MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 136eddfd86a8ee4a6e6c8ed4d82bc78e795e5f02ff5e347dd95893a9b011222f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 136eddfd86a8ee4a6e6c8ed4d82bc78e795e5f02ff5e347dd95893a9b011222f
SHA3-384 hash: 6c92acdff967b5852d54008cea3bddf0a07c6a465ccd017fa9ab60b52480f6bd2bece641bb38475c737f7159b8c4800b
SHA1 hash: bbc4d5e90346af2ec03f7ec4af33a728108818a3
MD5 hash: 90f1582eb4aa8c5db832919e5e475fc5
humanhash: sweet-twelve-montana-blossom
File name:Payment 831.exe
Download: download sample
Signature DarkComet
Create hunting rule
File size:2'157'568 bytes
First seen:2021-04-04 06:36:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 49152:1qSZ6qrHHgTL9gT8Xo0ncXPjXU8oII0QVJuQT+T5gki5i2K7a27aqJ:hAqrg168YX/o8Q/uQT+FgkE1wGqJ
Threatray 70 similar samples on MalwareBazaar
TLSH 1EA5D0F12276C1C3E1EE8CB11FDE8970B4F239ADD4D8339D60D46B299292794609D2F9
Reporter abuse_ch
Tags:DarkComet exe RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'237
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132061/
Detection(s):
SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Adding an access-denied ACE
Modifying a system executable file
Launching a process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkComet
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d58608ea-931c-40da-8603-3217c2af4b5c
Result
Threat name:
DarkComet
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/665486
Signature
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
PE file contains section with special chars
Sample uses process hollowing technique
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected DarkComet
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/136eddfd86a8ee4a6e6c8ed4d82bc78e795e5f02ff5e347dd95893a9b011222f/
Threat name:
Win32.Adware.DownloadHelper
Create hunting rule
Status:
Malicious
First seen:
2021-04-04 06:37:06 UTC
AV detection:
13 of 48 (27.08%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cnxn37mgvdxeu3tmr3knqk6hrz4v4xyc75pdi7ozlcj2tmareixq._file
Verdict:
malicious
Similar samples:
1152ad4f134a02f655fec1452a7b2485c1ae7993544926050701627e8e00594f
DarkComet
1ba569c631438a0fb356441838ff328835d607e7cdb217cc444923c1ec58337b
DarkComet
36f82bc3bcd30f18bb210cd10881cfe13e9a22e06e26930828bb6c8a951bfafe
DarkComet
38b951946943714900dc29bb01ce025a84e0f52f095e2901e74a509b9499f2c6
DarkComet
8e76055823664f0cabcd8fdd17ccdef01f0dcc584346b59d8c0dfbfefa547ab2
DarkComet
997e83ecf17b2ea03da19ee8897457445263f9a6daecc750b6430f952fe0e60c
DarkComet
9e4ef8eeb8d7eeab54ac5d61c175c32c82a9b7f4e6a28b1b776e789edffcfbbb
DarkComet
b99887f1364955d2872bedadab15a15a51429ec8aeb111859d50e24a9fd31342
DarkComet
ccf0e52e21388ebfab406f10061864daf9bca0232a7eb09f1cd5b2a036853dbe
DarkComet
f07c61b593733b1a8d2b35f0667a3d39988917f0ceaa73b474f9a559beddf992
DarkComet
+ 60 additional samples on MalwareBazaar
Result
Malware family:
darkcomet
Create hunting rule
Score:
  10/10
Tags:
family:darkcomet evasion persistence rat trojan
Link:
https://tria.ge/reports/210404-8sd2rmtbdn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks BIOS information in registry
Identifies Wine through registry keys
Uses the VBS compiler for execution
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Darkcomet
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
11233f44bf062f381ac5a1042c963d96aa46aedb5232f6d4cb67415565f6fa76
MD5 hash:
4ee9dac945f09d3659e6b61f02cb6f92
SHA1 hash:
4ad9cff7b5adfe16e613958ad72a9b83e77aacd3
Detections:
win_darkcomet_g0
Create hunting rule
win_darkcomet_auto
Create hunting rule
Link:
https://www.unpac.me/results/cc4de71c-dac9-4cd4-8ae7-84cb7c58baba/
Parent samples :
136eddfd86a8ee4a6e6c8ed4d82bc78e795e5f02ff5e347dd95893a9b011222f
e3532fb1c9e0c23e6e0b556425bceb08953c97883aacfb347789a3d8dd80099d
SH256 hash:
cc0f5625a41ee2e9ecd4b1c15f4acdcd1f6f464e50b51665bc2c5cb9c26a90e1
MD5 hash:
81f0a94a0425f4d04574b2af9e27bdba
SHA1 hash:
1c178881bd6cf1401b796b0343e132d1124e7e8d
Link:
https://www.unpac.me/results/cc4de71c-dac9-4cd4-8ae7-84cb7c58baba/
SH256 hash:
136eddfd86a8ee4a6e6c8ed4d82bc78e795e5f02ff5e347dd95893a9b011222f
MD5 hash:
90f1582eb4aa8c5db832919e5e475fc5
SHA1 hash:
bbc4d5e90346af2ec03f7ec4af33a728108818a3
Link:
https://www.unpac.me/results/cc4de71c-dac9-4cd4-8ae7-84cb7c58baba/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkComet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/136eddfd86a8ee4a6e6c8ed4d82bc78e795e5f02ff5e347dd95893a9b011222f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Intezer_Vaccine_DarkComet
Create hunting rule
Author:Intezer Labs
Description:Automatic YARA vaccination rule created based on the file's genes
Reference:https://analyze.intezer.com
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:RAT_DarkComet
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects DarkComet RAT
Reference:http://malwareconfig.com/stats/DarkComet
Rule name:win_darkcomet_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkComet

Executable exe 136eddfd86a8ee4a6e6c8ed4d82bc78e795e5f02ff5e347dd95893a9b011222f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132061/

Comments