Extracted

• • Target

    lmaoo.vmp.exe

  • Size

    5.4MB

  • MD5

    22dfe2e162a9e17a9f4bf54816515f48

  • SHA1

    036b06247202de051f074268c594ae6f7112a748

  • SHA256

    064aa3e4c53ea3aff1023f9e7cb5c42acdc703526d63d6d69ad8cd46747bc077

  • SHA512

    4ed84a603988353228df6443a2df51275d790cbc52120110d796ee9b19dad9d707077749b24483ffd60dc47e5da040b533737fc9ed0047084989924db52db359

  • SSDEEP

    98304:ZdMKOcZk67edPxSB2veWYiNqksUCDqeJrXi95/go8v3gFbEPOwOcxLq:4KHZsd5SoGWmECeeJrsSoA3TqcxL

  Score

  10^/10

  darkcometdiscoverypersistencerattrojanvmprotect

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Darkcomet family

    darkcomet

  • Modifies WinLogon for persistence

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • VMProtect packed file

    Detects executables packed with VMProtect commercial packer.

    vmprotect

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2