Extracted

• • Target

    f10ebeb6578aaab15d9a6eb94de2275761236699368fa93e52f85264954950b6

  • Size

    736KB

  • MD5

    b9c45d0a273155427b7e8a62cf078f98

  • SHA1

    6963c693c509fa77cb7c30b73f354abb16b76280

  • SHA256

    f10ebeb6578aaab15d9a6eb94de2275761236699368fa93e52f85264954950b6

  • SHA512

    ce344702ad071b93d3c2ef62bfd0c2d7f52f7c2a3a03ca08d48602bb732ebe713ebe699bc204690c3f714c83baf9c12103fed9dedeb4c1816fe672a2699ed3bc

  • SSDEEP

    12288:q/fOk8VleKE+9HAHrsRfaRLOr0Oa+6QXRkppQQiS:sOllCgFmLO4W6QhkU

  Score

  10^/10

  darkcometabd_kcapersistencerattrojan

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Modifies WinLogon for persistence

    persistence

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2