MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6edf54375a14314aa44db9fe8cdd48368338e7ed873f25ba2a6a5ff4381d233. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkComet

Vendor detections: 10


SHA256 hash: e6edf54375a14314aa44db9fe8cdd48368338e7ed873f25ba2a6a5ff4381d233
SHA3-384 hash: 4ebbe9e20de70ae94a6442dca4ee1d0c3b5ff7d3675bfeaced3f226cea9a70e6f762ee1d1a9b3b3be97567090bd074cc
SHA1 hash: 67c825ca6d8f430fdfc4cbca78c442600db7ccf0
MD5 hash: 800b9d7f3a47c5a18da78cb6a54f90be
humanhash: emma-table-oven-louisiana
File name: Payment Confirmation.exe
Signature: DarkComet
File size: 909'312 bytes
First seen: 2021-02-23 06:58:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d9b63245519b223a1f7026d72643602b
ssdeep: 12288:c1N7GYtRi6Hczy4QufM4zr9H7NH8rxRYAjjUIPg:c7wzyxuU4zZbNM1jUIPg
Threatray: 92 similar samples on MalwareBazaar
TLSH: AD15C5037AD5FBE6D589D4F024A4C16A16663C3325B05D437ADEAB839B2C1C3ACB9743
Reporter: @abuse_ch
Tags: DarkComet exe nVpn RAT

Twitter: @abuse_ch
Malspam distributing DarkComet:

HELO: mail2.vtigress.com
Sending IP: 183.82.99.119
From: Basudeb Pan <test@vtigress.com>
Subject: Payment Acknowledgement Is Attached
Attachment: Payment Confirmation.zip (contains "Payment Confirmation.exe")

Intelligence

File Origin
# of uploads: 1
# of downloads: 53
Origin country: US

Mail intelligence
Geo location: Global
Volume: Low

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Sending a UDP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Connection attempt to an infection source
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: DarkComet
Detection: malicious
Classification: rans.troj.adwa.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes
Contains functionality to register a low level keyboard hook
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Potential malicious icon found
Uses dynamic DNS services
Yara detected DarkComet
Behaviour
Behavior Graph (ID: 356448; sample: Payment Confirmation.exe; start date: 23/02/2021; architecture: WINDOWS; score: 100). Recoverable graph content: Payment Confirmation.exe drops C:\Users\user\AppData\Roaming\...\cvcvsdf.exe (PE32) and starts cvcvsdf.exe, which injects a PE file into a foreign process and spawns further cvcvsdf.exe instances; the final instance resolves martinboss.ddns.net (79.134.225.30, ports 49722, 49725, 49726; FINK-TELECOM-SERVICES, Switzerland) and also contacts 192.168.2.1. Graph signatures: Potential malicious icon found; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 13 other signatures.
Threat name: Win32.Backdoor.DarkComet
Status: Malicious
First seen: 2021-02-23 06:59:15 UTC
AV detection: 24 of 47 (51.06%)
Threat level: 5/5

Result
Malware family: darkcomet
Score: 10/10
Tags: family:darkcomet rat trojan upx
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
UPX packed file
Darkcomet
Unpacked files
SHA256 hash: e6edf54375a14314aa44db9fe8cdd48368338e7ed873f25ba2a6a5ff4381d233
MD5 hash: 800b9d7f3a47c5a18da78cb6a54f90be
SHA1 hash: 67c825ca6d8f430fdfc4cbca78c442600db7ccf0
Threat name: DarkComet
Score: 1.00

Yara Signatures

Rule name: IPPort_combo_mem
Author: James_inthe_box
Description: IP and port combo

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: Malware_QA_update
Author: Florian Roth
Description: VT Research QA uploaded malware - file update.exe
Reference: VT Research QA

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: RAT_DarkComet
Author: Kevin Breen <kevin@techanarchy.net>
Description: Detects DarkComet RAT
Reference: http://malwareconfig.com/stats/DarkComet

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: upx_packed
Description: UPX packed file

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: DarkComet, Executable exe e6edf54375a14314aa44db9fe8cdd48368338e7ed873f25ba2a6a5ff4381d233 (this sample)
Delivery method: Distributed via e-mail attachment
