MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19ed2682196c62c35dfae288464bc621e251a6a3237216916479a8fcd06efa19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19ed2682196c62c35dfae288464bc621e251a6a3237216916479a8fcd06efa19
SHA3-384 hash: 0b73f4506782edfb5608e3e19893a593e619fcb9f56a30fe666add83b75ff6d141fbf857888e33d5325e7b21fb747fb0
SHA1 hash: aa761d0d9095449da2cf01dc535f44ab4b32f03b
MD5 hash: 3a94a458ab6aa725826bb99bbb60f198
humanhash: mars-coffee-hydrogen-berlin
File name:Request for Quotation.exe
Download: download sample
Signature DarkComet
Create hunting rule
File size:1'609'728 bytes
First seen:2023-05-19 12:33:13 UTC
Last seen:2023-05-20 15:23:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:7P0wUfbkbga0csbL0rqkkhM18j2FLlxyWFW:wwUZr0rqkkq9W
Threatray 820 similar samples on MalwareBazaar
TLSH T10C75129018A48821E2EB9FB446B3F23893756D92D763834914E02CA77D77ED73E06787
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon e869f1f070f03054 (8 x Formbook, 7 x AgentTesla, 4 x Loki)
Reporter threatcat_ch
Tags:DarkComet exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
294
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Request for Quotation.exe
Verdict:
Malicious activity
Analysis date:
2023-05-19 12:33:57 UTC
Tags:
snake keylogger trojan evasion
Link:
https://app.any.run/tasks/e124ae9f-6444-4145-852e-8d4ca52c7a84

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.8730.32165.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64676cba6afc92605683ddaa/reports/7a7fe194-256e-4ced-b85f-37c2168a89d2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/19ed2682196c62c35dfae288464bc621e251a6a3237216916479a8fcd06efa19
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0408cb36-90a7-4b4b-8403-e9dad70d801d
Result
Threat name:
Snake Keylogger, StormKitty
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1237218
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 870401 Sample: Request_for_Quotation.exe Startdate: 19/05/2023 Architecture: WINDOWS Score: 100 85 Snort IDS alert for network traffic 2->85 87 Found malware configuration 2->87 89 Malicious sample detected (through community Yara rule) 2->89 91 18 other signatures 2->91 9 Request_for_Quotation.exe 3 2->9         started        12 Synaptics.exe 2->12         started        14 EXCEL.EXE 2->14         started        process3 file4 61 C:\Users\...\Request_for_Quotation.exe.log, ASCII 9->61 dropped 16 Request_for_Quotation.exe 1 5 9->16         started        19 Synaptics.exe 12->19         started        21 Synaptics.exe 12->21         started        process5 file6 45 C:\...\._cache_Request_for_Quotation.exe, PE32 16->45 dropped 47 C:\ProgramData\Synaptics\Synaptics.exe, PE32 16->47 dropped 49 C:\...\Synaptics.exe:Zone.Identifier, ASCII 16->49 dropped 23 Synaptics.exe 3 16->23         started        26 ._cache_Request_for_Quotation.exe 14 2 16->26         started        51 C:\ProgramData\...\._cache_Synaptics.exe, PE32 19->51 dropped 29 ._cache_Synaptics.exe 19->29         started        process7 dnsIp8 93 Multi AV Scanner detection for dropped file 23->93 95 Drops PE files to the document folder of the user 23->95 97 Machine Learning detection for dropped file 23->97 31 Synaptics.exe 39 23->31         started        35 Synaptics.exe 23->35         started        37 Synaptics.exe 23->37         started        69 checkip.dyndns.com 132.226.8.169, 49692, 80 UTMEMUS United States 26->69 71 checkip.dyndns.org 26->71 77 2 other IPs or domains 26->77 73 193.122.6.168, 49718, 80 ORACLE-BMC-31898US United States 29->73 75 checkip.dyndns.org 29->75 99 Antivirus detection for dropped file 29->99 101 May check the online IP address of the machine 29->101 103 Tries to steal Mail credentials (via file / registry access) 29->103 105 Tries to harvest and steal browser information (history, passwords, etc) 29->105 signatures9 process10 dnsIp11 79 freedns.afraid.org 174.128.246.100, 49701, 80 ST-BGPUS United States 31->79 81 docs.google.com 172.217.168.78, 443, 49698, 49699 GOOGLEUS United States 31->81 83 xred.mooo.com 31->83 53 C:\Users\user\DocumentsIVQSAOTAQ\~$cache1, PE32 31->53 dropped 55 C:\Users\user\Desktop\._cache_Synaptics.exe, PE32 31->55 dropped 57 C:\Users\user\AppData\Local\...\RCX1BAD.tmp, PE32 31->57 dropped 59 4 other malicious files 31->59 dropped 39 ._cache_Synaptics.exe 31->39         started        43 WerFault.exe 31->43         started        file12 process13 dnsIp14 63 132.226.247.73, 49696, 80 UTMEMUS United States 39->63 65 checkip.dyndns.org 39->65 67 2 other IPs or domains 39->67 107 Antivirus detection for dropped file 39->107 109 Multi AV Scanner detection for dropped file 39->109 111 May check the online IP address of the machine 39->111 113 2 other signatures 39->113 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/19ed2682196c62c35dfae288464bc621e251a6a3237216916479a8fcd06efa19/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2023-05-19 04:26:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dhwsnaqznrrmgxp24keems6gehrfdjvdenzbnelepgupzudo7imq._file
Verdict:
malicious
Similar samples:
04aa55e1600b801ddda368268eaf6f2ab9858f402b526468d727a943eadfb122
DarkComet
069d0eb7f3e3d5bda86b1b2782d6a0cbf16da50a28b2738c0e91252a3ed34eba
DarkComet
4969ef4af9004baaf340293cb7b7a4b46289d2648105c840997a961b19f7d846
DarkComet
4f250e4c6d12fc351a9e0cfae8036b78a88c409e6c6c88a45aa6b659d8c4901e
DarkComet
62f1922f673fdb34aea18eac783649154f1bdc646410052e3b72c4ebe6c78f37
DarkComet
6ae9300941c5572a3eec4d9b891e405318fd5595395c9251fe6baab66fa6700e
DarkComet
a5fb447c2992f48abd863452bcd6934032cf29bef1f0907bd9344a31a41e0edb
DarkComet
c7b06e2840e703c98fbe1fbfd9f33f5478e58840112d85c1e94c27a34474c95f
DarkComet
caac1ca43926e89b75c3a5f17be13f381c421730cafaca62c7d1d2a6fd2deeff
DarkComet
e09eaaa707261756f322c8d5b12af0a09c575ffbdd7bf19b895cab4982b7f68a
DarkComet
+ 810 additional samples on MalwareBazaar
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:stormkitty collection keylogger persistence spyware stealer
Link:
https://tria.ge/reports/230519-prryzsgf5v/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot6136035762:AAGQJoq5AjGzrqugWANFmU6RNEkZGCAv7SE/sendMessage?chat_id=805410216
Unpacked files
SH256 hash:
0244c8dd426d9e0a2c76bfeefa205d00e547eac2d108216a8523daa12511da0a
MD5 hash:
3eb40899263a30d33a558ccc5b14ca4a
SHA1 hash:
83fba92335f30eb86f4c7841adab06c8a30dd708
Link:
https://www.unpac.me/results/361f43af-0946-4bc6-9ebc-1efdf35cd4da/
SH256 hash:
30170eae75385a83534c28feb5a8418146df5854f4906c029d60ebde06de01dd
MD5 hash:
a327a6c350399d65c4104dfd0280f279
SHA1 hash:
f8b5accf2f999a4d3f2e296ab638df824718339d
Link:
https://www.unpac.me/results/361f43af-0946-4bc6-9ebc-1efdf35cd4da/
SH256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
Link:
https://www.unpac.me/results/361f43af-0946-4bc6-9ebc-1efdf35cd4da/
SH256 hash:
6ae9300941c5572a3eec4d9b891e405318fd5595395c9251fe6baab66fa6700e
MD5 hash:
76a47e3134c92fd51c15fe4aec539e91
SHA1 hash:
d0dfe23ac98b4224129b7fe2f57f34328fb1e25c
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/361f43af-0946-4bc6-9ebc-1efdf35cd4da/
Parent samples :
a5fb447c2992f48abd863452bcd6934032cf29bef1f0907bd9344a31a41e0edb
6ae9300941c5572a3eec4d9b891e405318fd5595395c9251fe6baab66fa6700e
4969ef4af9004baaf340293cb7b7a4b46289d2648105c840997a961b19f7d846
19ed2682196c62c35dfae288464bc621e251a6a3237216916479a8fcd06efa19
ee40d36750eae21bca0d894d54cdcacf61f1b14a3224afa4d6ed9284ea941b47
SH256 hash:
a157b66148722c2f558b4946c120ccca8681cf2c5d51f43483732e3ec7c561e0
MD5 hash:
02adb9722a0565227fd2f5d9e2203559
SHA1 hash:
cf9183c13f677f2effbd839498c292d165bec57c
Detections:
snake_keylogger
Create hunting rule
Link:
https://www.unpac.me/results/361f43af-0946-4bc6-9ebc-1efdf35cd4da/
Parent samples :
a5fb447c2992f48abd863452bcd6934032cf29bef1f0907bd9344a31a41e0edb
4969ef4af9004baaf340293cb7b7a4b46289d2648105c840997a961b19f7d846
a157b66148722c2f558b4946c120ccca8681cf2c5d51f43483732e3ec7c561e0
19ed2682196c62c35dfae288464bc621e251a6a3237216916479a8fcd06efa19
ee40d36750eae21bca0d894d54cdcacf61f1b14a3224afa4d6ed9284ea941b47
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/361f43af-0946-4bc6-9ebc-1efdf35cd4da/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
edb9730b1a6e9c5a2f3009897e5f5643e99edfec36ea52bd254daa4452249818
MD5 hash:
63d8ecb7623c142b332fe629ea14aa65
SHA1 hash:
766032c6c86d6225fe86e676c6fbdf7883a92b30
Link:
https://www.unpac.me/results/361f43af-0946-4bc6-9ebc-1efdf35cd4da/
SH256 hash:
19ed2682196c62c35dfae288464bc621e251a6a3237216916479a8fcd06efa19
MD5 hash:
3a94a458ab6aa725826bb99bbb60f198
SHA1 hash:
aa761d0d9095449da2cf01dc535f44ab4b32f03b
Link:
https://www.unpac.me/results/361f43af-0946-4bc6-9ebc-1efdf35cd4da/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/19ed2682196c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/19ed2682196c62c35dfae288464bc621e251a6a3237216916479a8fcd06efa19

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkComet

Executable exe 19ed2682196c62c35dfae288464bc621e251a6a3237216916479a8fcd06efa19

(this sample)

  
Dropped by
DarkComet
  
Delivery method
Distributed via e-mail attachment

Comments