Extracted

• • Target

    PO#234323.exe

  • Size

    2.1MB

  • MD5

    23985d8d800a7b82901526105f9c69bc

  • SHA1

    41fb548fddd05c635321c380bf4440688477f9eb

  • SHA256

    6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a

  • SHA512

    49df2f83485f0d15c8717b804d19e5fd79e2f76f02e0ea7c839d4363b89de9eb9968392b3459dd1c17409291d69fe91d5426ab74b0fd71155684e2315823d165

  • SSDEEP

    49152:taxIVry0xxf/AlgRKGY3ZXfxwlPs7IJVDVmLRzZj90w84aLuGv:ta2Fy0xxQI3oXjvouGv

  Score

  10^/10

  darkcometisrstealerguest16evasionpersistenceratspywarestealertrojanupx

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer

  • ISR Stealer payload

  • Modifies WinLogon for persistence

    persistence

  • Windows security bypass

    evasiontrojan

  • Executes dropped EXE

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2