MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a9c0231a34465924266db441a25a9454e27332c36224267841c88f1aaab39dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkComet

Vendor detections: 18

Intelligence 18 IOCs YARA 7 File information Comments

SHA256 hash:	4a9c0231a34465924266db441a25a9454e27332c36224267841c88f1aaab39dc
SHA3-384 hash:	3adecbee68de65bd2d167eee9f051d63a36e93e891a297e2568559057c208f9315ad702b1f0e7b5d84eda42b0699ed32
SHA1 hash:	e67af42dcc4922ed90ed57943cfcda2a9e2e989f
MD5 hash:	146f2cec01cb613eb0574122c93b08c4
humanhash:	william-item-five-angel
File name:	inz3svuR.exe
Download:	download sample
Signature	DarkComet Create hunting rule
File size:	775'680 bytes
First seen:	2023-01-10 15:48:09 UTC
Last seen:	2023-01-12 16:50:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6f0fecaae0f40ed3ea31df971b69bcca (1 x njrat, 1 x DarkComet)
ssdeep	12288:YX2JVHMRtDaSm3TJvVNvWV5YTsY7tHwbz/htfcoCoK632zb7G/QofO4Vw:Oss2Sm39NNv9wY7tHwbzfIoK6Mo3w
Threatray	276 similar samples on MalwareBazaar
TLSH	T19BF45C31B5808837D97239F89C5A92D598297E202E24794B3AF63F4C5B39283FD152DF
TrID	22.3% (.EXE) Win32 Executable Delphi generic (14182/79/4) 20.6% (.SCR) Windows screen saver (13097/50/3) 16.5% (.EXE) Win64 Executable (generic) (10523/12/4) 15.7% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 7.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	03838f8b8f8fdb4b (2 x DarkComet)
Reporter	pmelson
Tags:	DarkComet exe

Intelligence

File Origin

# of uploads :

# of downloads :

253

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

darkcomet

ID:

File name:

inz3svuR.exe

Verdict:

Malicious activity

Analysis date:

2023-01-10 15:50:55 UTC

Tags:

darkcomet

Link:

https://app.any.run/tasks/c783a211-73c1-4dfe-a1e9-b0bb3db242c7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DarkComet

Link:

https://www.capesandbox.com/analysis/351585/

Detection(s):

Win.Trojan.DarkKomet-1

Win.Dropper.Zeus-9820070-0

Win.Trojan.Darkkomet-9857871-0

Win.Malware.Darkkomet-9857872-0

PUA.Win.Packer.PrivateEXEProtector4-6192998-2

Win.Trojan.Darkkomet-6745084-0

Win.Trojan.Vobfus-6875610-0

Win.Trojan.Agent-349803

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Launching cmd.exe command interpreter

Creating a process with a hidden window

Launching a process

Setting a keyboard event handler

DNS request

Enabling the 'hidden' option for analyzed file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm darkcomet explorer.exe fingerprint greyware keylogger rat shell32.dll

Link:

https://www.filescan.io/uploads/63bd88ef06f34cc0fa530ced/reports/56a4b7a4-23da-45f5-9a43-82f7350cbcbb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DarkComet

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/270f2743-60a1-4985-9a6f-7ab42def5a0f

Result

Threat name:

DarkComet

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1148908

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Creates a thread in another existing process (thread injection)

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected DarkComet

Behaviour

Behavior Graph:

Download SVG

Detection:

darkcomet

Link:

https://mwdb.cert.pl/sample/4a9c0231a34465924266db441a25a9454e27332c36224267841c88f1aaab39dc/

Threat name:

Win32.Backdoor.DarkComet

Status:

Malicious

First seen:

2023-01-10 15:49:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jkoaemndirszeqtg3ncbujnjivhcomzmgyreez4edsepdkvlhhoa._file

Verdict:

malicious

DarkComet

2f3b39e32b302b059b4bf652a4094d8631ce6f7ec8a95a2b1db2d7d1fe29fcde

DarkComet

43b3fa1a455eedfc3a6084046a958b6a41074b92d94ecb5a0262911eab570f86

DarkComet

43bfc71737bff97fad2484a55e501262e2b25a03aac1a200843f3222f3dcc9a4

DarkComet

52b6f57b2e7a9fc832227cc0ae02794e506358a295dadcf75387755a1b84b1ea

DarkComet

5a2ab897c8f8d779118f7e29f018796913274a8e6d7d815955c028bd9a576360

DarkComet

77dddb8e258184f22bbbf1d17a3e9f121528da1cd431ca26c44a870218ee0184

DarkComet

a6184cc11ae5e53a2c52fc668690561b0ed9b7217e0ff7c0b236bce30fba1da3

DarkComet

fee0b02e4e0358d8025fa74d2780dd557c2de871e03a82b3dd7aadaf451ea1a3

DarkComet

+ 266 additional samples on MalwareBazaar

Result

Malware family:

darkcomet

Score:

10/10

Tags:

family:darkcomet botnet:guest16 evasion persistence rat trojan

Link:

https://tria.ge/reports/230110-s9bw9sge72/

Behaviour

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Enumerates physical storage devices

Adds Run key to start application

Checks computer location settings

Sets file to hidden

Darkcomet

Modifies WinLogon for persistence

Malware Config

C2 Extraction:

darkcometfirstuser.hopto.org:1604

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/32a795aa-9758-4ece-93e6-323e72a010d9

Unpacked files

SH256 hash:

4a9c0231a34465924266db441a25a9454e27332c36224267841c88f1aaab39dc

MD5 hash:

146f2cec01cb613eb0574122c93b08c4

SHA1 hash:

e67af42dcc4922ed90ed57943cfcda2a9e2e989f

Detections:

win_darkcomet_a0

win_darkcomet_auto

win_darkcomet_g0

Link:

https://www.unpac.me/results/73a8d70c-e500-4915-b9bb-13b610a74c26/

Malware family:

DarkComet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4a9c0231a344/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4a9c0231a34465924266db441a25a9454e27332c36224267841c88f1aaab39dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Intezer_Vaccine_DarkComet Create hunting rule
Author:	Intezer Labs
Description:	Automatic YARA vaccination rule created based on the file's genes
Reference:	https://analyze.intezer.com

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	Malware_QA_update_RID2DAD Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	MALWARE_Win_DarkComet Create hunting rule
Author:	ditekSHen
Description:	Detects DarkComet

Rule name:	RAT_DarkComet Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects DarkComet RAT
Reference:	http://malwareconfig.com/stats/DarkComet

Rule name:	Windows_Trojan_Darkcomet_1df27bcc Create hunting rule
Author:	Elastic Security

Rule name:	win_darkcomet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator