General
-
Target
ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d
-
Size
534KB
-
Sample
221202-3f585aeb83
-
MD5
8093d7e4d74c549ee8c185c655f47e65
-
SHA1
4cefa845db22a23f0cb5e1b99ad8a1bcd5795ccc
-
SHA256
ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d
-
SHA512
954e90d6b857e8cac84137e12ddb9d775ece68eabbebdea5a5651a172b7a52f76443ba0cbeef980161839b2192e0be9e0903808d0544e49b92ee02ce2cbb474d
-
SSDEEP
12288:Hhqmauq42dSMeIdh07uRCxBzh9pVnfLSPijpmcUHlMSn8qcpuT:HhqmauqW8tAxBLdjpmoI08
Malware Config
Extracted
darkcomet
HF
cyber-dos.no-ip.org:1337
DC_MUTEX-EYQES59
-
InstallPath
java32\java.exe
-
gencode
vP5N1dBnHx0W
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
java
Targets
-
-
Target
ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d
-
Size
534KB
-
MD5
8093d7e4d74c549ee8c185c655f47e65
-
SHA1
4cefa845db22a23f0cb5e1b99ad8a1bcd5795ccc
-
SHA256
ae5aa015798898802e277ff25fa8678f688f9df22ad9d15d849409d3d83b925d
-
SHA512
954e90d6b857e8cac84137e12ddb9d775ece68eabbebdea5a5651a172b7a52f76443ba0cbeef980161839b2192e0be9e0903808d0544e49b92ee02ce2cbb474d
-
SSDEEP
12288:Hhqmauq42dSMeIdh07uRCxBzh9pVnfLSPijpmcUHlMSn8qcpuT:HhqmauqW8tAxBLdjpmoI08
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-