MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 806edea6dcd7aba5324f6a3c9f1f9f84e80baf0667e76d0c1e44ffefbc0655b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 4


Intelligence 4 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 806edea6dcd7aba5324f6a3c9f1f9f84e80baf0667e76d0c1e44ffefbc0655b1
SHA3-384 hash: d4272b90149bc491abe98e74dcc5c3dcde05c87117e3aba1831fdfefce16dbb63a7b1c34823e9cf2dada02533de0068f
SHA1 hash: a2a9d35ae6718bff63e81b86882c9c76f936e57e
MD5 hash: 5e531c622d9004cb6305a246fa02dc0b
humanhash: moon-pizza-papa-berlin
File name:RmPmm9sw.exe
Download: download sample
Signature DarkComet
Create hunting rule
File size:257'536 bytes
First seen:2020-03-28 13:13:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a38ad86d74cafc45094a5085e33419e4 (108 x DarkComet, 1 x njrat)
ssdeep 6144:/cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37:/cW7KEZlPzCy37
Threatray 1'029 similar samples on MalwareBazaar
TLSH A64422A5BBC59C43FAFEAEFC064D0F145B05339F1AEE82619F34024831A6A96135363D
Reporter johannes
Tags:DarkComet


Avatar
viql
darkcomet via https://pastebin.com/raw/RmPmm9sw

Intelligence

File Origin
# of uploads :
1
# of downloads :
470
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-6
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Win.Trojan.Darkkomet-6745294-0
Create hunting rule

Win.Trojan.DarkKomet-1
Create hunting rule

PUA.Win.Packer.Exe-6
Create hunting rule

Win.Trojan.Darkkomet-6745084-0
Create hunting rule

Win.Trojan.Darkkomet-7113180-0
Create hunting rule

PUA.Win.Packer.PrivateEXEProtector4-6192998-2
Create hunting rule

Gathering data
Threat name:
Win32.Backdoor.Fynloski
Create hunting rule
Status:
Malicious
First seen:
2020-03-28 13:35:24 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
31 of 31 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qbxn5jw426v2kmspni6j6h47qtuaxlygm7tw2da6it767pagkwyq._file
Verdict:
malicious
Similar samples:
069c2e6f7dbaf794feb28bc32d90db33d030b6169c3a21133f5ad5cadf081c1b
DarkComet
0e659c7f42d4e96e05821b1df99216e5887904ada083fd61c6f77b9628a7890c
DarkComet
1ba1a86e6f5e0e1e2f1a596018465345a90822163264c05647e8155edb88ce64
DarkComet
389875d4c35ff8da276f122cb6b4ebd1b1d65ce5da5c05defefaf40c2609dbaf
DarkComet
4f8130693067523c153d09b000e48e744ca3b86388221a840349746ea6e561df
DarkComet
7e6dc9928e049d75cd726d8542b39cf46afef0cfd37c8dcb968ea618aedbb696
DarkComet
8ea8ef6c916a4559dde761c0373d4cd662af71e00140b6be6ddf38e3c2e38b76
DarkComet
a6184cc11ae5e53a2c52fc668690561b0ed9b7217e0ff7c0b236bce30fba1da3
DarkComet
ad5d194018074784d3a8ac9aa334d5b0b4c8ec9fe721ba7870ef054e29d4529d
DarkComet
bd5d3ebe6150f53c1535e1667a18bbd4831751a414e7518dc8e1d15a19db95b3
DarkComet
+ 1'019 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:RAT_DarkComet
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects DarkComet RAT
Reference:http://malwareconfig.com/stats/DarkComet
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_darkcomet_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_darkcomet_g0
Create hunting rule
Author:Kevin Breen / Jean-Philippe Teissier / botherder / Florian Roth / David Cannings / Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://pastebin.com/raw/RmPmm9sw

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::IsValidSid
MULTIMEDIA_APICan Play Multimediamsacm32.dll::acmStreamSize
AVICAP32.DLL::capGetDriverDescriptionA
winmm.dll::waveInOpen
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
URL_MONIKERS_APICan Download & Execute componentsURLMON.DLL::URLDownloadToFileA
WIN_BASE_APIUses Win Base APIntdll.dll::NtQuerySystemInformation
KERNEL32.DLL::LoadLibraryA
WIN_SOCK_APIUses Network to send and receive dataWS2_32.DLL::WSAIoctl

Comments