MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d13ffb5266d4fc98c19721899c7d720496b0662b7210166cc0ff6a13eff1898. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkComet


Vendor detections: 10



SHA256 hash: 7d13ffb5266d4fc98c19721899c7d720496b0662b7210166cc0ff6a13eff1898
SHA3-384 hash: f321598aa77620fbd59450fe2ed88cc978c3fb045c800f444c0ea0e5a683b0761f913057dfae53a97a068161d04a2688
SHA1 hash: 5b2d1a94bc6dd99d118d57b3dc5f95632b4e0da4
MD5 hash: 19a746b898deaa130c14968ba78cbc95
humanhash: utah-green-quiet-stream
File name: S500RAT.bin
Download: download sample
Signature: DarkComet
File size: 5'728'256 bytes
First seen: 2022-07-16 11:36:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 332f7ce65ead0adfb3d35147033aabe9 (83 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep: 98304:rnsmtk2aPnrHztkv8r41Ndr5FCAAa0PqmqQhNTBA+OTLzrxCrh:TLQrJkv/3kdqmqmjA+OJ+h
Threatray: 71 similar samples on MalwareBazaar
TLSH: T1B3466E751148E20DC9BDADB7CDF6C4A5B9FFA0C220149CAB91B348578976D3734388EA
TrID: 92.9% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
      1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      1.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
      0.6% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 204cb27169b21428 (1 x njrat, 1 x DarkComet)
Reporter: KdssSupport
Tags: DarkComet exe


KdssSupport: Uploaded with API

Intelligence


File Origin
# of uploads: 1
# of downloads: 562
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: S500RAT.exe
Verdict: Malicious activity
Analysis date: 2022-07-16 07:36:42 UTC
Tags: evasion trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Moving a recently created file
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Modifying an executable file
DNS request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Sending a UDP request
Launching a process
Sending a custom TCP request
Creating a process with a hidden window
Changing a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Infecting executable files
Enabling autorun by creating a file
Gathering data
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: expl.troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Detected unpacking (overwrites its own PE header)
Drops PE files to the document folder of the user
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Behaviour
Behavior Graph (ID: 666179; Sample: S500RAT.exe; Startdate: 16/07/2022; Architecture: WINDOWS; Score: 100), rebuilt from the flattened graph rendering:
Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 13 other signatures
Process tree (dropped files, network contacts and per-process signatures as shown in the graph):
- S500RAT.exe
  dropped: C:\Users\user\Desktop\._cache_S500RAT.exe (PE32); C:\ProgramData\Synaptics\Synaptics.exe (PE32); C:\ProgramData\Synaptics\RCX498C.tmp (PE32); C:\...\Synaptics.exe:Zone.Identifier (ASCII)
  - ._cache_S500RAT.exe
    signatures: Antivirus detection for dropped file; Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file
    dropped: C:\Users\user\AppData\Roaming\svhost.exe (PE32); C:\Users\user\AppData\Roaming\srvhost.exe (PE32); C:\Users\user\AppData\...\WindowsDefend.exe (PE32); 4 other malicious files
    - srvhost.exe
      signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules
      - xcopy.exe
        dropped: C:\Users\user\Desktop\srvhost.exe (PE32)
        - conhost.exe
      - schtasks.exe
        - conhost.exe
    - svhost.exe
      network: ip-api.com 208.95.112.1 (ports 49784, 49798, 49961), TUT-ASUS, United States
      signatures: May check the online IP address of the machine
    - WindowsDefend.exe
    - 3 other processes
      dropped: C:\Users\user\...\._cache_File Explorer.exe (PE32)
      signatures: Injects code into the Windows Explorer (explorer.exe)
      - ._cache_File Explorer.exe
        network: ip-api.com
        - WerFault.exe
      - WerFault.exe
      - WerFault.exe
  - Synaptics.exe
    network: docs.google.com 142.250.184.238 (ports 443, 49771, 49772), GOOGLEUS, United States; freedns.afraid.org 69.42.215.252 (ports 49774, 80), AWKNET-LLCUS, United States; 2 other IPs or domains
    dropped: C:\Users\user\Documents\HTAGVDFUIE\~$cache1 (PE32)
    signatures: Multi AV Scanner detection for dropped file; Drops PE files to the document folder of the user; Contains functionality to detect sleep reduction / modifications
    - WerFault.exe
    - WerFault.exe
- srvhost.exe
  signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
  - schtasks.exe
    - conhost.exe
- srvhost.exe
  - schtasks.exe
    - conhost.exe
- 2 other processes
Threat name: Win32.Backdoor.DarkComet
Status: Malicious
First seen: 2022-07-15 23:31:33 UTC
File Type: PE (Exe)
Extracted files: 95
AV detection: 36 of 41 (87.80%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 4321ff5fbab8af8ab008a42a6412622e02e8bad632583beb841f9f1770f2e2b9
MD5 hash: 959929790d023dd310c1213173049301
SHA1 hash: 4cbdbef454433e408a41fac862d5315d988c0c52

SHA256 hash: 8c751b182c88374bcf394d912e27b3ef855ea5a834cb619272c8de7bbc979925
MD5 hash: 3a2dd995c38097a52d377e3931901dd4
SHA1 hash: c324a8ef201f5c17645ddbde9fb88bae3ece1370

SHA256 hash: b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash: c0ef4d6237d106bf51c8884d57953f92
SHA1 hash: f1da7ecbbee32878c19e53c7528c8a7a775418eb

SHA256 hash: ec69a99ab19bf64a1e80f16613021ae2e897dd05a8203ecea01d9fdf5f2a5a66
MD5 hash: 4d9a50e5f9547dd1a9e006595345cb1d
SHA1 hash: e4209ba216c779ae405699ed1e8c2b470227fa82

SHA256 hash: 3aa99c37e500da2e0bb7ab879c1f50839f10c101a3ae1c735da0e52e7601e01d
MD5 hash: 9a06f45dca4a7b2a33d8396668b24a9b
SHA1 hash: 934d183b91bae0f72af53aea48afed15016507c7

SHA256 hash: 7d13ffb5266d4fc98c19721899c7d720496b0662b7210166cc0ff6a13eff1898
MD5 hash: 19a746b898deaa130c14968ba78cbc95
SHA1 hash: 5b2d1a94bc6dd99d118d57b3dc5f95632b4e0da4
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: vbaproject_bin
Author: CD_R0M_
Description: {76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: DarkComet
File type: Executable exe
SHA256 hash: 7d13ffb5266d4fc98c19721899c7d720496b0662b7210166cc0ff6a13eff1898 (this sample)

Delivery method: Distributed via web download

Comments