MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c53cf8628e9d03bde5397b41277ee48b963122bc3d6ed0a090ee0908c04023d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkComet

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	7c53cf8628e9d03bde5397b41277ee48b963122bc3d6ed0a090ee0908c04023d
SHA3-384 hash:	f1297b31b5d3ea52ed478b7a005e279560e3e734a413a2cd11d39ed3b5eef3b7404f13f22fa205c40b88a704b1068eee
SHA1 hash:	f4e5e0eac5e3179a7281a22f31f0512d67522674
MD5 hash:	9631ecf5da619ba850ff227e4e5e634a
humanhash:	four-july-bakerloo-saturn
File name:	Order Requirement 541.exe
Download:	download sample
Signature	DarkComet Create hunting rule
File size:	3'254'272 bytes
First seen:	2021-02-09 08:28:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep	49152:CIimBfYQtfLJTTTfTg7cGkbyTpNKDHq0OJHXDQCxj2UoYpZCBec:VXQQFLJTTTfc7c3eTpNKDHqJ3TuA
Threatray	58 similar samples on MalwareBazaar
TLSH	97E55B91A44531CBC4CE17B88927CD89995E0FF98B2019CBAD6DF47ABE73CC521B6C24
Reporter	abuse_ch
Tags:	DarkComet exe Yahoo

abuse_ch

Malspam distributing DarkComet:

HELO: sonic301-29.consmr.mail.bf2.yahoo.com
Sending IP: 74.6.129.228
From: Kiyasha Amaidas <klyasha27@yahoo.com>
Subject: Purchase Order
Attachment: Order Requirement 541.zip (contains "Order Requirement 541.exe")

DarkComent RAT C2:
chrisle79.ddns.net:3317

Intelligence

File Origin

# of uploads :

# of downloads :

798

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Order Requirement 541.exe

Verdict:

No threats detected

Analysis date:

2021-02-09 08:31:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/59748343-58c7-4d2f-8c4f-f82ca4dd5e50

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/116128/

Detection(s):

SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Adding an access-denied ACE

Launching a process

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

DarkComet

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/602665

Signature

Allocates many large memory junks

Allocates memory in foreign processes

Creates an undocumented autostart registry key

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

PE file contains section with special chars

Sample uses process hollowing technique

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect virtualization through RDTSC time measurements

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected DarkComet

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7c53cf8628e9d03bde5397b41277ee48b963122bc3d6ed0a090ee0908c04023d/

Threat name:

Win32.Backdoor.Androm

Status:

Malicious

First seen:

2021-02-09 08:29:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=prj47bri5hidxxsts62be57ojc4wgerlyplo2cqjb3qjbdaeai6q._file

Verdict:

malicious

DarkComet

23b038034753de2b160a1039ad4f724f0cb75d57d0f73af56d592850c82a20cb

DarkComet

2d631fe6c1c02c67198648c5f7ae1891262bf277721f664bd6c8ffb0e7d6a681

DarkComet

37cb831726dc1877ea59cf5618e4fa224368bbd64a7047dec6fb554a6a17d4c2

DarkComet

6057a10b27aebb92f7d961ce23929dc41579f6da1dcbf28572d8c5f0ffac488b

DarkComet

758c9e9642b467c181548b07d7d47e32e2e37ce7298e0d89674fdbcbe13eb50e

DarkComet

78b5af812d3f9f4aa0b6c8b1840c42a15cc9938e8926f933d51eebc205645da6

DarkComet

7c3c41d8da242f6ae707daaf842c0c0afb4ff541e3b009c62e51bc7d93eca86b

DarkComet

a2f0a1d469d73a11c69afc9eb12000fa7f7652305d936a10d12dabce693f878b

DarkComet

b81dece72c020fa2cb5f5df57f71de84142574d54ef1a165aff47ec171b618d0

DarkComet

+ 48 additional samples on MalwareBazaar

Result

Malware family:

darkcomet

Score:

10/10

Tags:

family:darkcomet evasion persistence rat trojan

Link:

https://tria.ge/reports/210209-n9ph2zpe92/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks BIOS information in registry

Identifies Wine through registry keys

Uses the VBS compiler for execution

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Darkcomet

Modifies WinLogon for persistence

Unpacked files

SH256 hash:

c0b25b0a5e2d95a271c77262bda68915b0f28ccb8f109dd467a14e3d6f4012cb

MD5 hash:

cd5455acfe652d107f112b8031e4a95d

SHA1 hash:

dbaa76943f85ebfdace1c202a4b43d50a9d0370a

Detections:

win_darkcomet_g0

win_darkcomet_auto

Link:

https://www.unpac.me/results/243da18d-9d89-417a-a491-1b5b655ba42d/

SH256 hash:

ba19d2f60c57075d26cc70f34aa5df471d8f84fa169dc841baf037ab033bdf08

MD5 hash:

677af3215a88501620451b757fe89d5c

SHA1 hash:

855ed02353925eb84b18163c44bb74ba169d0136

Link:

https://www.unpac.me/results/243da18d-9d89-417a-a491-1b5b655ba42d/

SH256 hash:

7c53cf8628e9d03bde5397b41277ee48b963122bc3d6ed0a090ee0908c04023d

MD5 hash:

9631ecf5da619ba850ff227e4e5e634a

SHA1 hash:

f4e5e0eac5e3179a7281a22f31f0512d67522674

Link:

https://www.unpac.me/results/243da18d-9d89-417a-a491-1b5b655ba42d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DarkComet

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7c53cf8628e9d03bde5397b41277ee48b963122bc3d6ed0a090ee0908c04023d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Intezer_Vaccine_DarkComet Create hunting rule
Author:	Intezer Labs
Description:	Automatic YARA vaccination rule created based on the file's genes
Reference:	https://analyze.intezer.com

Rule name:	IPPort_combo_mem Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	RAT_DarkComet Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects DarkComet RAT
Reference:	http://malwareconfig.com/stats/DarkComet

Rule name:	win_darkcomet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator