MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6aaa5a53455217ab61faeb5f0f57fb643f594af50ae613275db528119e3f3715. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6aaa5a53455217ab61faeb5f0f57fb643f594af50ae613275db528119e3f3715
SHA3-384 hash: 0956a5f7cbced5c59f93035e7cee0080b4a7c65c888ced0f4957cd6b0174c37ea485823930bd64b603b94b2badb1c072
SHA1 hash: 54008e19ea4b5b4a452905fa5f7d78b3ecfbfe6e
MD5 hash: a95e3e4dbedcc98e826cc682ef8b3fd6
humanhash: illinois-uranus-alabama-gee
File name:6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe
Download: download sample
Signature njrat
Create hunting rule
File size:357'888 bytes
First seen:2022-07-26 09:27:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a38ad86d74cafc45094a5085e33419e4 (109 x DarkComet, 1 x njrat)
ssdeep 6144:+cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37PcAA:+cW7KEZlPzCy37
TLSH T14174BFB2AE524D72C94C79F5A31950E01B1C3E9FA1DC876216B8330530B99B7CE76B2D
TrID 39.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
6.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.3% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
2.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 19192167d3ebeb67 (2 x njrat, 1 x QuasarRAT)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
95.104.60.114:5552

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.104.60.114:5552 https://threatfox.abuse.ch/ioc/839637/

Intelligence

File Origin
# of uploads :
1
# of downloads :
334
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DarkComet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/294229/
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Win.Trojan.Darkkomet-6745294-0
Create hunting rule

Win.Trojan.DarkKomet-1
Create hunting rule

PUA.Win.Packer.Exe-6
Create hunting rule

Win.Trojan.Darkkomet-7113180-0
Create hunting rule

Win.Dropper.Zeus-9820070-0
Create hunting rule

Win.Dropper.Darkkomet-9857869-0
Create hunting rule

Win.Trojan.Darkkomet-9857871-0
Create hunting rule

Win.Malware.Darkkomet-9857872-0
Create hunting rule

PUA.Win.Packer.PrivateEXEProtector4-6192998-2
Create hunting rule

Win.Trojan.Darkkomet-6745084-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Enabling the 'hidden' option for analyzed file
Creating a process from a recently created file
Setting a keyboard event handler
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Firewall traversal
Blocking the User Account Control
Blocking the Windows Security Center notifications
Blocking the Windows Security Center launch
Enabling autorun
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27468/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
darkcomet packed shell32.dll
Link:
https://www.filescan.io/uploads/62dfb3c0cfc30516768d495c/reports/12b4d667-4ae6-452f-a81f-b46b4329b594/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkComet
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f36cbf35-9061-4d7a-a36b-6d520eaacbd9
Result
Threat name:
DarkComet
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1040933
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes
Contains functionality to register a low level keyboard hook
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Deletes itself after installation
Disables UAC (registry)
Disables windows user account control
Drops PE files with benign system names
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses shutdown.exe to shutdown or reboot the system
Writes to foreign memory regions
Yara detected DarkComet
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 673423 Sample: 6AAA5A53455217AB61FAEB5F0F5... Startdate: 26/07/2022 Architecture: WINDOWS Score: 100 62 Snort IDS alert for network traffic 2->62 64 Multi AV Scanner detection for domain / URL 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 5 other signatures 2->68 8 6AAA5A53455217AB61FAEB5F0F57FB643F594AF50AE61.exe 1 4 2->8         started        12 explorer.exe 1 2->12         started        14 explorer.exe 1 2->14         started        process3 file4 42 C:\Users\user\AppData\...\explorer.exe, PE32 8->42 dropped 44 C:\Users\...\explorer.exe:Zone.Identifier, ASCII 8->44 dropped 70 Creates an undocumented autostart registry key 8->70 72 Contains functionalty to change the wallpaper 8->72 74 Contains functionality to capture and log keystrokes 8->74 76 5 other signatures 8->76 16 explorer.exe 3 3 8->16         started        20 cmd.exe 1 8->20         started        22 cmd.exe 1 8->22         started        24 notepad.exe 8->24         started        signatures5 process6 dnsIp7 46 kvejo991.ddns.net 95.104.60.114, 1604, 49751, 49821 MAGTICOMASCaucasus-OnlineGE Georgia 16->46 48 Antivirus detection for dropped file 16->48 50 System process connects to network (likely due to code injection or exploit) 16->50 52 Multi AV Scanner detection for dropped file 16->52 60 12 other signatures 16->60 26 cmd.exe 1 16->26         started        28 notepad.exe 16->28         started        54 Uses cmd line tools excessively to alter registry or file data 20->54 56 Uses shutdown.exe to shutdown or reboot the system 20->56 30 conhost.exe 20->30         started        32 attrib.exe 1 20->32         started        34 conhost.exe 22->34         started        36 attrib.exe 1 22->36         started        58 Deletes itself after installation 24->58 signatures8 process9 process10 38 conhost.exe 26->38         started        40 shutdown.exe 1 26->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6aaa5a53455217ab61faeb5f0f57fb643f594af50ae613275db528119e3f3715/
Threat name:
Win32.Backdoor.DarkComet
Create hunting rule
Status:
Malicious
First seen:
2022-07-24 23:49:00 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
26 of 26 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nkvfuu2fkil2wyp25npq6v73mq7vssxvbltbgj25wuubdhr7g4kq._file
Verdict:
malicious
Result
Malware family:
darkcomet
Create hunting rule
Score:
  10/10
Tags:
family:darkcomet botnet:22 evasion persistence rat trojan upx
Link:
https://tria.ge/reports/220726-lfbwvabef8/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
Deletes itself
Loads dropped DLL
Windows security modification
Executes dropped EXE
Sets file to hidden
UPX packed file
Darkcomet
Modifies WinLogon for persistence
Modifies firewall policy service
Modifies security service
Windows security bypass
Malware Config
C2 Extraction:
kvejo991.ddns.net:1604
Unpacked files
SH256 hash:
8eace85e936cf66c65cb55c09d24e0717d0b1467700a96673dc741eb3f9d67a5
MD5 hash:
e20b2f0ac463f528581ffe3c1448d7cd
SHA1 hash:
6f7be6948692928d78e322b52c9c946d5f23b020
Detections:
win_darkcomet_a0
Create hunting rule
Link:
https://www.unpac.me/results/1a636dcc-05b6-4516-9adf-2b90ecd631e4/
SH256 hash:
6aaa5a53455217ab61faeb5f0f57fb643f594af50ae613275db528119e3f3715
MD5 hash:
a95e3e4dbedcc98e826cc682ef8b3fd6
SHA1 hash:
54008e19ea4b5b4a452905fa5f7d78b3ecfbfe6e
Detections:
win_darkcomet_g0
Create hunting rule
Link:
https://www.unpac.me/results/1a636dcc-05b6-4516-9adf-2b90ecd631e4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkComet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6aaa5a53455217ab61faeb5f0f57fb643f594af50ae613275db528119e3f3715

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Intezer_Vaccine_DarkComet
Create hunting rule
Author:Intezer Labs
Description:Automatic YARA vaccination rule created based on the file's genes
Reference:https://analyze.intezer.com
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:Malware_QA_update_RID2DAD
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:MALWARE_Win_DarkComet
Create hunting rule
Author:ditekSHen
Description:Detects DarkComet
Rule name:ProjectM_DarkComet_1
Create hunting rule
Author:Florian Roth
Description:Detects ProjectM Malware
Reference:http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/
Rule name:ProjectM_DarkComet_1_RID2E9E
Create hunting rule
Author:Florian Roth
Description:Detects ProjectM Malware
Reference:http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/
Rule name:RAT_DarkComet
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects DarkComet RAT
Reference:http://malwareconfig.com/stats/DarkComet
Rule name:win_darkcomet_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/294229/

Comments