darkcomet | f038f5490c7892038079335389e27de0a76a4fff7efb05076bef391bf92411c1

Sharing

Copy URL

Twitter E-mail

General

Target

f038f5490c7892038079335389e27de0a76a4fff7efb05076bef391bf92411c1
Size

309KB
MD5

d7a786e45106f46874e709eb9c2a2833
SHA1

960b6ddd540b7be1f8ea27ed9260dc9e8ce62f27
SHA256

f038f5490c7892038079335389e27de0a76a4fff7efb05076bef391bf92411c1
SHA512

606c014fb8484f9401025be51af94996c4abcfe6842f548fd3e635cac6e67684b86c65ede9dc7056880911e8c1974db4da34972de82a74dba2aa9e4d55cd6346
SSDEEP

6144:a3isLWhftt+OloZJRm1Qs0MsNbO/a+JZXu+6xWlm2CIbzy:ULWhftt+OlobTs0M8kXu+VmNI/y

Score

10^/10

upx darkcomet

Malware Config

Signatures

Darkcomet family
darkcomet

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
static1/unpack001/45b0b7b58be26d86f4cf957b8dd0358a17c2ed4c0649b821fe0e02b5c4063ea6.exe	upx

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/45b0b7b58be26d86f4cf957b8dd0358a17c2ed4c0649b821fe0e02b5c4063ea6.exe

Files

f038f5490c7892038079335389e27de0a76a4fff7efb05076bef391bf92411c1
.zip

Password: infected
45b0b7b58be26d86f4cf957b8dd0358a17c2ed4c0649b821fe0e02b5c4063ea6.exe
.exe windows:4 windows x86 arch:x86

e288d83ef0ee530ae86eaebb052535d1

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

win32u

NtUserGetPointerDeviceCursors
NtUserGetPointerDeviceCursors
NtUserSetMenuContextHelpId

user32

AnimateWindow

version

VerQueryValueA
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

kernel32

lstrlen
lstrcpy
WriteProcessMemory
WriteFile
WinExec
WaitForSingleObject
VirtualQuery
VirtualFreeEx
VirtualFree
VirtualAllocEx
VirtualAlloc
VerLanguageNameA
UnmapViewOfFile
TerminateProcess
SizeofResource
SetThreadLocale
SetThreadContext
SetLastError
SetFileTime
SetFilePointer
SetFileAttributesA
SetEvent
SetErrorMode
SetEndOfFile
ResumeThread
ResetEvent
ReadProcessMemory
ReadFile
PeekNamedPipe
OpenProcess
MultiByteToWideChar
MulDiv
MoveFileA
MapViewOfFile
LockResource
LocalFileTimeToFileTime
LocalAlloc
LoadResource
LoadLibraryA
LeaveCriticalSection
InitializeCriticalSection
HeapFree
HeapAlloc
GlobalUnlock
GlobalMemoryStatus
GlobalLock
GlobalFree
GlobalFindAtomA
GlobalDeleteAtom
GlobalAlloc
GlobalAddAtomA
GetWindowsDirectoryA
GetVersionExA
GetVersion
GetUserDefaultLangID
GetTickCount
GetThreadLocale
GetThreadContext
GetTempPathA
GetSystemDirectoryA
GetStdHandle
GetProcessHeap
GetProcAddress
GetPrivateProfileStringA
GetPrivateProfileIntA
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLocalTime
GetLastError
GetFullPathNameA
GetFileSize
GetFileAttributesA
GetExitCodeProcess
GetEnvironmentVariableA
GetDriveTypeA
GetDiskFreeSpaceA
GetDateFormatA
GetCurrentThreadId
GetCurrentThread
GetCurrentProcessId
GetCurrentProcess
GetComputerNameA
GetCPInfo
FreeResource
InterlockedExchange
FreeLibrary
FormatMessageA
FindResourceA
FindNextFileA
FindFirstFileA
FindClose
FileTimeToLocalFileTime
FileTimeToDosDateTime
ExitThread
ExitProcess
EnumResourceNamesA
EnumCalendarInfoA
EnterCriticalSection
DosDateTimeToFileTime
DeleteFileA
DeleteCriticalSection
CreateThread
CreateProcessA
CreatePipe
CreateMutexA
CreateFileMappingA
CreateFileA
CreateEventA
CreateDirectoryA
CopyFileA
CompareStringA
CloseHandle
Beep
Sleep
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess

advapi32

RegSetValueExA
RegQueryValueExA
RegQueryInfoKeyA
RegOpenKeyExA
RegFlushKey
RegEnumValueA
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueA
LookupPrivilegeNameA
LookupPrivilegeDisplayNameA
LookupAccountSidA
LookupAccountNameA
IsValidSid
GetUserNameA
GetTokenInformation
GetSidSubAuthorityCount
GetSidSubAuthority
GetSidIdentifierAuthority
AdjustTokenPrivileges
LsaFreeMemory
LsaClose
LsaRetrievePrivateData
LsaOpenPolicy
ConvertSidToStringSidA
CredEnumerateA
StartServiceA
QueryServiceStatus
OpenServiceA
OpenSCManagerA
EnumServicesStatusA
DeleteService
CreateServiceA
ControlService
CloseServiceHandle
LsaClose

wsock32

WSACleanup
WSAStartup
WSAGetLastError
gethostname
getservbyname
gethostbyname
gethostbyaddr
socket
shutdown
sendto
send
recv
htons
ioctlsocket
inet_ntoa
inet_addr
htons
connect

shell32

ShellExecuteEx
ShellExecuteA
SHGetFileInfo
SHFileOperation
DragQueryFile
SHGetSpecialFolderLocation
SHGetPathFromIDList
SHGetSpecialFolderPathA
SHGetSpecialFolderPathA
SHEmptyRecycleBinA
ShellExecuteA

oleaut32

GetErrorInfo
GetActiveObject
SysFreeString
SafeArrayPtrOfIndex
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayCreate
VariantChangeType
VariantCopy
VariantClear
VariantInit
VariantCopy

combase

CoTaskMemFree
CLSIDFromProgID
ProgIDFromCLSID
StringFromCLSID
CoCreateInstance
CoUninitialize
CoTaskMemFree
StringFromCLSID

ole32

CoInitialize
IsEqualGUID
IsEqualGUID

urlmon

URLDownloadToFileA
URLDownloadToFileA

comctl32

_TrackMouseEvent
ImageList_SetIconSize
ImageList_GetIconSize
ImageList_Write
ImageList_Read
ImageList_DragShowNolock
ImageList_DragMove
ImageList_DragLeave
ImageList_DragEnter
ImageList_EndDrag
ImageList_BeginDrag
ImageList_Remove
ImageList_DrawEx
ImageList_Draw
ImageList_GetBkColor
ImageList_SetBkColor
ImageList_Add
ImageList_GetImageCount
ImageList_Destroy
ImageList_Create
ImageList_Add

wininet

InternetOpenUrlA
InternetOpenA
InternetConnectA
InternetCloseHandle
FtpPutFileA
FtpPutFileA

winmm

waveInUnprepareHeader
waveInStart
waveInReset
waveInPrepareHeader
waveInOpen
waveInClose
waveInAddBuffer
PlaySoundA
mciSendStringA
waveInOpen

rasapi32

RasGetEntryDialParamsA
RasEnumEntriesA
RasEnumEntriesA

netapi32

Netbios
NetApiBufferFree
NetShareGetInfo
NetShareEnum
Netbios

ntdll

NtUnmapViewOfSection
NtQuerySystemInformation
NtUnmapViewOfSection
NtQuerySystemInformation

gdiplus

GdipGetImageEncoders
GdipGetImageEncodersSize
GdipDrawImageRectI
GdipSetInterpolationMode
GdipDeleteGraphics
GdipCreateBitmapFromScan0
GdipCreateBitmapFromStreamICM
GdipCreateBitmapFromStream
GdipGetImagePixelFormat
GdipGetImageGraphicsContext
GdipSaveImageToStream
GdipDisposeImage
GdiplusShutdown
GdiplusStartup
GdipFree
GdipAlloc
GdipFree

avicap32

capGetDriverDescriptionA
capGetDriverDescriptionA
capGetDriverDescriptionA

shfolder

SHGetFolderPathA
SHGetFolderPathA

ws2_32

WSAIoctl
WSAIoctl
send

msacm32

acmStreamUnprepareHeader
acmStreamPrepareHeader
acmStreamConvert
acmStreamReset
acmStreamSize
acmStreamClose
acmStreamOpen
acmStreamSize

pstorec

PStoreCreateInstance
PStoreCreateInstance

url

InetIsOffline
InetIsOffline

gdi32

SaveDC

Sections

UPX0
Size: 484KB - Virtual size: 484KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

UPX1
Size: 232KB - Virtual size: 232KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

Password: infected

e288d83ef0ee530ae86eaebb052535d1

Headers

File Characteristics

Imports

win32u

user32

version

kernel32

advapi32

wsock32

shell32

oleaut32

combase

ole32

urlmon

comctl32

wininet

winmm

rasapi32

netapi32

ntdll

gdiplus

avicap32

shfolder

ws2_32

msacm32

pstorec

url

gdi32

Sections

UPX0 Size: 484KB - Virtual size: 484KB

UPX1 Size: 232KB - Virtual size: 232KB

.rsrc Size: 15KB - Virtual size: 15KB

UPX0
Size: 484KB - Virtual size: 484KB

UPX1
Size: 232KB - Virtual size: 232KB

.rsrc
Size: 15KB - Virtual size: 15KB