MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78b5af812d3f9f4aa0b6c8b1840c42a15cc9938e8926f933d51eebc205645da6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78b5af812d3f9f4aa0b6c8b1840c42a15cc9938e8926f933d51eebc205645da6
SHA3-384 hash: 6c926f2336ab01827c574b997535068421c247cac9b500e6d8f0e73a4b53bb92bcc7705d030f2f5695819d094216a1cc
SHA1 hash: 5958963ab0b43905a2d1654f6f2afa944e633186
MD5 hash: 78d1cabb867eb5b30ccab20ae79f1760
humanhash: ceiling-alpha-victor-leopard
File name:Order Requirement 3411.exe
Download: download sample
Signature DarkComet
Create hunting rule
File size:3'200'000 bytes
First seen:2021-01-09 17:25:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 49152:Yl0TDejm0GTTThriLgsfpQAMBR3DErAUuyA+BP:Yl0Gjm0GTTTMLgsfpQAMBR3DE8MTBP
Threatray 43 similar samples on MalwareBazaar
TLSH 2DE56C937906B1CFD48E27748527CD4269AF4FF90B2059CBA858747A7EB3CC512BAC24
Reporter abuse_ch
Tags:DarkComet exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
963
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order Requirement 3411.exe
Verdict:
No threats detected
Analysis date:
2021-01-09 17:28:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6670f168-437f-4b60-9ac9-cb5af688341e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111131/
Detection(s):
SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
DarkComet
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/577338
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sample uses process hollowing technique
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected DarkComet
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/78b5af812d3f9f4aa0b6c8b1840c42a15cc9938e8926f933d51eebc205645da6/
Threat name:
Win32.Packed.Themida
Create hunting rule
Status:
Malicious
First seen:
2021-01-09 08:55:15 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pc227ajnh6puvifwzcyyidccufomte4oretpsm6vd3v4eblelwta._file
Verdict:
malicious
Similar samples:
32399283b913a66805becc7cfa8ea66a209d8842c2a128c5105a6db720618f11
DarkComet
36192aaa605b98f67d88d3712e5eb7ddd8e229766bbae3b2efebdb98f19662ea
DarkComet
37cb831726dc1877ea59cf5618e4fa224368bbd64a7047dec6fb554a6a17d4c2
DarkComet
51c53576e439424a479865f5b9c19288f4ba48743b513cd3ead582d0cc647187
DarkComet
632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c
DarkComet
7c3c41d8da242f6ae707daaf842c0c0afb4ff541e3b009c62e51bc7d93eca86b
DarkComet
a2f0a1d469d73a11c69afc9eb12000fa7f7652305d936a10d12dabce693f878b
DarkComet
ada1c5359c35e6b70c5a2d5533f9d725f86a1e155c8486bfd2941c9b40478ea2
DarkComet
b81dece72c020fa2cb5f5df57f71de84142574d54ef1a165aff47ec171b618d0
DarkComet
b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3
DarkComet
+ 33 additional samples on MalwareBazaar
Result
Malware family:
darkcomet
Create hunting rule
Score:
  10/10
Tags:
family:darkcomet evasion persistence rat trojan
Link:
https://tria.ge/reports/210109-7ka3xb2gc6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks BIOS information in registry
Identifies Wine through registry keys
Uses the VBS compiler for execution
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Darkcomet
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
78b5af812d3f9f4aa0b6c8b1840c42a15cc9938e8926f933d51eebc205645da6
MD5 hash:
78d1cabb867eb5b30ccab20ae79f1760
SHA1 hash:
5958963ab0b43905a2d1654f6f2afa944e633186
Link:
https://www.unpac.me/results/a7c7b7bc-e819-4f71-b93b-92495368d2f7/
SH256 hash:
f464c13b1b4a1b3b5e279b90f9245e6bc2b3849f55f54902bc783959d124300c
MD5 hash:
e4e1590da9620266c430dd06d8a0d511
SHA1 hash:
f2f4d2b6c48d5a62e8722c850b6e8ff5b25fbd64
Detections:
win_darkcomet_g0
Create hunting rule
win_darkcomet_auto
Create hunting rule
Link:
https://www.unpac.me/results/a7c7b7bc-e819-4f71-b93b-92495368d2f7/
SH256 hash:
5c19a576b7ebecd2ba94ee179c3f37088b23a3ac4d6e3f886272e06bb7f7fe41
MD5 hash:
8efeee77768b66113f95ea0d1d3c191c
SHA1 hash:
ad76303643a5e13eeb6b6606beacffc4bee89e85
Link:
https://www.unpac.me/results/a7c7b7bc-e819-4f71-b93b-92495368d2f7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkComet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78b5af812d3f9f4aa0b6c8b1840c42a15cc9938e8926f933d51eebc205645da6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Intezer_Vaccine_DarkComet
Create hunting rule
Author:Intezer Labs
Description:Automatic YARA vaccination rule created based on the file's genes
Reference:https://analyze.intezer.com
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:RAT_DarkComet
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects DarkComet RAT
Reference:http://malwareconfig.com/stats/DarkComet
Rule name:win_darkcomet_a0
Create hunting rule
Author:David Cannings
Description:Strings from the Dark Comet 5.2 stub
Rule name:win_darkcomet_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_darkcomet_g0
Create hunting rule
Author:Kevin Breen / Jean-Philippe Teissier / botherder / Florian Roth / David Cannings / Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkComet

Executable exe 78b5af812d3f9f4aa0b6c8b1840c42a15cc9938e8926f933d51eebc205645da6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111131/

Comments