MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e0ffb1fe4a65f13608436c52a94dc39cf4d052d4911af47427ccdd86e2eb140. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkComet

Vendor detections: 17

Intelligence 17 IOCs YARA 19 File information Comments

SHA256 hash:	6e0ffb1fe4a65f13608436c52a94dc39cf4d052d4911af47427ccdd86e2eb140
SHA3-384 hash:	86e5192b833f5f95da0661a3d3bffeed9740783490842b8363e30e0bba9bdfff4342b0eab99018f37a1c4e07cc43d6ad
SHA1 hash:	97151d20e74a9312d197fc3276817fbe8a57a5ab
MD5 hash:	147c78019832b14a9f4db8335f678677
humanhash:	minnesota-four-bravo-nevada
File name:	ChromeSetup.exe
Download:	download sample
Signature	DarkComet Create hunting rule
File size:	775'168 bytes
First seen:	2026-05-02 12:19:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e5b4359a3773764a372173074ae9b6bd (67 x DarkComet, 2 x njrat, 1 x NanoCore)
ssdeep	12288:e9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hxqMd0QZhw:qZ1xuVVjfFoynPaVBUR8f+kN10EBjD0b
Threatray	383 similar samples on MalwareBazaar
TLSH	T1CBF46C31B5808833D92239F89C5A92E5942A7E202E25764B3AF53F4C5E395C3FD162DF
TrID	32.7% (.EXE) Win32 Executable Delphi generic (14182/79/4) 23.0% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 15.0% (.EXE) Win64 Executable (generic) (6522/11/2) 10.3% (.EXE) Win32 Executable (generic) (4504/4/1) 4.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
dhash icon	3339d894cce17123 (4 x DarkComet)
Reporter	Anonymous
Tags:	DarkComet delphi exe RAT

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

Vendor Threat Intelligence

Gathering data

Malware family:

darkcomet

ID:

File name:

ChromeSetup.exe

Verdict:

Malicious activity

Analysis date:

2026-05-02 12:06:05 UTC

Tags:

delphi darkcomet rat

Link:

https://app.any.run/tasks/83248dc0-faec-4313-a356-3e929f806e84

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DarkComet

Link:

https://www.capesandbox.com/analysis/64290/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm borland_delphi darkcomet darkcomet darkkomet evasive explorer fingerprint keylogger keylogger lolbin packed

Link:

https://www.filescan.io/uploads/69f5ebff2fcb905ec27a2a88/reports/347b5a5c-b3ab-4c0e-b4b0-7ea0ad809380/overview

Verdict:

Malicious

Labled as:

Backdoor.DarkKomet

Link:

https://www.hybrid-analysis.com/sample/6e0ffb1fe4a65f13608436c52a94dc39cf4d052d4911af47427ccdd86e2eb140

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-05-02T09:28:00Z UTC

Last seen:

2026-05-04T09:09:00Z UTC

Hits:

~10

Detections:

PDM:Trojan.Win32.Generic Backdoor.DarkKomet.TCP.C&C Trojan.Win32.Agent.sb Backdoor.Win32.Finlosky.bf Backdoor.Win32.DarkKomet.xyk Backdoor.Win32.DarkKomet.eku Backdoor.Win32.DarkKomet.b Trojan-Spy.Win32.Xegumumune.sbc HEUR:Trojan.Win32.Generic HEUR:Backdoor.Win32.DarkKomet.gen Backdoor.Win32.DarkKomet.diex

Link:

https://opentip.kaspersky.com/6e0ffb1fe4a65f13608436c52a94dc39cf4d052d4911af47427ccdd86e2eb140/results?tab=lookup

Malware family:

DarkComet

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/23af5bde-d36a-4305-8e81-daa337a81629

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6e0ffb1fe4a65f13608436c52a94dc39cf4d052d4911af47427ccdd86e2eb140

Gathering data

Detection:

darkcomet

Link:

https://mwdb.cert.pl/sample/6e0ffb1fe4a65f13608436c52a94dc39cf4d052d4911af47427ccdd86e2eb140/

Verdict:

Malicious

Threat:

Family.DARKCOMET

Link:

https://tip.neiki.dev/file/6e0ffb1fe4a65f13608436c52a94dc39cf4d052d4911af47427ccdd86e2eb140

Threat name:

Win32.Backdoor.DarkComet

Status:

Malicious

First seen:

2026-05-02 12:20:41 UTC

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nyh7wh7euzprgyeeg3csvfg4hhhu2bjnjei26r2cptg5q3rowfaa._file

Verdict:

malicious

Label(s):

darkcomet

DarkComet

a88cfb093e1297165940818f7bb6e8441fb34462c021c525cba8683b8630e566

DarkComet

cf6bac13c5316f2577d4b1e5a6d349ce0cad51b7adef0569dfc891b79abbec95

DarkComet

eafc56e985f24b31dc2f0d09c15497e25feca4e1e792d315648810d4e0fb7b55

DarkComet

error

DarkComet

f8836e32e116906d49910cbe22fed8acaebad1061855d9769c74d82ff2097c70

DarkComet

+ 373 additional samples on MalwareBazaar

Result

Malware family:

darkcomet

Score:

10/10

Tags:

family:darkcomet botnet:guest54 discovery persistence rat trojan

Link:

https://tria.ge/reports/260502-phzmgafs4y/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Family: Darkcomet

Modifies WinLogon for persistence

Malware Config

C2 Extraction:

88aa.institute:443
88aa.institute:1604
gofent.za.com:1604
gofent.za.com:443
104.21.90.190:443
172.67.159.202:443
172.64.34.27:443
108.162.195.176:443
104.21.32.10:443
172.67.182.31:443
172.64.34.221:443
172.64.35.111:443

Unpacked files

SH256 hash:

6e0ffb1fe4a65f13608436c52a94dc39cf4d052d4911af47427ccdd86e2eb140

MD5 hash:

147c78019832b14a9f4db8335f678677

SHA1 hash:

97151d20e74a9312d197fc3276817fbe8a57a5ab

Detections:

win_darkcomet_g0

win_darkcomet_a0

win_darkcomet_auto

triage_darkcomet_rat

Link:

https://www.unpac.me/results/448ec325-608c-4a71-a800-d5e35d865547/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CMD_Ping_Localhost Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	darkcomet_v1 Create hunting rule
Author:	RandomMalware

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	Intezer_Vaccine_DarkComet Create hunting rule
Author:	Intezer Labs
Description:	Automatic YARA vaccination rule created based on the file's genes
Reference:	https://analyze.intezer.com

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	Malware_QA_update_RID2DAD Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	MALWARE_Win_DarkComet Create hunting rule
Author:	ditekSHen
Description:	Detects DarkComet

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RAT_DarkComet Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects DarkComet RAT
Reference:	http://malwareconfig.com/stats/DarkComet

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	Windows_Trojan_Darkcomet_1df27bcc Create hunting rule
Author:	Elastic Security

Rule name:	win_darkcomet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator