MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c876d45db060f5be86ab9a13496c0b280d3c6031f00bb4ffebae99566a9249b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c876d45db060f5be86ab9a13496c0b280d3c6031f00bb4ffebae99566a9249b
SHA3-384 hash: f46851840a76553a2eb12394b570dbc6d36ffd7dd2df1e36398bdc8256716472f89416b136a6d63ec821b26d287618d9
SHA1 hash: dbfe47ed7e9842b0a9014c11b7146c38963882c5
MD5 hash: 3b6f11e1bfcb6137f555399ce5e5fec6
humanhash: edward-florida-louisiana-fix
File name:f.bin
Download: download sample
Signature DarkComet
Create hunting rule
File size:674'304 bytes
First seen:2021-01-08 06:54:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e5b4359a3773764a372173074ae9b6bd (60 x DarkComet, 2 x njrat, 1 x NanoCore)
ssdeep 12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h2T:KZ1xuVVjfFoynPaVBUR8f+kN10EBsT
Threatray 89 similar samples on MalwareBazaar
TLSH BBE48E31F1808837D97219789C5F92E6982A7E202E39754B3AE62F4C5F3D6C239193D7
Reporter JAMESWT_WT

Intelligence

File Origin
# of uploads :
1
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f.exe
Verdict:
Malicious activity
Analysis date:
2021-01-08 06:19:27 UTC
Tags:
trojan rat darkcomet
Link:
https://app.any.run/tasks/827ed25a-53e8-4295-9c7b-ffdefc480c88

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkComet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110907/
Detection(s):
Win.Trojan.DarkKomet-1
Create hunting rule

PUA.Win.Packer.Exe-6
Create hunting rule

Win.Trojan.Darkkomet-6745084-0
Create hunting rule

Win.Trojan.Vobfus-6875610-0
Create hunting rule

Win.Trojan.Darkkomet-7113180-0
Create hunting rule

Win.Trojan.Barys-9799359-0
Create hunting rule

PUA.Win.Packer.PrivateEXEProtector4-6192998-2
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

PUA.Win.Adware.Dealply-6888238-0
Create hunting rule

Win.Trojan.Fynloski-40
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Changing a file
Creating a window
Creating a file
Enabling the 'hidden' option for recently created files
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Enabling the 'hidden' option for analyzed file
Creating a process from a recently created file
Setting a keyboard event handler
DNS request
Modifying a system file
Searching for the window
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Darkcomet
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/576399
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected Darkcomet RAT
Drops PE files to the document folder of the user
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Writes to foreign memory regions
Yara detected DarkComet
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 337251 Sample: f.bin Startdate: 08/01/2021 Architecture: WINDOWS Score: 100 40 g.msn.com 2->40 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 56 4 other signatures 2->56 8 f.exe 1 4 2->8         started        12 msdcsc.exe 2->12         started        14 msdcsc.exe 2->14         started        signatures3 process4 file5 34 C:\Users\user\Documents\MSDCSC\msdcsc.exe, PE32 8->34 dropped 36 C:\Users\user\...\msdcsc.exe:Zone.Identifier, ASCII 8->36 dropped 58 Detected Darkcomet RAT 8->58 60 Contains functionality to log keystrokes 8->60 62 Drops PE files to the document folder of the user 8->62 64 5 other signatures 8->64 16 msdcsc.exe 1 3 8->16         started        20 cmd.exe 1 8->20         started        22 cmd.exe 1 8->22         started        signatures6 process7 dnsIp8 38 ImagineTyingToGetMyIp-31268.portmap.host 193.161.193.99, 31268, 49723 BITREE-ASRU Russian Federation 16->38 42 Antivirus detection for dropped file 16->42 44 Detected Darkcomet RAT 16->44 46 Contains functionality to log keystrokes 16->46 48 8 other signatures 16->48 24 notepad.exe 16->24         started        26 conhost.exe 20->26         started        28 attrib.exe 1 20->28         started        30 conhost.exe 22->30         started        32 attrib.exe 1 22->32         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c876d45db060f5be86ab9a13496c0b280d3c6031f00bb4ffebae99566a9249b/
Threat name:
Win32.Backdoor.DarkComet
Create hunting rule
Status:
Malicious
First seen:
2021-01-08 06:55:09 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
44 of 46 (95.65%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
03e6b99846c4ab6a841fa7aa135d2e7230a98957c1595e2ee0bc2b14329871ca
DarkComet
04ecc8a39bb1236fb737256d4438f3781141a95d8d55576bd1a7e17a0c8b5aa0
DarkComet
1fccab885b5fbfef621f85299c5c698965a415f96e1966ef278d9268cb5d921a
DarkComet
4cd80b1158f28fc2c53e2f84e5ae119bf54cc2507a8d649e649f2cc6458bf2de
DarkComet
4ddb173a67ca5a5ccce340d40afcbfae4bc7d929ab41c07a6972269c6c71348b
DarkComet
52363e55c329e7a7811cf4d16f659550d8b04643b3a5de3938a011d65b1cb8a0
DarkComet
967db64d16674b438203bc9303f8e7ad4f424ada45eb28330dd61295ee86786d
DarkComet
9d8f404a77df431743b649f88642c7dd724c136eec43c94a55cfbb0f41d645c8
DarkComet
b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b
DarkComet
e3d039ff4df80a16aec37b13d85f4e75703de36b19694e3a70bae79b2eb46cc5
DarkComet
+ 79 additional samples on MalwareBazaar
Result
Malware family:
darkcomet
Create hunting rule
Score:
  10/10
Tags:
family:darkcomet evasion persistence rat trojan
Link:
https://tria.ge/reports/210108-rl53n3fa7e/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Modifies registry class
Adds Run key to start application
Loads dropped DLL
Windows security modification
Checks computer location settings
Executes dropped EXE
Sets file to hidden
Darkcomet
Modifies WinLogon for persistence
Windows security bypass
Unpacked files
SH256 hash:
1c876d45db060f5be86ab9a13496c0b280d3c6031f00bb4ffebae99566a9249b
MD5 hash:
3b6f11e1bfcb6137f555399ce5e5fec6
SHA1 hash:
dbfe47ed7e9842b0a9014c11b7146c38963882c5
Detections:
win_darkcomet_g0
Create hunting rule
win_darkcomet_auto
Create hunting rule
Link:
https://www.unpac.me/results/a3102c91-640d-4d29-bffc-a8c39d6713cc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkComet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c876d45db060f5be86ab9a13496c0b280d3c6031f00bb4ffebae99566a9249b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/110907/

Comments