Extracted

• • Target

    f2b45a512a8c3586df555d52c068f516dd0bab1c8a24467bdf3e72055312185dN.exe

  • Size

    5.3MB

  • MD5

    37bc24bd5ce2067bdb0c34c0ca414c00

  • SHA1

    3d7b67e7370d79533cb984330f21e5f5c5b9479a

  • SHA256

    f2b45a512a8c3586df555d52c068f516dd0bab1c8a24467bdf3e72055312185d

  • SHA512

    bf4fe4f5139bd206792b645509aaf42be2d58d3f003a497c799bbd3d860ec5c9193f781e4d1525ddd9f7798f8395d21e96ed74ceeb52c0ab43df3d642758ad8a

  • SSDEEP

    98304:aOQGc830HeOIk0ons6U523lPWZIERFog7icldle+HJFD:hrj30qkXnsr2YIIog7if+HJF

  Score

  10^/10

  discoverydarkcometgoogledebuggerevasionpersistencerattrojanupx

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Darkcomet family

    darkcomet

  • Modifies WinLogon for persistence

    persistence

  • Disables Task Manager via registry modification

    evasion

  • Downloads MZ/PE file

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2