MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0988c85492437167f5cef3d98c7313ac4c15ca9c765b89261fad0622bf61622f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkComet

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	0988c85492437167f5cef3d98c7313ac4c15ca9c765b89261fad0622bf61622f
SHA3-384 hash:	7019e86c158a289fccc46a20edc50c41db11492e38dcf7d47f61ab9c47d253fe778d1e041fe621267f0def103d541710
SHA1 hash:	1872815154485c5f9af9cc93678bfa0da049d057
MD5 hash:	62a68863c4cc45f3044a82468175e2d8
humanhash:	ten-fruit-mississippi-angel
File name:	Payment 761.exe
Download:	download sample
Signature	DarkComet Create hunting rule
File size:	3'178'496 bytes
First seen:	2021-02-16 06:23:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep	49152:CIR1yJ3hqeZvnU7z7WkSYNYIPjtYvo3SUwRip:CJ5XdMz7WkSYNYIrqg1wRi
Threatray	93 similar samples on MalwareBazaar
TLSH	72E56DA2A409B1CBD4CA1B74866BCD416DDD03B84B1C6CCB986CB47E7EA3DC019BDD64
Reporter	abuse_ch
Tags:	DarkComet exe RAT Yahoo

abuse_ch

Malspam distributing DarkComet:

HELO: sonic306-3.consmr.mail.bf2.yahoo.com
Sending IP: 74.6.132.42
From: williamsgreens79@yahoo.com <williamsgreens79@yahoo.com>
Subject: Payment
Attachment: Payment 761.zip (contains "Payment 761.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

804

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/117287/

Detection(s):

SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Adding an access-denied ACE

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Launching a process

DNS request

Sending a TCP request to an infection source

Enabling autorun

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

DarkComet

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/608618

Signature

Allocates memory in foreign processes

Creates an undocumented autostart registry key

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

PE file contains section with special chars

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected DarkComet

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0988c85492437167f5cef3d98c7313ac4c15ca9c765b89261fad0622bf61622f/

Threat name:

Win32.Packed.Themida

Status:

Malicious

First seen:

2021-02-16 06:24:09 UTC

AV detection:

15 of 47 (31.91%)

Threat level:

1/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bgemqvesinywp5oo6pmyy4ytvrgblsu4oznysjq7vudcfp3bmixq._file

Verdict:

malicious

DarkComet

2d631fe6c1c02c67198648c5f7ae1891262bf277721f664bd6c8ffb0e7d6a681

DarkComet

30e374185ded5944c1ff0b2150cdaf2af9decb76a41089351cd21db2c3d1afae

DarkComet

49771de8bcea44c22d54d1eebc9f05ff0d33f66355fbf9dd77e7e891cd062bcc

DarkComet

78b5af812d3f9f4aa0b6c8b1840c42a15cc9938e8926f933d51eebc205645da6

DarkComet

9986d7d421e26cce5a64a65a7f72b757043cbe7dfe2dd0b32f66d25203922415

DarkComet

a2f0a1d469d73a11c69afc9eb12000fa7f7652305d936a10d12dabce693f878b

DarkComet

a95255b520f721b807650a1de5feeefab46054029386cd0ce57c81daa3ac0248

DarkComet

ada1c5359c35e6b70c5a2d5533f9d725f86a1e155c8486bfd2941c9b40478ea2

DarkComet

b0c5153cf37bc26d5845c41dd969822cfc272186c49f0b447060259787bf024a

DarkComet

+ 83 additional samples on MalwareBazaar

Result

Malware family:

darkcomet

Score:

10/10

Tags:

family:darkcomet evasion persistence rat trojan

Link:

https://tria.ge/reports/210216-trby2w69hn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks BIOS information in registry

Identifies Wine through registry keys

Uses the VBS compiler for execution

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Darkcomet

Modifies WinLogon for persistence

Unpacked files

SH256 hash:

d107f6b17c81ade79b5f86434727bc768aec244b9452146928b4b7537abba2ba

MD5 hash:

e0283afa6e7187d951d9421185d58120

SHA1 hash:

dc334591300815f900cf65a422369cadb66aa325

Link:

https://www.unpac.me/results/d142f51c-87b1-45e7-b8b6-13beade81ded/

SH256 hash:

176a6a1985b864d02da7dd87f7664cd2f8d501d6f9830aae76d45d1504cd7eb2

MD5 hash:

df37215be791e2a1362f28d3f51b7a81

SHA1 hash:

d87b2b7424e3514c1848d1a36f7b1c894b28f182

Detections:

win_darkcomet_g0

win_darkcomet_auto

Link:

https://www.unpac.me/results/d142f51c-87b1-45e7-b8b6-13beade81ded/

SH256 hash:

0988c85492437167f5cef3d98c7313ac4c15ca9c765b89261fad0622bf61622f

MD5 hash:

62a68863c4cc45f3044a82468175e2d8

SHA1 hash:

1872815154485c5f9af9cc93678bfa0da049d057

Link:

https://www.unpac.me/results/d142f51c-87b1-45e7-b8b6-13beade81ded/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DarkComet

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0988c85492437167f5cef3d98c7313ac4c15ca9c765b89261fad0622bf61622f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Intezer_Vaccine_DarkComet Create hunting rule
Author:	Intezer Labs
Description:	Automatic YARA vaccination rule created based on the file's genes
Reference:	https://analyze.intezer.com

Rule name:	IPPort_combo_mem Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	RAT_DarkComet Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects DarkComet RAT
Reference:	http://malwareconfig.com/stats/DarkComet

Rule name:	win_darkcomet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator