Extracted

• • Target

    380901a4d796135abc8a33a11b267aa8647355fa1000d4afeb413f9ec519774d

  • Size

    427KB

  • MD5

    347dd7b659f7f4ce7833cdfd51738e87

  • SHA1

    c9c80fc1556d0e691da88f2da65cd6ba2856d6d4

  • SHA256

    380901a4d796135abc8a33a11b267aa8647355fa1000d4afeb413f9ec519774d

  • SHA512

    22a9d1bba58113b312f4fd1cb6248a2fd2b74a58ac6a78f824ae491811bdf977193c1646da94d0b14f05ad7f97211bf282953952f1886458b450065b6334b541

  • SSDEEP

    6144:HcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL3790WLJV2k+baoNRL4/:HcW7KEZlPzCy37SyJkk+WoNRL4/

  Score

  10^/10

  darkcometguest16evasionpersistencerattrojanupx

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Modifies WinLogon for persistence

    persistence

  • Modifies firewall policy service

    evasion

  • Modifies security service

    evasion

  • Windows security bypass

    evasiontrojan

  • UPX dump on OEP (original entry point)

  • Disables RegEdit via registry modification

    evasion

  • Disables Task Manager via registry modification

    evasion

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of SetThreadContext

  behavioral1behavioral2