a87b10f664fe743b48c58
-
SHA512
e4260b501b476c613a121940de346e9d3d120329404b19a0d6d15862051358698de5528715369c8094b8934661d11afda4176fbf01fed318280f66e04591e92d
-
SSDEEP
6144:yJanGOkb7CaMWBe/IMr0yRu7ZcUBpofb71/cJlClb:y+G2WBqxgN7ZcUBGfb5/cJlCh
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-