MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9343339fadfe0f62d6fd46c6131ed9fdf01978d817192984e69a8bbecfb406d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9343339fadfe0f62d6fd46c6131ed9fdf01978d817192984e69a8bbecfb406d2
SHA3-384 hash: 88e17aab08a3488f6848179e3eeb8174b1d7b78c4764d32d56832fdbe89838b39f9cd8144da4096f44c81c96066e39a6
SHA1 hash: b01ec370b3571d70a2d111f35d5514cc7a18d422
MD5 hash: 34960f869aa933675a70c0c7c17addfe
humanhash: fanta-mango-vegan-undress
File name:gfrhtdrfhdfgh.exe
Download: download sample
Signature DarkComet
Create hunting rule
File size:673'280 bytes
First seen:2022-09-18 15:46:38 UTC
Last seen:2022-09-18 15:48:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e5b4359a3773764a372173074ae9b6bd (60 x DarkComet, 2 x njrat, 1 x NanoCore)
ssdeep 12288:G9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h:iZ1xuVVjfFoynPaVBUR8f+kN10EB
Threatray 250 similar samples on MalwareBazaar
TLSH T18BE48E31F1808837D97219789C5F92E6982A7E202E39754B3AE62F4C5F3D6C239193D7
TrID 20.2% (.EXE) Win32 Executable Delphi generic (14182/79/4)
18.7% (.SCR) Windows screen saver (13101/52/3)
15.0% (.EXE) Win64 Executable (generic) (10523/12/4)
14.2% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
9.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter amogos123512
Tags:DarkComet exe Virus


Avatar
amogos123512
ftrgjrtdhgdfg

Intelligence

File Origin
# of uploads :
2
# of downloads :
563
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2_5258383010872428889.exe
Verdict:
No threats detected
Analysis date:
2020-04-21 12:48:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/639dffbf-b94b-4d03-8720-43653088dc09

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311101/
Detection(s):
Win.Trojan.DarkKomet-1
Create hunting rule

PUA.Win.Packer.Exe-6
Create hunting rule

Win.Malware.Agent-6396039-0
Create hunting rule

Win.Trojan.Darkkomet-7113180-0
Create hunting rule

Win.Trojan.Barys-9799359-0
Create hunting rule

Win.Dropper.Zeus-9820070-0
Create hunting rule

Win.Dropper.Darkkomet-9857869-0
Create hunting rule

Win.Trojan.Darkkomet-9857871-0
Create hunting rule

Win.Malware.Darkkomet-9857872-0
Create hunting rule

PUA.Win.Packer.PrivateEXEProtector4-6192998-2
Create hunting rule

Win.Trojan.Darkkomet-6745084-0
Create hunting rule

Win.Trojan.Vobfus-6875610-0
Create hunting rule

Win.Trojan.Fynloski-40
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
67%
Tags:
anti-vm darkcomet darkkomet explorer.exe fingerprint graybird greyware keylogger rat shell32.dll virus windows
Link:
https://www.filescan.io/uploads/63273d7e1183046074b079d7/reports/5438dd3c-f06c-40cc-a790-e7ca90b45b02/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkComet
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1c4b4530-ae43-4192-9651-e912b8b92c5f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.rans.spyw.
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/30828
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9343339fadfe0f62d6fd46c6131ed9fdf01978d817192984e69a8bbecfb406d2/
Threat name:
Win32.Backdoor.Fynloski
Create hunting rule
Status:
Malicious
First seen:
2012-06-09 12:13:00 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
31 of 31 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=snbthh5n7yhwfvx5i3dbghwz7xybs6gyc4mstbhgtkf35t5ua3ja._file
Verdict:
malicious
Similar samples:
288e97d97b9708e5c4d7a57b04ce9fc5b852e75c1945ad5378562d810a2f52af
DarkComet
94ff10c934c9adb1ed0cae745ce47859abe48403d9cff5fd01bc34c10fabe4f0
DarkComet
c7786e3cb22e7a6794d63cd9858ac55429f2bc4942769bcc94ded89ca4f9f0fa
DarkComet
daf01c5114ac5dd2e6a52d4ce4174e19482ed9f4d0409d734bc3c39a29f48497
DarkComet
f848632cde166bb8288dfc4478c0b76c9026880d8fbb272e9ea91fdbc4ed6b65
DarkComet
fa4b3d8ef845584fe46759cc00c0dd7bd1c2d99e228ed888c6f1d275f52a288a
DarkComet
+ 240 additional samples on MalwareBazaar
Result
Malware family:
darkcomet
Create hunting rule
Score:
  10/10
Tags:
family:darkcomet
Link:
https://tria.ge/reports/220918-s77k6abdg5/
Behaviour
Suspicious use of AdjustPrivilegeToken
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/62f1f5f4-f5d2-4219-870f-a739dc33cea9
Unpacked files
SH256 hash:
9343339fadfe0f62d6fd46c6131ed9fdf01978d817192984e69a8bbecfb406d2
MD5 hash:
34960f869aa933675a70c0c7c17addfe
SHA1 hash:
b01ec370b3571d70a2d111f35d5514cc7a18d422
Detections:
win_darkcomet_a0
Create hunting rule
win_darkcomet_auto
Create hunting rule
win_darkcomet_g0
Create hunting rule
Link:
https://www.unpac.me/results/11b86d2e-387d-40af-908d-478c71d69b11/
Parent samples :
55788187a18d12723bbba31b170c83008999a405625ea9f5525d6f655ad2d565
27db51f010cd9e7f83daf474ba1d78022cf61704fe114552a98d464b08383b38
9343339fadfe0f62d6fd46c6131ed9fdf01978d817192984e69a8bbecfb406d2
8df919d13e79c80c26053c7aa529fc3a0b49c0db77f957b38c49e80e9ffb53a4
Malware family:
DarkComet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9343339fadfe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkComet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9343339fadfe0f62d6fd46c6131ed9fdf01978d817192984e69a8bbecfb406d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Intezer_Vaccine_DarkComet
Create hunting rule
Author:Intezer Labs
Description:Automatic YARA vaccination rule created based on the file's genes
Reference:https://analyze.intezer.com
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:Malware_QA_update_RID2DAD
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:MALWARE_Win_DarkComet
Create hunting rule
Author:ditekSHen
Description:Detects DarkComet
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RAT_DarkComet
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects DarkComet RAT
Reference:http://malwareconfig.com/stats/DarkComet
Rule name:win_darkcomet_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/311101/

Comments