darkcomet | c1b4505052f389d4def59095c55900989a5669238477efc09b948e077e72d25c

Sharing

Copy URL

Twitter E-mail

General

Target

c1b4505052f389d4def59095c55900989a5669238477efc09b948e077e72d25c
Size

309KB
MD5

91a1472e50fd1a4cef5cf31a00fb7789
SHA1

7f60ff896a19cceb48f93b74f4be96b231e53749
SHA256

c1b4505052f389d4def59095c55900989a5669238477efc09b948e077e72d25c
SHA512

e39abcee904be5b9044a29aa25e85dfb815f7c9adb12969afc8deefa25c031dea7196697ae1a3c6d899779ae7fc8c59f2201655ec1d302b4b8144752409dbd50
SSDEEP

6144:KycNDSpaJS/73UTHAaQ0n5bkLkwL7GfPzSSbYg4VX+UeQz6Jc+5:KyCSpaJS/7a+05bkLDIrSSbZ4VX+Kz5Q

Score

10^/10

upx darkcomet

Malware Config

Signatures

Darkcomet family
darkcomet

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
static1/unpack001/582aaefcf01e9b80aec241c637c992ff535d9b21928c389610f6cdb5cf136676.exe	upx

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/582aaefcf01e9b80aec241c637c992ff535d9b21928c389610f6cdb5cf136676.exe

Files

c1b4505052f389d4def59095c55900989a5669238477efc09b948e077e72d25c
.zip

Password: infected
582aaefcf01e9b80aec241c637c992ff535d9b21928c389610f6cdb5cf136676.exe
.exe windows:4 windows x86 arch:x86

327b02177598022b32d5e551f40d638a

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

user32

AnimateWindow

version

VerQueryValueA
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

kernel32

lstrlen
lstrcpy
WriteProcessMemory
WriteFile
WinExec
WaitForSingleObject
VirtualQuery
VirtualFreeEx
VirtualFree
VirtualAllocEx
VirtualAlloc
VerLanguageNameA
UnmapViewOfFile
TerminateProcess
SizeofResource
SetThreadLocale
SetThreadContext
SetLastError
SetFileTime
SetFilePointer
SetFileAttributesA
SetEvent
SetErrorMode
SetEndOfFile
ResumeThread
ResetEvent
ReadProcessMemory
ReadFile
PeekNamedPipe
OpenProcess
MultiByteToWideChar
MulDiv
MoveFileA
MapViewOfFile
LockResource
LocalFileTimeToFileTime
LocalAlloc
LoadResource
LoadLibraryA
LeaveCriticalSection
InitializeCriticalSection
HeapFree
HeapAlloc
GlobalUnlock
GlobalMemoryStatus
GlobalLock
GlobalFree
GlobalFindAtomA
GlobalDeleteAtom
GlobalAlloc
GlobalAddAtomA
GetWindowsDirectoryA
GetVersionExA
GetVersion
GetUserDefaultLangID
GetTickCount
GetThreadLocale
GetThreadContext
GetTempPathA
GetSystemDirectoryA
GetStdHandle
GetProcessHeap
GetProcAddress
GetPrivateProfileStringA
GetPrivateProfileIntA
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLocalTime
GetLastError
GetFullPathNameA
GetFileSize
GetFileAttributesA
GetExitCodeProcess
GetEnvironmentVariableA
GetDriveTypeA
GetDiskFreeSpaceA
GetDateFormatA
GetCurrentThreadId
GetCurrentThread
GetCurrentProcessId
GetCurrentProcess
GetComputerNameA
GetCPInfo
FreeResource
InterlockedExchange
FreeLibrary
FormatMessageA
FindResourceA
FindNextFileA
FindFirstFileA
FindClose
FileTimeToLocalFileTime
FileTimeToDosDateTime
ExitThread
ExitProcess
EnumResourceNamesA
EnumCalendarInfoA
EnterCriticalSection
DosDateTimeToFileTime
DeleteFileA
DeleteCriticalSection
CreateThread
CreateProcessA
CreatePipe
CreateMutexA
CreateFileMappingA
CreateFileA
CreateEventA
CreateDirectoryA
CopyFileA
CompareStringA
CloseHandle
Beep
Sleep
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess

advapi32

RegSetValueExA
RegQueryValueExA
RegQueryInfoKeyA
RegOpenKeyExA
RegFlushKey
RegEnumValueA
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueA
LookupPrivilegeNameA
LookupPrivilegeDisplayNameA
LookupAccountSidA
LookupAccountNameA
IsValidSid
GetUserNameA
GetTokenInformation
GetSidSubAuthorityCount
GetSidSubAuthority
GetSidIdentifierAuthority
AdjustTokenPrivileges
LsaFreeMemory
LsaClose
LsaRetrievePrivateData
LsaOpenPolicy
ConvertSidToStringSidA
CredEnumerateA
StartServiceA
QueryServiceStatus
OpenServiceA
OpenSCManagerA
EnumServicesStatusA
DeleteService
CreateServiceA
ControlService
CloseServiceHandle
LsaClose

wsock32

WSACleanup
WSAStartup
WSAGetLastError
gethostname
getservbyname
gethostbyname
gethostbyaddr
socket
shutdown
sendto
send
recv
htons
ioctlsocket
inet_ntoa
inet_addr
htons
connect

shell32

ShellExecuteEx
ShellExecuteA
SHGetFileInfo
SHFileOperation
DragQueryFile
SHGetSpecialFolderLocation
SHGetPathFromIDList
SHGetSpecialFolderPathA
SHGetSpecialFolderPathA
SHEmptyRecycleBinA
ShellExecuteA

oleaut32

GetErrorInfo
GetActiveObject
SysFreeString
SafeArrayPtrOfIndex
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayCreate
VariantChangeType
VariantCopy
VariantClear
VariantInit
VariantCopy

combase

CoTaskMemFree
CLSIDFromProgID
ProgIDFromCLSID
StringFromCLSID
CoCreateInstance
CoUninitialize
CoTaskMemFree
StringFromCLSID

ole32

CoInitialize
IsEqualGUID
IsEqualGUID

urlmon

URLDownloadToFileA
URLDownloadToFileA

comctl32

_TrackMouseEvent
ImageList_SetIconSize
ImageList_GetIconSize
ImageList_Write
ImageList_Read
ImageList_DragShowNolock
ImageList_DragMove
ImageList_DragLeave
ImageList_DragEnter
ImageList_EndDrag
ImageList_BeginDrag
ImageList_Remove
ImageList_DrawEx
ImageList_Draw
ImageList_GetBkColor
ImageList_SetBkColor
ImageList_Add
ImageList_GetImageCount
ImageList_Destroy
ImageList_Create
ImageList_Add

wininet

InternetOpenUrlA
InternetOpenA
InternetConnectA
InternetCloseHandle
FtpPutFileA
FtpPutFileA

winmm

waveInUnprepareHeader
waveInStart
waveInReset
waveInPrepareHeader
waveInOpen
waveInClose
waveInAddBuffer
PlaySoundA
mciSendStringA
waveInOpen

rasapi32

RasGetEntryDialParamsA
RasEnumEntriesA
RasEnumEntriesA

netapi32

Netbios
NetApiBufferFree
NetShareGetInfo
NetShareEnum
Netbios

ntdll

NtUnmapViewOfSection
NtQuerySystemInformation
NtUnmapViewOfSection
NtQuerySystemInformation

gdiplus

GdipGetImageEncoders
GdipGetImageEncodersSize
GdipDrawImageRectI
GdipSetInterpolationMode
GdipDeleteGraphics
GdipCreateBitmapFromScan0
GdipCreateBitmapFromStreamICM
GdipCreateBitmapFromStream
GdipGetImagePixelFormat
GdipGetImageGraphicsContext
GdipSaveImageToStream
GdipDisposeImage
GdiplusShutdown
GdiplusStartup
GdipFree
GdipAlloc
GdipFree

avicap32

capGetDriverDescriptionA
capGetDriverDescriptionA
capGetDriverDescriptionA

shfolder

SHGetFolderPathA
SHGetFolderPathA

ws2_32

WSAIoctl
WSAIoctl
send

msacm32

acmStreamUnprepareHeader
acmStreamPrepareHeader
acmStreamConvert
acmStreamReset
acmStreamSize
acmStreamClose
acmStreamOpen
acmStreamSize

pstorec

PStoreCreateInstance
PStoreCreateInstance

url

InetIsOffline
InetIsOffline

gdi32

SaveDC

Sections

UPX0
Size: 484KB - Virtual size: 484KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

UPX1
Size: 232KB - Virtual size: 232KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

Password: infected

327b02177598022b32d5e551f40d638a

Headers

File Characteristics

Imports

user32

version

kernel32

advapi32

wsock32

shell32

oleaut32

combase

ole32

urlmon

comctl32

wininet

winmm

rasapi32

netapi32

ntdll

gdiplus

avicap32

shfolder

ws2_32

msacm32

pstorec

url

gdi32

Sections

UPX0 Size: 484KB - Virtual size: 484KB

UPX1 Size: 232KB - Virtual size: 232KB

.rsrc Size: 15KB - Virtual size: 15KB

UPX0
Size: 484KB - Virtual size: 484KB

UPX1
Size: 232KB - Virtual size: 232KB

.rsrc
Size: 15KB - Virtual size: 15KB