MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1
SHA3-384 hash: b8a91d296571ce6bdcff8128ea31d5a459dc32b1b23ba1a56d6c2245dc35e99fc6311f30889e45293c9f56bdf12dc9a1
SHA1 hash: a68034b6084112066cc02565dd519a23757c1b15
MD5 hash: 1d9b720db2f4e23c3502f1456f09b927
humanhash: london-east-king-fish
File name:5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1
Download: download sample
Signature DarkComet
Create hunting rule
File size:675'328 bytes
First seen:2021-09-21 08:36:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e5b4359a3773764a372173074ae9b6bd (60 x DarkComet, 2 x njrat, 1 x NanoCore)
ssdeep 12288:S9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hG:+Z1xuVVjfFoynPaVBUR8f+kN10EBA
Threatray 157 similar samples on MalwareBazaar
TLSH T1DDE48E31F1808837D93219789C5F92E6982A7E202E39754B3AE62F4C5F3D6C239193D7
Reporter JAMESWT_WT
Tags:DarkComet exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
877
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1
Verdict:
Suspicious activity
Analysis date:
2021-09-21 09:14:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7ec2924e-b672-4bd6-8955-d791659fdcaa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkComet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189797/
Detection(s):
Win.Trojan.DarkKomet-1
Create hunting rule

PUA.Win.Packer.Exe-6
Create hunting rule

Win.Trojan.Darkkomet-7113180-0
Create hunting rule

Win.Trojan.Barys-9799359-0
Create hunting rule

Win.Dropper.Zeus-9820070-0
Create hunting rule

Win.Dropper.Darkkomet-9857869-0
Create hunting rule

Win.Trojan.Darkkomet-9857871-0
Create hunting rule

Win.Malware.Darkkomet-9857872-0
Create hunting rule

PUA.Win.Packer.PrivateEXEProtector4-6192998-2
Create hunting rule

Win.Trojan.Darkkomet-6745084-0
Create hunting rule

Win.Trojan.Vobfus-6875610-0
Create hunting rule

Win.Trojan.Fynloski-40
Create hunting rule

Malware family:
DarkComet
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/78b7468d-ec2b-40bc-b184-cd4bbf2c3e90
Result
Threat name:
Darkcomet
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854748
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Detected Darkcomet RAT
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Disables UAC (registry)
Disables windows user account control
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected DarkComet
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 487181 Sample: 6JWwpk95Vc Startdate: 21/09/2021 Architecture: WINDOWS Score: 100 45 Multi AV Scanner detection for domain / URL 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 4 other signatures 2->51 9 6JWwpk95Vc.exe 1 4 2->9         started        13 msdcsc.exe 2->13         started        15 msdcsc.exe 2->15         started        process3 file4 39 C:\Windows\MSDCSC\msdcsc.exe, PE32 9->39 dropped 41 C:\Windows\...\msdcsc.exe:Zone.Identifier, ASCII 9->41 dropped 63 Detected Darkcomet RAT 9->63 65 Creates an undocumented autostart registry key 9->65 67 Drops executables to the windows directory (C:\Windows) and starts them 9->67 69 Creates an autostart registry key pointing to binary in C:\Windows 9->69 17 msdcsc.exe 6 2 9->17         started        21 cmd.exe 1 9->21         started        23 cmd.exe 1 9->23         started        signatures5 process6 dnsIp7 43 8.tcp.ngrok.io 3.19.130.43, 13738, 49744 AMAZON-02US United States 17->43 53 Antivirus detection for dropped file 17->53 55 Multi AV Scanner detection for dropped file 17->55 57 Changes security center settings (notifications, updates, antivirus, firewall) 17->57 61 10 other signatures 17->61 25 notepad.exe 17->25         started        59 Uses cmd line tools excessively to alter registry or file data 21->59 27 attrib.exe 1 21->27         started        29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 attrib.exe 1 23->33         started        signatures8 process9 process10 35 MpCmdRun.exe 1 27->35         started        process11 37 conhost.exe 35->37         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1/
Threat name:
Win32.Backdoor.DarkComet
Create hunting rule
Status:
Malicious
First seen:
2021-09-19 02:17:44 UTC
AV detection:
44 of 45 (97.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lioi54k4ztkqbawgqyxr36h4zram7j5zjz3rbsvpmb2ry4kmnsyq._file
Verdict:
malicious
Similar samples:
04c164391efcedd93b5c04dc137e8b80336265246fa15318a67d4b2d20bf257f
DarkComet
5daf38ba7d08872375f14a3d8de794d20aa37e1caeda4da0558e2a9cd4ed668a
DarkComet
844fdc307207e49c308561468f99e2255b4c2759370e1c3b13919db926630d41
DarkComet
b13b73296a76348fa21f9d6120e93b0e6788dd1e0ffe245c23313384db089fd6
DarkComet
eadb655f8e92bf218894b479082dc74e0fce5a44cef4d74a6c3cf51c1773e4e3
DarkComet
f39cf76bea672912a70974a84cf6ce37188014dc1013ad00ad1fdefb8e7d9b15
DarkComet
f696bb0ca1c8c2d9fc4a65cacafd614945e657c262926d34f18dfe4a958ced7d
DarkComet
+ 147 additional samples on MalwareBazaar
Result
Malware family:
darkcomet
Create hunting rule
Score:
  10/10
Tags:
family:darkcomet botnet:sazan evasion persistence rat trojan
Link:
https://tria.ge/reports/210921-kh5q9sbegl/
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Windows security modification
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Executes dropped EXE
Sets file to hidden
Darkcomet
Modifies WinLogon for persistence
Modifies firewall policy service
Modifies security service
Windows security bypass
Malware Config
C2 Extraction:
8.tcp.ngrok.io:13738
Unpacked files
SH256 hash:
5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1
MD5 hash:
1d9b720db2f4e23c3502f1456f09b927
SHA1 hash:
a68034b6084112066cc02565dd519a23757c1b15
Detections:
win_darkcomet_auto
Create hunting rule
win_darkcomet_g0
Create hunting rule
Link:
https://www.unpac.me/results/22dbfa13-94f6-48bd-9db3-624c4b06c652/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkComet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a1c8ef15cccd50082c6862f1df8fccc40cfa7b94e7710caaf60751c714c6cb1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Intezer_Vaccine_DarkComet
Create hunting rule
Author:Intezer Labs
Description:Automatic YARA vaccination rule created based on the file's genes
Reference:https://analyze.intezer.com
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:Malware_QA_update_RID2DAD
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:RAT_DarkComet
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects DarkComet RAT
Reference:http://malwareconfig.com/stats/DarkComet
Rule name:win_darkcomet_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/189797/

Comments