MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 074193e6032463916cca5208b1dd4eaea758dfb41684888438e01cc7c8bf795f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 074193e6032463916cca5208b1dd4eaea758dfb41684888438e01cc7c8bf795f
SHA3-384 hash: 354e01295dfbb74d1677c9f1081a55c04b562640b43d7fc0ca58306776661768bb6d7bed1fc9ad7a624ec0cbc72da6d8
SHA1 hash: 2784038e702ea56c70b56d0ba2dab6dac5512746
MD5 hash: a49f8963a4c3949b06e4301caa2de435
humanhash: undress-kentucky-artist-gee
File name:074193e6032463916cca5208b1dd4eaea758dfb41684888438e01cc7c8bf795f
Download: download sample
Signature DarkComet
Create hunting rule
File size:325'632 bytes
First seen:2021-08-31 06:52:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a38ad86d74cafc45094a5085e33419e4 (109 x DarkComet, 1 x njrat)
ssdeep 6144:DcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37yJh:DcW7KEZlPzCy37E
Threatray 125 similar samples on MalwareBazaar
TLSH T1D364F0D16A8CDBE3DF7B19F80534463B7B142EEE9D9D8E412610F2786CF0C4116CA699
dhash icon 71cc96aa928ecc71 (1 x DarkComet)
Reporter JAMESWT_WT
Tags:DarkComet exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
829
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
074193e6032463916cca5208b1dd4eaea758dfb41684888438e01cc7c8bf795f
Verdict:
Malicious activity
Analysis date:
2021-08-31 07:25:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/57bf9a86-334f-40bd-a853-da134f16b8f0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkComet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184053/
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Win.Trojan.Darkkomet-6745294-0
Create hunting rule

Win.Trojan.DarkKomet-1
Create hunting rule

PUA.Win.Packer.Exe-6
Create hunting rule

Win.Trojan.Darkkomet-7113180-0
Create hunting rule

Win.Dropper.Zeus-9820070-0
Create hunting rule

Win.Dropper.Darkkomet-9857869-0
Create hunting rule

Win.Trojan.Darkkomet-9857871-0
Create hunting rule

Win.Malware.Darkkomet-9857872-0
Create hunting rule

PUA.Win.Packer.PrivateEXEProtector4-6192998-2
Create hunting rule

Win.Trojan.Darkkomet-6745084-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Enabling the 'hidden' option for recently created files
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Setting a keyboard event handler
Connection attempt
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Blocking a possibility to launch for the Windows registry editor (regedit.exe)
Blocking the User Account Control
Enabling autorun
Unauthorized injection to a system process
Deleting of the original file
Malware family:
DarkComet
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ec5798ec-7e2a-4c9d-a534-feda89644621
Result
Threat name:
DarkComet
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842313
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes
Contains functionality to register a low level keyboard hook
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Disables UAC (registry)
Disables windows user account control
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected DarkComet
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 474744 Sample: OGGK3bhHPs Startdate: 31/08/2021 Architecture: WINDOWS Score: 100 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus detection for dropped file 2->59 61 10 other signatures 2->61 7 OGGK3bhHPs.exe 1 4 2->7         started        11 updater.exe 1 2->11         started        13 updater.exe 1 2->13         started        process3 file4 35 C:\ProgramData\Microsoft\...\updater.exe, PE32 7->35 dropped 37 C:\...\updater.exe:Zone.Identifier, ASCII 7->37 dropped 63 Creates an undocumented autostart registry key 7->63 65 Contains functionality to capture and log keystrokes 7->65 67 Contains functionality to log keystrokes 7->67 69 3 other signatures 7->69 15 updater.exe 3 3 7->15         started        19 cmd.exe 1 7->19         started        21 cmd.exe 1 7->21         started        23 notepad.exe 7->23         started        signatures5 process6 dnsIp7 39 185.29.120.189, 1604, 49731, 49736 AS43260TR Turkey 15->39 41 127.0.0.1 unknown unknown 15->41 43 Writes to foreign memory regions 15->43 45 Allocates memory in foreign processes 15->45 47 Disables UAC (registry) 15->47 53 5 other signatures 15->53 25 notepad.exe 15->25         started        49 Uses cmd line tools excessively to alter registry or file data 19->49 27 conhost.exe 19->27         started        29 attrib.exe 1 19->29         started        31 conhost.exe 21->31         started        33 attrib.exe 1 21->33         started        51 Deletes itself after installation 23->51 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/074193e6032463916cca5208b1dd4eaea758dfb41684888438e01cc7c8bf795f/
Threat name:
Win32.Backdoor.DarkComet
Create hunting rule
Status:
Malicious
First seen:
2021-08-28 00:29:06 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
43 of 46 (93.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a5azhzqderrzc3gkkieldxkov2tvrx5uc2cirbby4aompsf7pfpq._file
Verdict:
malicious
Similar samples:
113936749f6b08da52458f7536043df7dc3da181b084db8240d441ddc3d7c02d
DarkComet
5cd8924328a7410215c895cd0de484846df13d583e15650ded75ba62b88c17d0
DarkComet
60134cb1f167c3d639e293f98e60eb794227b258966196b5cbdeb6e4baa5ad9e
DarkComet
76f3f11f6edda541fc77ef2354e5f199db8c5513b3ccf55d62dd7d64b58850c4
DarkComet
7eb160d254641cd57c9abbae458370718b989d6096f17c6888318a8ebb253853
DarkComet
856bcc47f2c9617ed7e2c5f702dc5cea6713713da600229b2db076d64f24dfdf
DarkComet
8e958f6607d7071280237e933f588829fdd6dcf197064e951124bd07318ad9ee
DarkComet
8ede23556115292a84dac51f8542b37e33bf621b963791cd77017c3263c31952
DarkComet
da0a4e16ef4baf46f27e666e9b4547cdf17eafad3caa235df6c29a52d3da8d0a
DarkComet
e131a045dc4874ee4eed8e75af0faeecaf86a80e18f13b9845a8b6f57686beec
DarkComet
+ 115 additional samples on MalwareBazaar
Result
Malware family:
darkcomet
Create hunting rule
Score:
  10/10
Tags:
family:darkcomet evasion persistence rat trojan upx
Link:
https://tria.ge/reports/210831-nypwzzvm8e/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Adds Run key to start application
Deletes itself
Loads dropped DLL
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Executes dropped EXE
Sets file to hidden
UPX packed file
Darkcomet
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
9d05eb381c6e21b36c720b02cf48019ada67c029468b05f6aaaeee12a9fffe26
MD5 hash:
343726e33afc7a951c5e9075a178b608
SHA1 hash:
df3aefa08e35b55fade041ad740ae76b9cae6408
Detections:
win_darkcomet_g0
Create hunting rule
win_darkcomet_auto
Create hunting rule
Link:
https://www.unpac.me/results/c0d61611-2d14-47d3-ab22-4b21ce3c9243/
SH256 hash:
074193e6032463916cca5208b1dd4eaea758dfb41684888438e01cc7c8bf795f
MD5 hash:
a49f8963a4c3949b06e4301caa2de435
SHA1 hash:
2784038e702ea56c70b56d0ba2dab6dac5512746
Detections:
win_darkcomet_g0
Create hunting rule
Link:
https://www.unpac.me/results/c0d61611-2d14-47d3-ab22-4b21ce3c9243/
Malware family:
DarkComet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/074193e60324/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkComet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/074193e6032463916cca5208b1dd4eaea758dfb41684888438e01cc7c8bf795f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Intezer_Vaccine_DarkComet
Create hunting rule
Author:Intezer Labs
Description:Automatic YARA vaccination rule created based on the file's genes
Reference:https://analyze.intezer.com
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:ProjectM_DarkComet_1
Create hunting rule
Author:Florian Roth
Description:Detects ProjectM Malware
Reference:http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/
Rule name:RAT_DarkComet
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects DarkComet RAT
Reference:http://malwareconfig.com/stats/DarkComet
Rule name:win_darkcomet_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/184053/

Comments