MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f302af881787140a57111123ef02539b6453dbe7cd61df881cbec9ac443ec87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f302af881787140a57111123ef02539b6453dbe7cd61df881cbec9ac443ec87
SHA3-384 hash: 7546d279cca4801f7e268407683005ffcce82bfed43e4f5d509dd4b48b989cd12667476a62d870a43fc4662be988ba8f
SHA1 hash: 1ff67e17be21a81d92b56f9879f5c918e56a378c
MD5 hash: f7e38e4a8a47b047e6f295aeb9f503cf
humanhash: golf-angel-enemy-spaghetti
File name:7f302af881787140a57111123ef02539b6453dbe7cd61df881cbec9ac443ec87
Download: download sample
Signature DarkComet
Create hunting rule
File size:258'048 bytes
First seen:2020-11-12 13:59:04 UTC
Last seen:2024-07-24 16:48:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a38ad86d74cafc45094a5085e33419e4 (109 x DarkComet, 1 x njrat)
ssdeep 6144:JcNYk1yuwEDBum3qIWnl0pd0EX3Zq2b6wfIDYm0PHQ3:JcWkbgTIWnYnt/IDYhP
Threatray 61 similar samples on MalwareBazaar
TLSH 31442306FA660E09F2F8FC7F2AC257A7958C067BEEBD0052BB51970EF456A16071D309
Reporter seifreed
Tags:DarkComet

Intelligence

File Origin
# of uploads :
2
# of downloads :
565
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Packer.Exe-6
Create hunting rule

Win.Trojan.DarkKomet-1
Create hunting rule

Win.Trojan.Darkkomet-6745084-0
Create hunting rule

Win.Trojan.Darkkomet-7113180-0
Create hunting rule

PUA.Win.Packer.PrivateEXEProtector4-6192998-2
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun
Unauthorized injection to a system process
Deleting of the original file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f302af881787140a57111123ef02539b6453dbe7cd61df881cbec9ac443ec87/
Threat name:
Win32.Backdoor.DarkComet
Create hunting rule
Status:
Malicious
First seen:
2020-11-12 13:59:49 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p4ycv6ebpbyubjlrcejd54bfhg3ekpn6ptlb36ebzpwjvrcd5sdq._file
Verdict:
malicious
Similar samples:
13429271d76c4c33d286cc91d897a1e81c7c442ba6523b56685562e73cb19e60
DarkComet
52b6f57b2e7a9fc832227cc0ae02794e506358a295dadcf75387755a1b84b1ea
DarkComet
70384e8c5ba3d348bf34e7071759c64c52fa2e21ac9c331e719cbf9116efa57d
DarkComet
7395e621436ad8035110faa105be92fe3155804d9c3900591605c4937e8566e6
DarkComet
8ede23556115292a84dac51f8542b37e33bf621b963791cd77017c3263c31952
DarkComet
9b72e407bfb2cab71a87f023aff2c3692893328852044037333a597f71592415
DarkComet
de0916556f63cf540c814626a4098d996a55ea99bfca9cc2032e0f6994c1479d
DarkComet
e131a045dc4874ee4eed8e75af0faeecaf86a80e18f13b9845a8b6f57686beec
DarkComet
e8f040869e00b0d4dc00ddc6be5e0aaaaca6a700e16a1825592fc9924fee17e3
DarkComet
fee0b02e4e0358d8025fa74d2780dd557c2de871e03a82b3dd7aadaf451ea1a3
DarkComet
+ 51 additional samples on MalwareBazaar
Result
Malware family:
darkcomet
Create hunting rule
Score:
  10/10
Tags:
family:darkcomet persistence rat trojan upx
Link:
https://tria.ge/reports/201112-aqxjdypbjj/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
UPX packed file
Darkcomet
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
7f302af881787140a57111123ef02539b6453dbe7cd61df881cbec9ac443ec87
MD5 hash:
f7e38e4a8a47b047e6f295aeb9f503cf
SHA1 hash:
1ff67e17be21a81d92b56f9879f5c918e56a378c
Link:
https://www.unpac.me/results/be1400e2-a83f-458c-a59c-c9e4f38c792b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkComet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7f302af881787140a57111123ef02539b6453dbe7cd61df881cbec9ac443ec87

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Intezer_Vaccine_DarkComet
Create hunting rule
Author:Intezer Labs
Description:Automatic YARA vaccination rule created based on the file's genes
Reference:https://analyze.intezer.com
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:RAT_DarkComet
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects DarkComet RAT
Reference:http://malwareconfig.com/stats/DarkComet
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_darkcomet_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments