General
Target: 71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a
Size: 2.2MB
Sample: 221029-pnh7nsgcfp
MD5: 2e26ec54afd1288b055e7706de808a6c
SHA1: 64a439521d75f2d77fef60db5115fc8645266003
SHA256: 71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a
SHA512: c2cdcd0d97b9b22ffab2a2a76470adf813a5d58d052e25f4f5181948afa29958fb3647b0d785bdd6c8e07a80c0d9d04cda33d21d522510c6850f178c39f41861
SSDEEP: 49152:zzrlxWjx1Hp7rH403mwRaKkYpYfJWGwvPDKvxe:zzrTmxVpg032iYRWGwvP

Static task: static1
Behavioral task: behavioral1
Sample: 71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a.exe
Resource: win7-20220812-en

Malware Config
Extracted: darkcomet
Rat
C2: aoaagoldsocial.no-ip.biz:1604
Mutex: DCMIN_MUTEX-9GWN21N
gencode: Lih2c57cDCZM
install: false
offline_keylogger: true
persistence: false
Targets
Target: 71b567beaea4f9353d869b11d7893c5e777f417160701b7f05a4303b1d3c8a8a (2.2MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Signatures
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext