MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 492c55622ab28f5549a53604a4525613268aa1ab5ca99cbc6a969d8e387337f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 18


Intelligence 18 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 492c55622ab28f5549a53604a4525613268aa1ab5ca99cbc6a969d8e387337f0
SHA3-384 hash: 2b7d23cdb0c74d95cdef13ab8a2a57d98c1617b2ac79f1912f2da8eb36bb2e7c48f1accd16e39a5ae7ad2d973057ccc2
SHA1 hash: 8124ac83f3188bc856486fb2c5284fadd73bc991
MD5 hash: a5e45231ac569973154a0098227affa0
humanhash: bacon-july-kitten-india
File name:svchost.exe
Download: download sample
Signature DarkComet
Create hunting rule
File size:2'590'208 bytes
First seen:2025-11-23 09:39:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9d617e643d715888a08eb0e79581244c (8 x DarkComet)
ssdeep 49152:dQDgok30Pn+9nUW6z/8StAA3qnE3cgka5mpLS+Mnoga:dQU/kn+h2KE3bmxGno
Threatray 370 similar samples on MalwareBazaar
TLSH T165C5E030F180A47FDC6635F48C5A88B554167E262E26250B35F73E0C9E3E283EE565AF
TrID 29.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
22.2% (.EXE) Win64 Executable (generic) (10522/11/4)
21.1% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
9.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.3% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter abuse_ch
Tags:DarkComet exe upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 36501ff706eae486b28125c1a165f3227bb22104b0f7ed832120cad36ea8caa1
File size (compressed) :2'321'920 bytes
File size (de-compressed) :2'590'208 bytes
Format:win32/pe
Packed file: 36501ff706eae486b28125c1a165f3227bb22104b0f7ed832120cad36ea8caa1

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
darkcomet
Create hunting rule
ID:
1
File name:
svchost.exe
Verdict:
Malicious activity
Analysis date:
2025-11-23 23:04:57 UTC
Tags:
auto-reg darkcomet rat delphi
Link:
https://app.any.run/tasks/5ab97134-908a-4796-a299-84c2831b3a4e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkComet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/41027/
Detection(s):
Win.Trojan.DarkKomet-1
Create hunting rule

Win.Trojan.Darkkomet-7113180-0
Create hunting rule

Win.Dropper.Zeus-9820070-0
Create hunting rule

Win.Dropper.Darkkomet-9857869-0
Create hunting rule

Win.Trojan.Darkkomet-9857871-0
Create hunting rule

Win.Malware.Darkkomet-9857872-0
Create hunting rule

Win.Trojan.Darkkomet-6745084-0
Create hunting rule

Win.Trojan.Vobfus-6875610-0
Create hunting rule

Win.Trojan.Fynloski-40
Create hunting rule

Win.Adware.Downware-535
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm base64 borland_delphi coinminer crypt darkcomet darkcomet evasive explorer fingerprint installer-heuristic keylogger lolbin obfuscated packed
Link:
https://www.filescan.io/uploads/6922e47f6c89728b9825ed70/reports/05453048-78ef-4556-a640-f59f521dc6ea/overview
Verdict:
Malicious
Labled as:
Backdoor.DarkKomet
Link:
https://www.hybrid-analysis.com/sample/492c55622ab28f5549a53604a4525613268aa1ab5ca99cbc6a969d8e387337f0
Result
Gathering data
Result
Threat name:
DarkComet, Nitol
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1819382
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Detected unpacking (changes PE section rights)
Disables the Windows registry editor (regedit)
Drops PE files with benign system names
Found malware configuration
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive USB information (via WMI, WIN32_USBHUB, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected DarkComet
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1819382 Sample: svchost.exe Startdate: 23/11/2025 Architecture: WINDOWS Score: 100 73 Found malware configuration 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 Antivirus detection for dropped file 2->77 79 16 other signatures 2->79 8 svchost.exe 1 5 2->8         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        16 svchost.exe 2->16         started        process3 file4 65 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 8->65 dropped 67 C:\Users\user\AppData\...\WIN 10 TWEAKER.EXE, PE32 8->67 dropped 69 C:\Users\user\...\svchost.exe:Zone.Identifier, ASCII 8->69 dropped 93 Creates an undocumented autostart registry key 8->93 95 Contains functionality to inject code into remote processes 8->95 97 Contains functionality to register a low level keyboard hook 8->97 99 4 other signatures 8->99 18 svchost.exe 1 3 8->18         started        22 WIN 10 TWEAKER.EXE 4 19 8->22         started        24 cmd.exe 1 8->24         started        26 2 other processes 8->26 signatures5 process6 dnsIp7 71 10.0.2.15, 27015 unknown unknown 18->71 81 Antivirus detection for dropped file 18->81 83 System process connects to network (likely due to code injection or exploit) 18->83 85 Multi AV Scanner detection for dropped file 18->85 91 5 other signatures 18->91 28 notepad.exe 18->28         started        30 cmd.exe 22->30         started        33 powershell.exe 22->33         started        35 cmd.exe 22->35         started        45 2 other processes 22->45 87 Uses cmd line tools excessively to alter registry or file data 24->87 37 conhost.exe 24->37         started        39 attrib.exe 1 24->39         started        89 Deletes itself after installation 26->89 41 conhost.exe 26->41         started        43 attrib.exe 1 26->43         started        signatures8 process9 signatures10 101 Uses schtasks.exe or at.exe to add and modify task schedules 30->101 103 Uses netsh to modify the Windows network and firewall settings 30->103 47 conhost.exe 30->47         started        49 chcp.com 30->49         started        51 compact.exe 30->51         started        105 Loading BitLocker PowerShell Module 33->105 53 conhost.exe 33->53         started        55 conhost.exe 35->55         started        57 chcp.com 35->57         started        59 schtasks.exe 35->59         started        61 conhost.exe 45->61         started        63 4 other processes 45->63 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/492c55622ab28f5549a53604a4525613268aa1ab5ca99cbc6a969d8e387337f0
Verdict:
inconclusive
YARA:
8 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 1.00 Win 32 Exe x86
Link:
https://app.malva.re/file/a5e45231ac569973154a0098227affa0
Detection:
darkcomet
Create hunting rule
Link:
https://mwdb.cert.pl/sample/492c55622ab28f5549a53604a4525613268aa1ab5ca99cbc6a969d8e387337f0/
Threat name:
Win32.Backdoor.DarkComet
Create hunting rule
Status:
Malicious
First seen:
2025-11-23 09:47:29 UTC
File Type:
PE (Exe)
Extracted files:
35
AV detection:
34 of 36 (94.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jewfkyrkwkhvksnfgyckiuswcmtivinllsuzzpdks2oy4odtg7ya._file
Verdict:
malicious
Label(s):
darkcomet
Create hunting rule
Similar samples:
0824eac1ce23de2321bce82efce874ab3c213d15f1a120d8ec08c85c7fbc250b
DarkComet
0cbf9454358f9770b1165a1e8df830d359d513ececa0e4adef67bfa3f0545a0d
DarkComet
8df919d13e79c80c26053c7aa529fc3a0b49c0db77f957b38c49e80e9ffb53a4
DarkComet
90d3dbe2c8ae46b970a865f597d091688e7c04c7886a1ec287e4b7a0f5e2fcf1
DarkComet
error
DarkComet
+ 360 additional samples on MalwareBazaar
Result
Malware family:
darkcomet
Create hunting rule
Score:
  10/10
Tags:
family:darkcomet botnet:minecraft defense_evasion discovery persistence ransomware rat trojan
Link:
https://tria.ge/reports/251123-mrhn7stqh1/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
ConfuserEx .NET packer
Adds Run key to start application
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Disables RegEdit via registry modification
Sets file to hidden
Darkcomet
Darkcomet family
Modifies WinLogon for persistence
Malware Config
C2 Extraction:
10.0.2.15:27015
127.0.0.1:27015
Verdict:
Malicious
Tags:
keylogger rat darkcomet Win.Trojan.DarkKomet-1
YARA:
Malware_QA_update Windows_Trojan_Darkcomet_1df27bcc RAT_DarkComet MALWARE_Win_DarkComet
Link:
https://app.threat.zone/submission/ac448771-ad95-41c8-9f92-123c456938af
Unpacked files
SH256 hash:
492c55622ab28f5549a53604a4525613268aa1ab5ca99cbc6a969d8e387337f0
MD5 hash:
a5e45231ac569973154a0098227affa0
SHA1 hash:
8124ac83f3188bc856486fb2c5284fadd73bc991
Detections:
win_darkcomet_g0
Create hunting rule
win_darkcomet_a0
Create hunting rule
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Malware_QA_update
Create hunting rule
RAT_DarkComet
Create hunting rule
check_installed_software
Create hunting rule
MALWARE_Win_DarkComet
Create hunting rule
Link:
https://www.unpac.me/results/21d92dcd-0771-435c-9352-946c08867057/
Parent samples :
36501ff706eae486b28125c1a165f3227bb22104b0f7ed832120cad36ea8caa1
492c55622ab28f5549a53604a4525613268aa1ab5ca99cbc6a969d8e387337f0
SH256 hash:
4699aa21b59fbcb537f698a44997ed1f696c5abf16050bd69eca37d94f0f6763
MD5 hash:
6b151348c0584531392348f73268076c
SHA1 hash:
194e3d11e0bd9744ac08d42acf03652e387cc76c
Link:
https://www.unpac.me/results/21d92dcd-0771-435c-9352-946c08867057/
SH256 hash:
37efc662cbcd228df1d4f21f272509d8a88088bef5c1980a08cbc6bdfe00e69b
MD5 hash:
6229107e317a0bcd622da4b66b8ca67f
SHA1 hash:
39fcfc30ceb98ab068e822f0af34c547abdef8ba
Detections:
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/21d92dcd-0771-435c-9352-946c08867057/
Parent samples :
36501ff706eae486b28125c1a165f3227bb22104b0f7ed832120cad36ea8caa1
492c55622ab28f5549a53604a4525613268aa1ab5ca99cbc6a969d8e387337f0
SH256 hash:
9d289a0a025112cf56918680d623e53afcf5131ba738ab0006cb74ae4fbd97fb
MD5 hash:
2474b9c6c1ca4e04c79120889d852521
SHA1 hash:
8acc4889a4d6989c188c4104443802cab940ad01
Link:
https://www.unpac.me/results/21d92dcd-0771-435c-9352-946c08867057/
SH256 hash:
d6079b7304556f67c0476d0035852fd2fc28baf697620366aef2c1aa858bb2c4
MD5 hash:
0efe17a6f977c20502e335341ca07b89
SHA1 hash:
cffd7bd165e2d598866f1a128cd7081f552c69a7
Detections:
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/21d92dcd-0771-435c-9352-946c08867057/
Parent samples :
36501ff706eae486b28125c1a165f3227bb22104b0f7ed832120cad36ea8caa1
492c55622ab28f5549a53604a4525613268aa1ab5ca99cbc6a969d8e387337f0
Malware family:
DarkComet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/492c55622ab2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkComet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/492c55622ab28f5549a53604a4525613268aa1ab5ca99cbc6a969d8e387337f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:darkcomet_v1
Create hunting rule
Author:RandomMalware
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Intezer_Vaccine_DarkComet
Create hunting rule
Author:Intezer Labs
Description:Automatic YARA vaccination rule created based on the file's genes
Reference:https://analyze.intezer.com
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:Malware_QA_update_RID2DAD
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:MALWARE_Win_DarkComet
Create hunting rule
Author:ditekSHen
Description:Detects DarkComet
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RAT_DarkComet
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects DarkComet RAT
Reference:http://malwareconfig.com/stats/DarkComet
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/
Rule name:Windows_Trojan_Darkcomet_1df27bcc
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

DarkComet

Executable exe 36501ff706eae486b28125c1a165f3227bb22104b0f7ed832120cad36ea8caa1

DarkComet

Executable exe 492c55622ab28f5549a53604a4525613268aa1ab5ca99cbc6a969d8e387337f0

(this sample)

  
Dropped by
SHA256 36501ff706eae486b28125c1a165f3227bb22104b0f7ed832120cad36ea8caa1
  
Dropped by
MD5 3073247e9aaea05d369730f762e080c0
Cape
Cape
https://www.capesandbox.com/analysis/41027/

Comments