Extracted

• • Target

    94af298055cc25499e20468a5ff648c6be40286190381df9bd580cd7460160b8

  • Size

    658KB

  • MD5

    c83633173c75e4587c982d385df8d72a

  • SHA1

    377c3e448695942b70d2e79a104578e82b603157

  • SHA256

    94af298055cc25499e20468a5ff648c6be40286190381df9bd580cd7460160b8

  • SHA512

    3ed1413b7bc02e2990d90b92b771396ed3b73be2be2c829d7ffc4d5e5d1e3ed046bd56465870cbedde372d767a390ade014d3cfdfdef00e251ca4ae85cf7566b

  • SSDEEP

    12288:S9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hx:+Z1xuVVjfFoynPaVBUR8f+kN10EB7

  Score

  10^/10

  darkcometguest16persistencerattrojan

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Modifies WinLogon for persistence

    persistence

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2