MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45969e23492b09bf7e761590493dc169570c2c4d66b20a523e20ea923d2b6070. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkComet


Vendor detections: 12



SHA256 hash: 45969e23492b09bf7e761590493dc169570c2c4d66b20a523e20ea923d2b6070
SHA3-384 hash: 94678f26174b6c2490d984469f7c065cf73c49e62accbdca417cd53366b044e2014589814ff84ec9ca61ca44936dcc21
SHA1 hash: a8edf5b28e5a3eb7dcdbe3434646106a30f73d95
MD5 hash: 93e2cad0b30456d7bc1a30cad72735a7
humanhash: robert-fruit-queen-hydrogen
File name: Order02222027.exe
Signature: DarkComet
File size: 434'403 bytes
First seen: 2022-10-10 06:11:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep: 12288:RNmxmSL+GZpDS0yFGuXsLgrmkc4RydnLLPvd:RNmxmuZptQGuNjcOcd
Threatray: 2'141 similar samples on MalwareBazaar
TLSH: T1379423201EBAD59BE53393B79D7F0A63FFAEF522131DE15303002B7A3952690E518B91
TrID:
  48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: adrian__luca
Tags: DarkComet exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 230
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating synchronization primitives
Creating a window
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family: n/a
Score: 5/10
Tags: n/a

Behaviour

MalwareBazaar
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed shell32.dll

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: DarkCloud
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Drops PE files to the user root directory
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Generic Dropper
Behaviour
Behavior Graph (ID: 719251; sample: Order02222027.exe; start date: 10/10/2022; architecture: WINDOWS; score: 100), reconstructed from the graph export:
  Order02222027.exe (started)
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected DarkCloud; 4 other signatures
    Dropped: C:\Users\user\AppData\...\rcqjxnaohq.exe (PE32)
    rcqjxnaohq.exe (started)
      Dropped: C:\Users\user\AppData\Local\Temp\DFF7.tmp, D7C9.tmp, CDD5.tmp, C78A.tmp (all PE32)
      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; May check the online IP address of the machine; 4 other signatures
      Child processes: rcqjxnaohq.exe (two instances), conhost.exe, 2 other processes
      One rcqjxnaohq.exe child instance:
        Network: smtp.levcek.si (185.148.72.230, port 587, local port 49703, S-AND-T-SLOVENIA-ASSI, Slovenia); showip.net (162.55.60.2, port 80, local port 49700, ACPCA, United States)
        Dropped: C:\Users\Public\vbsqlite3.dll (PE32)
        Signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2022-10-05 11:46:52 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 24 of 26 (92.31%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files (the fifth entry is the submitted sample itself)
1. SHA256 hash: 3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
   MD5 hash: 94d1531b52774dce52a89e33646d5b1d
   SHA1 hash: 29bf887b025b97bd7a9e1e261852ba824234a625
2. SHA256 hash: 3cd6d406c81259f79559650e26d91d1612fccb91beae8f71cb17e5728460bd5a
   MD5 hash: 75585c5c0583deb75c3291d3cfc33080
   SHA1 hash: cfbff2791a4eccd64c12b3a46124851e2c5d7eb8
3. SHA256 hash: 1754030bca37d68e602b6162ed8c3c9ec6413370a4223f7ecdd9832af934dcd4
   MD5 hash: bf7682b774781c70707ec445c8b45600
   SHA1 hash: 577a324305d6c6bf4cc180acf397104988459468
4. SHA256 hash: 8236620fb2a87be0eed5651400288231a921b0e59ef48a06eb5ba6f3d18bdd9b
   MD5 hash: 5d3ebedd75b8998a938845d019d18d8e
   SHA1 hash: 1733db3641d976782657a6517e52f5467642bba9
5. SHA256 hash: 45969e23492b09bf7e761590493dc169570c2c4d66b20a523e20ea923d2b6070
   MD5 hash: 93e2cad0b30456d7bc1a30cad72735a7
   SHA1 hash: a8edf5b28e5a3eb7dcdbe3434646106a30f73d95
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkComet

Executable exe 45969e23492b09bf7e761590493dc169570c2c4d66b20a523e20ea923d2b6070 (this sample)

Delivery method: Distributed via e-mail attachment
