MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d631fe6c1c02c67198648c5f7ae1891262bf277721f664bd6c8ffb0e7d6a681. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d631fe6c1c02c67198648c5f7ae1891262bf277721f664bd6c8ffb0e7d6a681
SHA3-384 hash: 459f07d13d692e2f1a66196a80e7ea2f6ad5e283516b989b91734d2d3788deebd159a670210acbde73002d4d334122ba
SHA1 hash: d76adb5de515fbcedb4cae93cf77951c33505a1f
MD5 hash: f0706cd83ed4da6d24a71767ccfd5741
humanhash: yellow-seven-six-five
File name:Order Requirement 341.exe
Download: download sample
Signature DarkComet
Create hunting rule
File size:3'213'824 bytes
First seen:2021-01-19 06:40:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 98304:xnKOEQ0hTTTuTOX5DZK2PmNGQsIdZyTgyb3EvTeD:MNTTTxgyTzO
Threatray 44 similar samples on MalwareBazaar
TLSH 77E56C91A40571CFD68E27788527CEC2592D4FB90BB409CBA85D78BA7EB3DC112B9C34
Reporter abuse_ch
Tags:DarkComet exe RAT Yahoo


Avatar
abuse_ch
Malspam distributing DarkComet:

HELO: sonic306-3.consmr.mail.bf2.yahoo.com
Sending IP: 74.6.132.42
From: M.A Industrial Supplier <ma_industrialsuppliers@yahoo.com>
Subject: Payment
Attachment: Order Requirement 341.zip (contains "Order Requirement 341.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
848
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order Requirement 341.exe
Verdict:
No threats detected
Analysis date:
2021-01-19 06:42:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/03af8f0d-7ec8-403f-af8f-1d7a95a13a80

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112732/
Detection(s):
SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
DarkComet
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/584488
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
PE file contains section with special chars
Sample uses process hollowing technique
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected DarkComet
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d631fe6c1c02c67198648c5f7ae1891262bf277721f664bd6c8ffb0e7d6a681/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 06:41:06 UTC
AV detection:
12 of 46 (26.09%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fvrr7zwbyawgogmgjdc7plqysetcx4txoipwms6wzd73bz6wu2aq._file
Verdict:
malicious
Similar samples:
0fd520fd121041bb2ec206028e1c8f0ba18d4a048d2bcec863b00edcaad39725
DarkComet
2d403f971f502d2423b11dcca6424edc460b6c290cb76107d7f36a37565791e8
DarkComet
32399283b913a66805becc7cfa8ea66a209d8842c2a128c5105a6db720618f11
DarkComet
5c7291c8c0c9aae91453faabe543abd6da50a2600ba74cd9fd1faa18a939cd4b
DarkComet
6057a10b27aebb92f7d961ce23929dc41579f6da1dcbf28572d8c5f0ffac488b
DarkComet
758c9e9642b467c181548b07d7d47e32e2e37ce7298e0d89674fdbcbe13eb50e
DarkComet
78b5af812d3f9f4aa0b6c8b1840c42a15cc9938e8926f933d51eebc205645da6
DarkComet
a95255b520f721b807650a1de5feeefab46054029386cd0ce57c81daa3ac0248
DarkComet
ada1c5359c35e6b70c5a2d5533f9d725f86a1e155c8486bfd2941c9b40478ea2
DarkComet
b81dece72c020fa2cb5f5df57f71de84142574d54ef1a165aff47ec171b618d0
DarkComet
+ 34 additional samples on MalwareBazaar
Result
Malware family:
darkcomet
Create hunting rule
Score:
  10/10
Tags:
family:darkcomet evasion persistence rat trojan
Link:
https://tria.ge/reports/210119-g4t4akzez2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Darkcomet
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
5c19a576b7ebecd2ba94ee179c3f37088b23a3ac4d6e3f886272e06bb7f7fe41
MD5 hash:
8efeee77768b66113f95ea0d1d3c191c
SHA1 hash:
ad76303643a5e13eeb6b6606beacffc4bee89e85
Link:
https://www.unpac.me/results/49965fa9-b6b4-4e31-a0b5-d7838a67f87a/
SH256 hash:
f2c1e0b4571d505a5f534622c50c3c1ac4204365c7d7cb676969b1bbc73d0298
MD5 hash:
8f939e296f0f2301d225c434d4845926
SHA1 hash:
572c099ee570620c25adb05143c9f5ebd10e8e5e
Detections:
win_darkcomet_g0
Create hunting rule
win_darkcomet_auto
Create hunting rule
Link:
https://www.unpac.me/results/49965fa9-b6b4-4e31-a0b5-d7838a67f87a/
Parent samples :
b81dece72c020fa2cb5f5df57f71de84142574d54ef1a165aff47ec171b618d0
2d631fe6c1c02c67198648c5f7ae1891262bf277721f664bd6c8ffb0e7d6a681
SH256 hash:
2d631fe6c1c02c67198648c5f7ae1891262bf277721f664bd6c8ffb0e7d6a681
MD5 hash:
f0706cd83ed4da6d24a71767ccfd5741
SHA1 hash:
d76adb5de515fbcedb4cae93cf77951c33505a1f
Link:
https://www.unpac.me/results/49965fa9-b6b4-4e31-a0b5-d7838a67f87a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkComet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d631fe6c1c02c67198648c5f7ae1891262bf277721f664bd6c8ffb0e7d6a681

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Intezer_Vaccine_DarkComet
Create hunting rule
Author:Intezer Labs
Description:Automatic YARA vaccination rule created based on the file's genes
Reference:https://analyze.intezer.com
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:RAT_DarkComet
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects DarkComet RAT
Reference:http://malwareconfig.com/stats/DarkComet
Rule name:win_darkcomet_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkComet

zip 5ca4c629ded2184d8da691c45bf968b7670383a9dbb2ac3206940bd9b8e5ecd5

DarkComet

Executable exe 2d631fe6c1c02c67198648c5f7ae1891262bf277721f664bd6c8ffb0e7d6a681

(this sample)

  
Dropped by
MD5 f55a84b1fe38d9cac0922134bd29272f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5ca4c629ded2184d8da691c45bf968b7670383a9dbb2ac3206940bd9b8e5ecd5
Cape
Cape
https://www.capesandbox.com/analysis/112732/

Comments