MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c143c0158b903f0d7df5d35a3bc10c9d7026cc3e6fe96a57053f0f602a0b2cee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkComet

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments

SHA256 hash:	c143c0158b903f0d7df5d35a3bc10c9d7026cc3e6fe96a57053f0f602a0b2cee
SHA3-384 hash:	b4306920653b86aa2e791c3f1f485e0d69aba6eb2e5ade58265a6300b35c4e9ee5a84aad5fd9cb08cb904ae5d61b26aa
SHA1 hash:	8e0f7b8c28e04ff2ea0007d4209a484903a3b6ac
MD5 hash:	ed84cf5a66eb0bdfb3f1cbf8327ec679
humanhash:	low-jig-carbon-queen
File name:	c143c0158b903f0d7df5d35a3bc10c9d7026cc3e6fe96a57053f0f602a0b2cee
Download:	download sample
Signature	DarkComet Create hunting rule
File size:	1'773'568 bytes
First seen:	2022-03-23 08:05:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a38ad86d74cafc45094a5085e33419e4 (109 x DarkComet, 1 x njrat)
ssdeep	49152:hiRnDfQLHnSgfpZk631Q4vW8D9QYfQXmEFwnMM46bR:hixoHSApZVe4vD9QXXmEi1xbR
Threatray	196 similar samples on MalwareBazaar
TLSH	T1E885233158849D65D46D78F9420AEEE802282D4B259376C63C35FFE3B272AD3ED5221F
File icon (PE):
dhash icon	811042809246358b (1 x DarkComet)
Reporter	JAMESWT_WT
Tags:	DarkComet exe

Intelligence

File Origin

# of uploads :

# of downloads :

465

Origin country :

n/a

Vendor Threat Intelligence

Detection:

DarkComet

Link:

https://www.capesandbox.com/analysis/255441/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Creating a file

Creating a file in the %temp% directory

Creating a process from a recently created file

Setting a keyboard event handler

Modifying a system executable file

Sending a custom TCP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

darkcomet packed remote.exe

Link:

https://www.filescan.io/uploads/623ad4fadfdfa8501cd2106d/reports/dd243162-237d-435c-948a-84404bca4eab/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DarkComet

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c4fd932b-3f36-4c88-9271-fa3d8e1306a8

Result

Threat name:

DarkComet

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/962760

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c143c0158b903f0d7df5d35a3bc10c9d7026cc3e6fe96a57053f0f602a0b2cee/

Threat name:

Win32.Backdoor.DarkComet

Status:

Malicious

First seen:

2022-03-15 20:57:16 UTC

File Type:

PE (Exe)

Extracted files:

138

AV detection:

41 of 42 (97.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yfb4afmlsa7q27pv2nndxqimtvycntb6n7uwuvyfh4hwakqlftxa._file

Verdict:

malicious

DarkComet

113936749f6b08da52458f7536043df7dc3da181b084db8240d441ddc3d7c02d

DarkComet

7eb160d254641cd57c9abbae458370718b989d6096f17c6888318a8ebb253853

DarkComet

856bcc47f2c9617ed7e2c5f702dc5cea6713713da600229b2db076d64f24dfdf

DarkComet

8ede23556115292a84dac51f8542b37e33bf621b963791cd77017c3263c31952

DarkComet

c60f851e1c3194fa5d7f6e8a71d9f8d9cad5b78072ec1e764d19345a3f877423

DarkComet

da0a4e16ef4baf46f27e666e9b4547cdf17eafad3caa235df6c29a52d3da8d0a

DarkComet

e8f040869e00b0d4dc00ddc6be5e0aaaaca6a700e16a1825592fc9924fee17e3

DarkComet

+ 186 additional samples on MalwareBazaar

Result

Malware family:

darkcomet

Score:

10/10

Tags:

family:darkcomet persistence rat trojan upx

Link:

https://tria.ge/reports/220323-jzgkbsedbq/

Behaviour

Enumerates system info in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Adds Run key to start application

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

UPX packed file

Darkcomet

Modifies WinLogon for persistence

Unpacked files

SH256 hash:

9a0adb59349154c7e3d4099a84256f4e4c0f14726bb996f5f5c810c2a7a6cda0

MD5 hash:

a6e2d27d48377299f09bb9d0a317c9ea

SHA1 hash:

4f1afebfaad70075108f475a3eed381bbf783c58

Detections:

win_darkcomet_g0

Link:

https://www.unpac.me/results/f689ea0f-6b2c-4ca8-a824-6171c114d666/

SH256 hash:

c143c0158b903f0d7df5d35a3bc10c9d7026cc3e6fe96a57053f0f602a0b2cee

MD5 hash:

ed84cf5a66eb0bdfb3f1cbf8327ec679

SHA1 hash:

8e0f7b8c28e04ff2ea0007d4209a484903a3b6ac

Detections:

win_darkcomet_g0

Link:

https://www.unpac.me/results/f689ea0f-6b2c-4ca8-a824-6171c114d666/

Malware family:

DarkComet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/c143c0158b90/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DarkComet

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c143c0158b903f0d7df5d35a3bc10c9d7026cc3e6fe96a57053f0f602a0b2cee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Intezer_Vaccine_DarkComet Create hunting rule
Author:	Intezer Labs
Description:	Automatic YARA vaccination rule created based on the file's genes
Reference:	https://analyze.intezer.com

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	Malware_QA_update_RID2DAD Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	MALWARE_Win_DarkComet Create hunting rule
Author:	ditekSHen
Description:	Detects DarkComet

Rule name:	ProjectM_DarkComet_1 Create hunting rule
Author:	Florian Roth
Description:	Detects ProjectM Malware
Reference:	http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/

Rule name:	ProjectM_DarkComet_1_RID2E9E Create hunting rule
Author:	Florian Roth
Description:	Detects ProjectM Malware
Reference:	http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/

Rule name:	RAT_DarkComet Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects DarkComet RAT
Reference:	http://malwareconfig.com/stats/DarkComet

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/255441/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample