MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36501ff706eae486b28125c1a165f3227bb22104b0f7ed832120cad36ea8caa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkComet

Vendor detections: 17

Intelligence 17 IOCs YARA 10 File information Comments

SHA256 hash:	36501ff706eae486b28125c1a165f3227bb22104b0f7ed832120cad36ea8caa1
SHA3-384 hash:	859762ac6dc4a382d885e6275000e28e768488e247fc24a4a4db994aa977b47c84b0060002c0c2b79261a689b95419d4
SHA1 hash:	2eeea698b27225fa74de0ad54621939d830073f3
MD5 hash:	3073247e9aaea05d369730f762e080c0
humanhash:	ack-seven-sierra-quebec
File name:	svchost.exe
Download:	download sample
Signature	DarkComet Create hunting rule
File size:	2'321'920 bytes
First seen:	2025-11-23 09:20:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a38ad86d74cafc45094a5085e33419e4 (109 x DarkComet, 1 x njrat)
ssdeep	49152:7iRne11j6bgulONn1LS4JtYDGgnjba/c9Hi8fXSE1kICPOLBfkBKv:7iY11ekusi39vYEH7fD1nCPOd8BK
TLSH	T1BDB51260E182E8B4F49639F5482DF8A001473D5A98B1252E2C7EF66951B33D3EDE790F
TrID	40.8% (.EXE) UPX compressed Win32 Executable (27066/9/6) 40.1% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 6.7% (.EXE) Win32 Executable (generic) (4504/4/1) 3.1% (.EXE) Win16/32 Executable Delphi generic (2072/23) 3.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Hexastrike
Tags:	DarkComet exe UPX

UPX packed

This file is packed with UPX. We have therefore unpacked the file. Below is furhter information about the unpacked (de-compressed) file.

File size (compressed) :	2'321'920 bytes
File size (de-compressed) :	2'590'208 bytes
Format:	win32/pe
Unpacked file:	492c55622ab28f5549a53604a4525613268aa1ab5ca99cbc6a969d8e387337f0

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

darkcomet

ID:

File name:

svchost.exe

Verdict:

Malicious activity

Analysis date:

2025-11-23 13:25:28 UTC

Tags:

auto-reg darkcomet upx delphi rat

Link:

https://app.any.run/tasks/4967bddb-0f2a-4f31-a7db-e34624e8397b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DarkComet

Link:

https://www.capesandbox.com/analysis/40286/

Detection(s):

Win.Trojan.Darkkomet-6745294-0

Win.Trojan.DarkKomet-1

Win.Trojan.Darkkomet-7113180-0

Win.Dropper.Zeus-9820070-0

Win.Dropper.Darkkomet-9857869-0

Win.Trojan.Darkkomet-9857871-0

Win.Malware.Darkkomet-9857872-0

Win.Trojan.Darkkomet-6745084-0

PUA.Win.Packer.UpxProtector-1

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6922d7e0b6ee81118d2c9894

Tags:

darkkomet emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file in the %AppData% subdirectories

DNS request

Connection attempt

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug borland_delphi darkcomet darkcomet fingerprint keylogger overlay packed packed packed packed upx

Link:

https://www.filescan.io/uploads/6922d570f96b58f0dc80b101/reports/b1864b44-ac88-4e9d-a821-01b7af7205ab/overview

Verdict:

Malicious

Labled as:

Backdoor.DarkKomet

Link:

https://www.hybrid-analysis.com/sample/36501ff706eae486b28125c1a165f3227bb22104b0f7ed832120cad36ea8caa1

Result

Gathering data

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/36501ff706eae486b28125c1a165f3227bb22104b0f7ed832120cad36ea8caa1

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/3073247e9aaea05d369730f762e080c0

Detection:

darkcomet

Link:

https://mwdb.cert.pl/sample/36501ff706eae486b28125c1a165f3227bb22104b0f7ed832120cad36ea8caa1/

Threat name:

Win32.Backdoor.DarkComet

Status:

Malicious

First seen:

2025-11-23 01:55:22 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

34 of 36 (94.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gzib75yg5lsinmubexa2czptej53eiiewd363azbedfng3vizkqq._file

Result

Malware family:

darkcomet

Score:

10/10

Tags:

family:darkcomet botnet:minecraft defense_evasion discovery persistence ransomware rat trojan upx

Link:

https://tria.ge/reports/251123-lkpy9ssqgz/

Behaviour

Checks processor information in registry

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Views/modifies file attributes

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Windows directory

ConfuserEx .NET packer

UPX packed file

Adds Run key to start application

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Disables RegEdit via registry modification

Sets file to hidden

Darkcomet

Darkcomet family

Modifies WinLogon for persistence

Malware Config

C2 Extraction:

10.0.2.15:27015
127.0.0.1:27015

Verdict:

Malicious

Tags:

apt darkcomet Win.Trojan.Darkkomet-6745294-0

YARA:

ProjectM_DarkComet_1

Link:

https://app.threat.zone/submission/04bee34f-5580-4faa-9bea-97c7acb228cb

Unpacked files

SH256 hash:

36501ff706eae486b28125c1a165f3227bb22104b0f7ed832120cad36ea8caa1

MD5 hash:

3073247e9aaea05d369730f762e080c0

SHA1 hash:

2eeea698b27225fa74de0ad54621939d830073f3

Detections:

win_darkcomet_g0

Link:

https://www.unpac.me/results/743a5a33-3c6c-4fa6-80f5-7c7a6feabed8/

SH256 hash:

492c55622ab28f5549a53604a4525613268aa1ab5ca99cbc6a969d8e387337f0

MD5 hash:

a5e45231ac569973154a0098227affa0

SHA1 hash:

8124ac83f3188bc856486fb2c5284fadd73bc991

Detections:

win_darkcomet_g0

win_darkcomet_a0

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

Malware_QA_update

RAT_DarkComet

check_installed_software

MALWARE_Win_DarkComet

Link:

https://www.unpac.me/results/743a5a33-3c6c-4fa6-80f5-7c7a6feabed8/

Parent samples :

36501ff706eae486b28125c1a165f3227bb22104b0f7ed832120cad36ea8caa1
492c55622ab28f5549a53604a4525613268aa1ab5ca99cbc6a969d8e387337f0

SH256 hash:

17938e0c5438006fd9bfce2291f11545619f00d4ef459d6c851e419c321d61f4

MD5 hash:

917809bce1896390c0bba246ff481c48

SHA1 hash:

53e74f8311ee2f78e0b26e2fbb6f7cf9f3e9b350

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

Link:

https://www.unpac.me/results/743a5a33-3c6c-4fa6-80f5-7c7a6feabed8/

SH256 hash:

4699aa21b59fbcb537f698a44997ed1f696c5abf16050bd69eca37d94f0f6763

MD5 hash:

6b151348c0584531392348f73268076c

SHA1 hash:

194e3d11e0bd9744ac08d42acf03652e387cc76c

Link:

https://www.unpac.me/results/743a5a33-3c6c-4fa6-80f5-7c7a6feabed8/

SH256 hash:

37efc662cbcd228df1d4f21f272509d8a88088bef5c1980a08cbc6bdfe00e69b

MD5 hash:

6229107e317a0bcd622da4b66b8ca67f

SHA1 hash:

39fcfc30ceb98ab068e822f0af34c547abdef8ba

Detections:

INDICATOR_EXE_Packed_ConfuserEx

Link:

https://www.unpac.me/results/743a5a33-3c6c-4fa6-80f5-7c7a6feabed8/

Parent samples :

36501ff706eae486b28125c1a165f3227bb22104b0f7ed832120cad36ea8caa1
492c55622ab28f5549a53604a4525613268aa1ab5ca99cbc6a969d8e387337f0

SH256 hash:

d6079b7304556f67c0476d0035852fd2fc28baf697620366aef2c1aa858bb2c4

MD5 hash:

0efe17a6f977c20502e335341ca07b89

SHA1 hash:

cffd7bd165e2d598866f1a128cd7081f552c69a7

Detections:

INDICATOR_EXE_Packed_ConfuserEx

Link:

https://www.unpac.me/results/743a5a33-3c6c-4fa6-80f5-7c7a6feabed8/

Parent samples :

36501ff706eae486b28125c1a165f3227bb22104b0f7ed832120cad36ea8caa1
492c55622ab28f5549a53604a4525613268aa1ab5ca99cbc6a969d8e387337f0

Malware family:

DarkComet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/36501ff706ea/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DarkComet

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/36501ff706eae486b28125c1a165f3227bb22104b0f7ed832120cad36ea8caa1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ProjectM_DarkComet_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects ProjectM Malware
Reference:	http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/

Rule name:	ProjectM_DarkComet_1_RID2E9E Create hunting rule
Author:	Florian Roth
Description:	Detects ProjectM Malware
Reference:	http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/

Rule name:	UPX20030XMarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXProtectorv10x2 Create hunting rule
Author:	malware-lu

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXv20MarkusLaszloReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

DarkComet

exe 36501ff706eae486b28125c1a165f3227bb22104b0f7ed832120cad36ea8caa1

(this sample)

DarkComet

exe 492c55622ab28f5549a53604a4525613268aa1ab5ca99cbc6a969d8e387337f0

Cape

https://www.capesandbox.com/analysis/40286/

Dropping

SHA256 492c55622ab28f5549a53604a4525613268aa1ab5ca99cbc6a969d8e387337f0

Dropping

MD5 a5e45231ac569973154a0098227affa0

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample