Extracted

• • Target

    ee913318a820c07751da4af3648b8c7adad3fcccbdece7bdebae438c710f46c8

  • Size

    760KB

  • MD5

    09ecb8492c8e349016b9a6ab0e9c094d

  • SHA1

    b6b2d4f5daffaf429aac1c63159197172af3ba6d

  • SHA256

    ee913318a820c07751da4af3648b8c7adad3fcccbdece7bdebae438c710f46c8

  • SHA512

    66b0c3b30ead35de86cc1c0c7090d7bdf373d7a27d0f733f8f9b9ad4f70dda2f29de9d144340681be248129ed1068f1200020c081a5f52018fb2984839eed39b

  • SSDEEP

    12288:bxWRVaJnkiulVhF/Rfgr97tBYlF/SGI4s0gqxvS:YREJkiubhv4r97tBCI4zhq

  Score

  10^/10

  darkcometguest16persistencerattrojanupx

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Modifies WinLogon for persistence

    persistence

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Program crash

  • Suspicious use of SetThreadContext

  behavioral1behavioral2