MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9429ef640e67c9106bf05567d9a68b9600d2a78db68d95c86e38935639d70f4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkComet

Vendor detections: 14

Intelligence 14 IOCs YARA 8 File information Comments

SHA256 hash:	9429ef640e67c9106bf05567d9a68b9600d2a78db68d95c86e38935639d70f4a
SHA3-384 hash:	53b013a69f13c2162b35e47bbd0f9198c654afc96df662cb614fa76a0eb9d2dc3aa12c6e488792c83c24b27fd20ba6d2
SHA1 hash:	513f0873487f9d6cd99b90c5371f0c022d31f40d
MD5 hash:	d4d4a40d88061185f3f89414f7b2fd9a
humanhash:	massachusetts-snake-north-east
File name:	MSRSAAP.EXE
Download:	download sample
Signature	DarkComet Create hunting rule
File size:	673'792 bytes
First seen:	2022-04-23 19:31:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8033c11f8a2fdfc317e8655120579933 (8 x DarkComet)
ssdeep	12288:O9HMeUmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZKD/XdyFH:aiBIGkbxqEcjsWiDxguehC2S8
Threatray	198 similar samples on MalwareBazaar
TLSH	T196E48E31F2808837D9721A788C5B92E5943A7E202E39754B76E62F4C5F3D6C239263D7
TrID	20.2% (.EXE) Win32 Executable Delphi generic (14182/79/4) 18.7% (.SCR) Windows screen saver (13101/52/3) 15.0% (.EXE) Win64 Executable (generic) (10523/12/4) 14.2% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 9.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter	adm1n_usa32
Tags:	DarkComet DarkKomet exe RAT

Intelligence

File Origin

# of uploads :

# of downloads :

630

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

darkcomet

ID:

File name:

MSRSAAP.EXE

Verdict:

Malicious activity

Analysis date:

2022-04-23 19:29:41 UTC

Tags:

darkcomet

Link:

https://app.any.run/tasks/27192fbb-97a1-4440-b508-286290390455

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DarkComet

Link:

https://www.capesandbox.com/analysis/266095/

Detection(s):

PUA.Win.Packer.Exe-6

Win.Trojan.DarkKomet-1

Win.Trojan.Darkkomet-7113180-0

Win.Dropper.Zeus-9820070-0

Win.Trojan.Darkkomet-9857871-0

PUA.Win.Packer.PrivateEXEProtector4-6192998-2

Win.Trojan.Darkkomet-6745084-0

Win.Trojan.Vobfus-6875610-0

Win.Trojan.Agent-1242065

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Setting a keyboard event handler

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd.exe control.exe darkcomet darkkomet explorer.exe graybird greyware keylogger pontoeb rat remote.exe

Link:

https://www.filescan.io/uploads/626454396541a10d00a8c9b5/reports/282d25bd-125b-44e3-9a66-e52257773e27/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DarkComet

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/00ffcd54-4182-45a7-87ce-c5edd9add3d5

Result

Threat name:

Darkcomet

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/981901

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to log keystrokes

Contains functionalty to change the wallpaper

Detected Darkcomet RAT

Found evasive API chain (may stop execution after checking mutex)

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected DarkComet

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9429ef640e67c9106bf05567d9a68b9600d2a78db68d95c86e38935639d70f4a/

Threat name:

Win32.Backdoor.DarkComet

Status:

Malicious

First seen:

2019-05-11 01:41:24 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 26 (100.00%)

Threat level:

5/5

Verdict:

malicious

DarkComet

7118c3db49b6e9278fb34a7696089f4f44f3b8ae4cb85083af64ea2100c5e716

DarkComet

94ff10c934c9adb1ed0cae745ce47859abe48403d9cff5fd01bc34c10fabe4f0

DarkComet

b0eb4ce85592a82923a653f90e19f3827bbdf1a0ea1666e82701dde9a16edd6c

DarkComet

cee4e670f5caa5f4da865a0d00549f261382aa383c0debc1f7a4d0cd183ddd9e

DarkComet

f39cf76bea672912a70974a84cf6ce37188014dc1013ad00ad1fdefb8e7d9b15

DarkComet

+ 188 additional samples on MalwareBazaar

Result

Malware family:

darkcomet

Score:

10/10

Tags:

family:darkcomet botnet:guest16_min rat trojan

Link:

https://tria.ge/reports/220423-x8yf4aead5/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Darkcomet

Malware Config

C2 Extraction:

127.0.0.1:1604

Unpacked files

SH256 hash:

9429ef640e67c9106bf05567d9a68b9600d2a78db68d95c86e38935639d70f4a

MD5 hash:

d4d4a40d88061185f3f89414f7b2fd9a

SHA1 hash:

513f0873487f9d6cd99b90c5371f0c022d31f40d

Detections:

win_darkcomet_g0

win_darkcomet_auto

Link:

https://www.unpac.me/results/9e62422d-5c33-4224-a845-b1d724a1da55/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DarkComet

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9429ef640e67c9106bf05567d9a68b9600d2a78db68d95c86e38935639d70f4a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Intezer_Vaccine_DarkComet Create hunting rule
Author:	Intezer Labs
Description:	Automatic YARA vaccination rule created based on the file's genes
Reference:	https://analyze.intezer.com

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	Malware_QA_update_RID2DAD Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	MALWARE_Win_DarkComet Create hunting rule
Author:	ditekSHen
Description:	Detects DarkComet

Rule name:	myGozi Create hunting rule

Rule name:	pdb2 Create hunting rule

Rule name:	RAT_DarkComet Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects DarkComet RAT
Reference:	http://malwareconfig.com/stats/DarkComet

Rule name:	win_darkcomet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/27192fbb-97a1-4440-b508-286290390455

Cape

https://www.capesandbox.com/analysis/266095/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample