Extracted

• • Target

    97e952e79c07ce103290267a4209cadcb96b010ea18d4d7932d4649eb242afc8.exe

  • Size

    663KB

  • MD5

    c4633cedf3f1b0c1527012a4f67d9a01

  • SHA1

    221067b2868decbddcaf4e1758dfd9c1e7fced94

  • SHA256

    97e952e79c07ce103290267a4209cadcb96b010ea18d4d7932d4649eb242afc8

  • SHA512

    87c107bf0c04b2ffc94fe1f2dd9df5b3e19fee67e15620dab90fa8abac90002f62178ca5fd2d3994b76a156c9b7ae690cf76cc7397c915e75aa445aa60b7c2a4

  • SSDEEP

    12288:O9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9EkNC/:aZ1xuVVjfFoynPaVBUR8f+kN10Ed

  Score

  10^/10

  darkcometsazanpersistencerattrojan

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Modifies WinLogon for persistence

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  behavioral1behavioral2