MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90d3dbe2c8ae46b970a865f597d091688e7c04c7886a1ec287e4b7a0f5e2fcf1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkComet


Vendor detections: 20



SHA256 hash: 90d3dbe2c8ae46b970a865f597d091688e7c04c7886a1ec287e4b7a0f5e2fcf1
SHA3-384 hash: 635280596a661811daf3966635497a46147452b0067e8a4a194b2c99fb434cf7fe5b2cb8bedf70f30f3e5e6fcf532fbd
SHA1 hash: 0dd8c542fd46dd5b55eefcf35382ee8903533703
MD5 hash: 1b540a732f2d75c895e034c56813676a
humanhash: twenty-winner-avocado-jupiter
File name: jPWRwWFD.exe
Signature DarkComet
File size: 674'816 bytes
First seen: 2024-09-09 19:02:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 9d617e643d715888a08eb0e79581244c (8 x DarkComet)
ssdeep 12288:C9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9EkNC/C:uZ1xuVVjfFoynPaVBUR8f+kN10Ed
Threatray 328 similar samples on MalwareBazaar
TLSH T1D3E46D31F5808837DD721A789C5B81E698267E212E39754B3BE62F0C5F3D6C2391A2D7
TrID 51.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
9.4% (.EXE) Win64 Executable (generic) (10523/12/4)
8.9% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika pebin
Reporter pmelson
Tags: DarkComet exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 491
Origin country: US

Vendor Threat Intelligence
Malware family: darkcomet
ID: 1
File name: jPWRwWFD.exe
Verdict: Malicious activity
Analysis date: 2024-09-09 19:05:11 UTC
Tags: darkcomet

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: Execution Infostealer Network Stealth Trojan
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a window
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm borland_delphi darkcomet evasive explorer fingerprint keylogger lolbin rat remote shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DarkComet
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Drops PE files to the document folder of the user
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected DarkComet
Behaviour
Behavior Graph (ID 1508215; sample jPWRwWFD.exe; start date 09/09/2024; architecture WINDOWS; score 100):
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 4 other signatures. DNS: 8.tcp.eu.ngrok.io.
jPWRwWFD.exe (started): drops C:\Users\user\Documents\MSDCSC\msdcsc.exe (PE32) and C:\Users\user\...\msdcsc.exe:Zone.Identifier (ASCII); Drops PE files to the document folder of the user; Creates an undocumented autostart registry key; starts msdcsc.exe and two instances of cmd.exe.
msdcsc.exe (started from jPWRwWFD.exe): contacts 8.tcp.eu.ngrok.io (52.59.102.101, ports 27791 and 49699, AMAZON-02, United States); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 4 other signatures; starts notepad.exe.
cmd.exe (two instances): Uses cmd line tools excessively to alter registry or file data; each starts conhost.exe and attrib.exe.
Two further msdcsc.exe instances are started at the top level.
Threat name: Win32.Backdoor.Fynloski
Status: Malicious
First seen: 2024-09-09 19:03:05 UTC
File Type: PE (Exe)
Extracted files: 15
AV detection: 37 of 38 (97.37%)
Threat level: 5/5
Result
Malware family: darkcomet
Score: 10/10
Tags: family:darkcomet botnet:sazan discovery evasion persistence rat trojan
Behaviour
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Sets file to hidden
Darkcomet
Modifies WinLogon for persistence
Malware Config
C2 Extraction: 8.tcp.eu.ngrok.io:27791
Unpacked files
SHA256 hash: 90d3dbe2c8ae46b970a865f597d091688e7c04c7886a1ec287e4b7a0f5e2fcf1
MD5 hash: 1b540a732f2d75c895e034c56813676a
SHA1 hash: 0dd8c542fd46dd5b55eefcf35382ee8903533703
Detections: win_darkcomet_auto win_darkcomet_a0 win_darkcomet_g0 RAT_DarkComet Malware_QA_update
Malware family: DarkComet
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: DarkComet
File: Executable exe 90d3dbe2c8ae46b970a865f597d091688e7c04c7886a1ec287e4b7a0f5e2fcf1 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                   Title                                                      Severity
CHECK_AUTHENTICODE   Missing Authenticode                                       high
CHECK_NX             Missing Non-Executable Memory Protection                   critical
CHECK_PIE            Missing Position-Independent Executable (PIE) Protection   high
Reviews
ID (Capabilities): Evidence

AUTH_API (Manipulates User Authorization):
  advapi32.dll::GetSidSubAuthorityCount
  advapi32.dll::GetSidSubAuthority
  advapi32.dll::IsValidSid
COM_BASE_API (Can Download & Execute components):
  ole32.dll::CLSIDFromProgID
  ole32.dll::CoCreateInstance
GDI_PLUS_API (Interfaces with Graphics):
  gdiplus.dll::GdiplusStartup
  gdiplus.dll::GdiplusShutdown
  gdiplus.dll::GdipGetImageEncoders
  gdiplus.dll::GdipGetImageEncodersSize
  gdiplus.dll::GdipDeleteGraphics
  gdiplus.dll::GdipAlloc
MULTIMEDIA_API (Can Play Multimedia):
  msacm32.dll::acmStreamClose
  msacm32.dll::acmStreamConvert
  msacm32.dll::acmStreamOpen
  msacm32.dll::acmStreamPrepareHeader
  msacm32.dll::acmStreamReset
  msacm32.dll::acmStreamSize
NET_SHARE_API (Can access Network Share):
  netapi32.dll::NetShareEnum
  netapi32.dll::NetShareGetInfo
SECURITY_BASE_API (Uses Security Base API):
  advapi32.dll::AdjustTokenPrivileges
  advapi32.dll::GetSidIdentifierAuthority
  advapi32.dll::GetTokenInformation
SHELL_API (Manipulates System Shell):
  shell32.dll::ShellExecuteExA
  shell32.dll::ShellExecuteA
  shell32.dll::SHFileOperationA
  shell32.dll::SHGetFileInfoA
URL_MONIKERS_API (Can Download & Execute components):
  URLMON.DLL::URLDownloadToFileA
WIN32_PROCESS_API (Can Create Process and Threads):
  KERNEL32.DLL::CreateRemoteThread
  KERNEL32.DLL::CreateProcessA
  KERNEL32.DLL::OpenProcess
  advapi32.dll::OpenProcessToken
  advapi32.dll::OpenThreadToken
  KERNEL32.DLL::VirtualAllocEx
WIN_BASE_API (Uses Win Base API):
  KERNEL32.DLL::TerminateProcess
  ntdll.dll::NtQuerySystemInformation
  KERNEL32.DLL::LoadLibraryA
  KERNEL32.DLL::LoadLibraryExA
  KERNEL32.DLL::GetDriveTypeA
  KERNEL32.DLL::GetVolumeInformationA
WIN_BASE_EXEC_API (Can Execute other programs):
  KERNEL32.DLL::WinExec
WIN_BASE_IO_API (Can Create Files):
  KERNEL32.DLL::CopyFileA
  KERNEL32.DLL::CreateDirectoryA
  KERNEL32.DLL::CreateFileMappingA
  KERNEL32.DLL::CreateFileA
  KERNEL32.DLL::DeleteFileA
  KERNEL32.DLL::MoveFileA
WIN_BASE_USER_API (Retrieves Account Information):
  KERNEL32.DLL::GetComputerNameA
  advapi32.dll::GetUserNameA
  advapi32.dll::LookupAccountSidA
  advapi32.dll::LookupPrivilegeDisplayNameA
  advapi32.dll::LookupPrivilegeNameA
  advapi32.dll::LookupPrivilegeValueA
WIN_REG_API (Can Manipulate Windows Registry):
  advapi32.dll::RegCreateKeyExA
  advapi32.dll::RegCreateKeyA
  advapi32.dll::RegDeleteKeyA
  advapi32.dll::RegOpenKeyExA
  advapi32.dll::RegOpenKeyA
  advapi32.dll::RegQueryInfoKeyA
WIN_SOCK_API (Uses Network to send and receive data):
  WS2_32.DLL::WSAIoctl
WIN_SVC_API (Can Manipulate Windows Services):
  advapi32.dll::ControlService
  advapi32.dll::CreateServiceA
  advapi32.dll::OpenSCManagerA
  advapi32.dll::OpenServiceA
  advapi32.dll::QueryServiceStatus
  advapi32.dll::StartServiceA
WIN_USER_API (Performs GUI Actions):
  user32.dll::ActivateKeyboardLayout
  user32.dll::CreateMenu
  user32.dll::EmptyClipboard
  user32.dll::FindWindowExA
  user32.dll::FindWindowA
  user32.dll::LockWorkStation

Comments