Extracted

• • Target

    67278e924fbf238c50afb940de4e6ada4a59d31e4a1426f0dc55fcbc861f9f35

  • Size

    822KB

  • MD5

    17862e1bb7c4b9fb784867e8c65c2e7b

  • SHA1

    3bd7ae06e686c2c9c3895c6bde4486628735964e

  • SHA256

    67278e924fbf238c50afb940de4e6ada4a59d31e4a1426f0dc55fcbc861f9f35

  • SHA512

    ea5f85a8aba818c5f40748bb8d8b9157307d8db2f920519d19b27e143df8f31207a0456b554a88da376f8acddb3b12fb351a3b47a6a26ca4bf3d56ecab614457

  • SSDEEP

    12288:9x9KMW9cK0ise8kqkvdmWP9Fe4IUGSq6F9e6NI4Avt+Mbi/NR+/C6sV:9x9KMs8yJe4NGSXM0I/vXinOBsV

  Score

  10^/10

  darkcometguest16discoverypersistencerattrojan

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Darkcomet family

    darkcomet

  • Modifies WinLogon for persistence

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2