Extracted

• • Target

    9b476881db7aef7dbedcce78017129b37667ea282d0c99566a38cfa94e343821.exe

  • Size

    759KB

  • MD5

    ab5e0c9fbbf7cd002742a751c290a0c0

  • SHA1

    ef61e32aadd9ebfc674c4f951c860f2d952b639d

  • SHA256

    9b476881db7aef7dbedcce78017129b37667ea282d0c99566a38cfa94e343821

  • SHA512

    7e79dae7dc598113d4488d7b2460c174284b4b0ad530c49a091d987c1c42c323edb769c030510613023c569924f5036878a133f8dd81050f17ae3c15bcd5f2f8

  • SSDEEP

    12288:qM3iXBPCO36urpV5HODRH0xh9W1gx7K8hiz1v8hvwxUj1ShwONxyibDwdB:oqEdTE0X9WSxG8IZv8hI21ShFNxyoMj

  Score

  10^/10

  darkcometmusicagoagilenetdiscoverypersistencerattrojan

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Darkcomet family

    darkcomet

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2