MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0369aa99d731d2de260bc63b6c4f85d997eb189155c362df478d8f5afaa655b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0369aa99d731d2de260bc63b6c4f85d997eb189155c362df478d8f5afaa655b0
SHA3-384 hash: 99e635dc5d1d145a2d07654a01dd4fd2c301d8ec05f193619c6c099245ceddc230fad3b5f7c1b491e15b4fc8f38d3158
SHA1 hash: ecd35fc7cebedd8017cbd2563dacc98171c8d9f3
MD5 hash: 74a0ed2afef62f8ef0db7a7efcd8501a
humanhash: princess-pip-thirteen-oranges
File name:555-999-6780000000000000008-8888-999-1111-2220.scr
Download: download sample
Signature DarkComet
Create hunting rule
File size:1'032'192 bytes
First seen:2022-09-13 06:21:03 UTC
Last seen:2022-09-13 06:55:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:KV0hlKn5rjbbMwt+gG3aBO04LuP0bU7myvZd:KV0c5rnbMSBOqR79
Threatray 4'464 similar samples on MalwareBazaar
TLSH T14325027F381BAE1ED1A28F7F05F138B8E59B48097C4C6D05F4749D06687D822CB1DA89
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon cbc1a6ceded6c1c8 (2 x SnakeKeylogger, 1 x DarkComet)
Reporter lowmal3
Tags:DarkComet exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
286
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
555-999-6780000000000000008-8888-999-1111-2220.scr
Verdict:
Malicious activity
Analysis date:
2022-09-13 06:38:53 UTC
Tags:
evasion trojan snake
Link:
https://app.any.run/tasks/d2726194-811f-40b7-9032-ab86a3e40936

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/309610/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.27531.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/632021dad06d9bc4c7c13536/reports/c861af8d-7a96-490d-a9dc-bf4f103cafba/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d95e7f26-7cb6-4d2a-ad02-1a277025a353
Result
Threat name:
AsyncRAT, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1069251
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AsyncRAT
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 701781 Sample: 555-999-6780000000000000008... Startdate: 13/09/2022 Architecture: WINDOWS Score: 100 62 Snort IDS alert for network traffic 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Antivirus detection for URL or domain 2->66 68 11 other signatures 2->68 9 555-999-6780000000000000008-8888-999-1111-2220.scr.exe 1 7 2->9         started        13 Pbkcroth.exe 3 2->13         started        15 Pbkcroth.exe 2->15         started        17 Synaptics.exe 2->17         started        process3 file4 52 C:\Users\user\AppData\...\Pbkcroth.exe, PE32 9->52 dropped 54 C:\Users\...\Pbkcroth.exe:Zone.Identifier, ASCII 9->54 dropped 56 555-999-6780000000...11-2220.scr.exe.log, ASCII 9->56 dropped 70 Encrypted powershell cmdline option found 9->70 72 Injects a PE file into a foreign processes 9->72 19 555-999-6780000000000000008-8888-999-1111-2220.scr.exe 1 5 9->19         started        22 powershell.exe 16 9->22         started        24 555-999-6780000000000000008-8888-999-1111-2220.scr.exe 9->24         started        74 Antivirus detection for dropped file 13->74 76 Machine Learning detection for dropped file 13->76 26 powershell.exe 13->26         started        28 powershell.exe 15->28         started        signatures5 process6 file7 46 ._cache_555-999-67...9-1111-2220.scr.exe, PE32 19->46 dropped 48 C:\ProgramData\Synaptics\Synaptics.exe, PE32 19->48 dropped 50 C:\...\Synaptics.exe:Zone.Identifier, ASCII 19->50 dropped 30 ._cache_555-999-6780000000000000008-8888-999-1111-2220.scr.exe 15 2 19->30         started        34 Synaptics.exe 3 19->34         started        36 conhost.exe 22->36         started        38 conhost.exe 26->38         started        40 conhost.exe 28->40         started        process8 dnsIp9 58 checkip.dyndns.com 132.226.247.73, 49738, 80 UTMEMUS United States 30->58 60 checkip.dyndns.org 30->60 78 Antivirus detection for dropped file 30->78 80 May check the online IP address of the machine 30->80 82 Tries to steal Mail credentials (via file / registry access) 30->82 88 2 other signatures 30->88 84 Machine Learning detection for dropped file 34->84 86 Encrypted powershell cmdline option found 34->86 42 powershell.exe 34->42         started        signatures10 process11 process12 44 conhost.exe 42->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0369aa99d731d2de260bc63b6c4f85d997eb189155c362df478d8f5afaa655b0/
Threat name:
ByteCode-MSIL.Trojan.APost
Create hunting rule
Status:
Malicious
First seen:
2022-09-13 06:22:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=anu2vgoxghjn4jqlyy5wyt4f3gl6wgerkxbwfx2hrwhvv6vgkwya._file
Verdict:
malicious
Similar samples:
2411d42daf12a01f127bd3bd9df51b1de96435ac11e0a44dee28e174e3c4bd65
DarkComet
4120f6c802618447ffaf9e7ecbf4a234bb031602e601418be74eacadd90accd0
DarkComet
458787a4edcc3d5b67ad7cbe721addd3879872d25c90f9399984e02a9038b9c1
DarkComet
5ff2763a7af9c5e8d274be89a3df9e75d9a0b281878def38c44085395178f01e
DarkComet
6b99b3a146c21a844705bd2c824a03a63d77163b50c22fcfabc6df9a7a0fe2ca
DarkComet
7110059a2bb0e2b4e6ee39ff235c283864152200d0daca4fb123f3b7c7315095
DarkComet
addaf10bbef45a2bb941b2b984ecb26656e4554bbd7adc2baf6e14451b296918
DarkComet
cf3d069794498e9ee621651afdc6823dd2b076789af668f296f7ff9a233d1c3d
DarkComet
f954f5ad26b3efdfe4607fa4b0ff25fb82f7284490b283e2fda53b911e88094e
DarkComet
+ 4'454 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger persistence spyware stealer
Link:
https://tria.ge/reports/220913-g4dccseha7/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Snake Keylogger
Snake Keylogger payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5335728373:AAE0XSYzSQbblHhLHkfzUBSGGlJlBP1LGLA/sendMessage?chat_id=5563565662
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b8c111f0-91c5-4fb0-aa95-30dea09f1386
Unpacked files
SH256 hash:
7d8e33f08e58b2263d9a2ed8334680f755e4fa04f5de1a01d81a60b445084a51
MD5 hash:
786aa6f5a7d970aa36e37699c062d4ca
SHA1 hash:
cdcf9ca6ea05cd069549f22c0f6c5b24df7e4002
Link:
https://www.unpac.me/results/75718f3f-6eac-4951-8119-37bd79a48cd1/
SH256 hash:
efd94e585c0d2a3d4783df7461c558d2d216c287c3901bb63627f9ccdf3c594a
MD5 hash:
1768123388a4c8a00e2168885f191ffa
SHA1 hash:
f7787f4ca2cfa71599f4ede22ca754fbcd1e5a3a
Link:
https://www.unpac.me/results/75718f3f-6eac-4951-8119-37bd79a48cd1/
SH256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
Link:
https://www.unpac.me/results/75718f3f-6eac-4951-8119-37bd79a48cd1/
SH256 hash:
6f2118adbc39fa34e89c6fd85460707a72735f35ee2c115a5116c815fcf71add
MD5 hash:
6a9dfa4493fd0c219e81e09eb6df031e
SHA1 hash:
b3b27296d3b455cdf092256741729cd6e9995edc
Link:
https://www.unpac.me/results/75718f3f-6eac-4951-8119-37bd79a48cd1/
SH256 hash:
f5913f0a24c30c3ec43682cdb19676a283bdd4b2bbfb15493b1178447cf31786
MD5 hash:
2e9840dd26611dfb8830bab125e8a269
SHA1 hash:
66f29dd66213dedbd875b50548ef2c462d388d2a
Link:
https://www.unpac.me/results/75718f3f-6eac-4951-8119-37bd79a48cd1/
SH256 hash:
0369aa99d731d2de260bc63b6c4f85d997eb189155c362df478d8f5afaa655b0
MD5 hash:
74a0ed2afef62f8ef0db7a7efcd8501a
SHA1 hash:
ecd35fc7cebedd8017cbd2563dacc98171c8d9f3
Link:
https://www.unpac.me/results/75718f3f-6eac-4951-8119-37bd79a48cd1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0369aa99d731d2de260bc63b6c4f85d997eb189155c362df478d8f5afaa655b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:RansomwareTest3
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkComet

Executable exe 0369aa99d731d2de260bc63b6c4f85d997eb189155c362df478d8f5afaa655b0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/309610/

Comments