MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87fd1a37f56e55cc20cdf882955d9ac37a857bd0bf12c480ea76f9a452438ab6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkComet

Vendor detections: 9

Intelligence 9 IOCs YARA 6 File information Comments

SHA256 hash:	87fd1a37f56e55cc20cdf882955d9ac37a857bd0bf12c480ea76f9a452438ab6
SHA3-384 hash:	969e164c253117ba8ab41a78b5f10dff0dd1e03f5abda84332d0f8be0039cbaac97bb7a44b00427cc1c4e22f5bf1bddf
SHA1 hash:	8b2f47300d6fecd4d5fcef477b7cbd63cf6ef8c5
MD5 hash:	3602f8e02342949364e8669e0c88f686
humanhash:	golf-apart-rugby-vermont
File name:	Payment 381.exe
Download:	download sample
Signature	DarkComet Create hunting rule
File size:	3'237'376 bytes
First seen:	2021-02-25 09:51:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep	49152:XiF15589IkXzaE4h9Y2/HK/lpwYHcB/0z8zn:SF1YXmE4h9Y2/q/lpHcBsQzn
Threatray	97 similar samples on MalwareBazaar
TLSH	6DE54CA1F40A62CBD48B1BB45567CE81686E47FC8B1008DBA89CF57A7D63DC011BED6C
Reporter	abuse_ch
Tags:	DarkComet exe RAT Yahoo

abuse_ch

Malspam distributing DarkComet:

HELO: sonic315-21.consmr.mail.ne1.yahoo.com
Sending IP: 66.163.190.147
From: williams Green <williamsgreen1979@yahoo.com>
Subject: Payment
Attachment: Payment 381.zip (contains "Payment 381.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

907

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Payment 381.exe

Verdict:

No threats detected

Analysis date:

2021-02-25 09:53:05 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0dc8dc22-f975-454f-8bd8-895c6f679f9c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/119155/

Detection(s):

SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Adding an access-denied ACE

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Launching a process

DNS request

Connection attempt to an infection source

Enabling autorun

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

DarkComet

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/618496

Signature

Allocates memory in foreign processes

Creates an undocumented autostart registry key

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Sample uses process hollowing technique

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected DarkComet

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/87fd1a37f56e55cc20cdf882955d9ac37a857bd0bf12c480ea76f9a452438ab6/

Threat name:

Win32.Backdoor.Androm

Status:

Malicious

First seen:

2021-02-25 09:52:08 UTC

AV detection:

13 of 46 (28.26%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=q76run7vnzk4yign7cbjkxm2yn5ik66qx4jmjahko342iusdrk3a._file

Verdict:

malicious

DarkComet

32399283b913a66805becc7cfa8ea66a209d8842c2a128c5105a6db720618f11

DarkComet

57e0906e3b6e13fe8db13cc06ce37d957bfc045afa6e99e9cf8b893ceb57d018

DarkComet

632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c

DarkComet

6369b1ed4ab77dfaea18de4beb22c0ca26bd91eae120261c3657f079f88c1790

DarkComet

78b5af812d3f9f4aa0b6c8b1840c42a15cc9938e8926f933d51eebc205645da6

DarkComet

7c3c41d8da242f6ae707daaf842c0c0afb4ff541e3b009c62e51bc7d93eca86b

DarkComet

7c53cf8628e9d03bde5397b41277ee48b963122bc3d6ed0a090ee0908c04023d

DarkComet

b0c5153cf37bc26d5845c41dd969822cfc272186c49f0b447060259787bf024a

DarkComet

b81dece72c020fa2cb5f5df57f71de84142574d54ef1a165aff47ec171b618d0

DarkComet

+ 87 additional samples on MalwareBazaar

Result

Malware family:

darkcomet

Score:

10/10

Tags:

family:darkcomet evasion persistence rat trojan

Link:

https://tria.ge/reports/210225-gk3kqfgm4s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks BIOS information in registry

Identifies Wine through registry keys

Uses the VBS compiler for execution

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Darkcomet

Modifies WinLogon for persistence

Unpacked files

SH256 hash:

d1414e5c3e1f4a0cb27e50f6d55f9408a389e5bd61f650fc60302ba2fc490fca

MD5 hash:

0cf570c193eba5f1f86ab76c49bc6104

SHA1 hash:

f064b88f42b308e68bf5f3c518acba03730f0f69

Link:

https://www.unpac.me/results/b1ef82f9-6308-4912-af18-072cde051b5c/

SH256 hash:

fd923ca5379851020a4d5d4218ba67c3bb090144363457fd981016f71b359078

MD5 hash:

94313505a34498735e061a90846b1f35

SHA1 hash:

a61e50ed7ff9f1d5c8d02b70b6f9938c6e1a185f

Detections:

win_darkcomet_g0

win_darkcomet_auto

Link:

https://www.unpac.me/results/b1ef82f9-6308-4912-af18-072cde051b5c/

SH256 hash:

87fd1a37f56e55cc20cdf882955d9ac37a857bd0bf12c480ea76f9a452438ab6

MD5 hash:

3602f8e02342949364e8669e0c88f686

SHA1 hash:

8b2f47300d6fecd4d5fcef477b7cbd63cf6ef8c5

Link:

https://www.unpac.me/results/b1ef82f9-6308-4912-af18-072cde051b5c/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Intezer_Vaccine_DarkComet Create hunting rule
Author:	Intezer Labs
Description:	Automatic YARA vaccination rule created based on the file's genes
Reference:	https://analyze.intezer.com

Rule name:	IPPort_combo_mem Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	RAT_DarkComet Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects DarkComet RAT
Reference:	http://malwareconfig.com/stats/DarkComet

Rule name:	win_darkcomet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator