MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8df919d13e79c80c26053c7aa529fc3a0b49c0db77f957b38c49e80e9ffb53a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 15


Intelligence 15 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8df919d13e79c80c26053c7aa529fc3a0b49c0db77f957b38c49e80e9ffb53a4
SHA3-384 hash: 5c5396a032877f2e5fde3d186d8d85817db08ad36d05f2e6cb3915d7a344bac3e0ad0283d2f6c5cd351eddbb6f2b8162
SHA1 hash: 4906f7060ab6480b74f7595c35d980c6362fc5b2
MD5 hash: c024f8b0b4261b9be1b91c6ade2dda7c
humanhash: enemy-dakota-diet-pizza
File name:DarkComet - v.5.3.1 FWB.exe
Download: download sample
Signature DarkComet
Create hunting rule
File size:18'203'136 bytes
First seen:2022-10-09 15:59:26 UTC
Last seen:2022-10-09 17:22:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'754 x AgentTesla, 19'663 x Formbook, 12'252 x SnakeKeylogger)
ssdeep 196608:j9MP1MAjVO50UX2gZ71Sh2c8YcGrDUHFy0L+jvKqivOt4AdomZ0p1lm2fB1p4oUg:j9MP1Q6F8RC8tQRiqcU4mzKp1E2fBS
TLSH T11E073318B7FE2508CDA9A0F18F4D83E4C9654E0586434539AB6F3B216925D3B6FC23ED
TrID 73.6% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.6% (.EXE) Win64 Executable (generic) (10523/12/4)
5.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.5% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f0c1e0e8dcd8cc6c (2 x DarkComet)
Reporter amogos123512
Tags:DarkComet exe RAT troll


Avatar
amogos123512
troll

Intelligence

File Origin
# of uploads :
4
# of downloads :
463
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
darkcomet
Create hunting rule
ID:
1
File name:
https://www.dosya.tc/server38/izkuzp/DarkComet_-_v.5.3.1_FWB.zip.html
Verdict:
Malicious activity
Analysis date:
2022-10-09 14:43:33 UTC
Tags:
darkcomet trojan rat
Link:
https://app.any.run/tasks/62faf966-b703-4d2b-9994-937896a60236

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1560.32725.12418.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Enabling the 'hidden' option for recently created files
Creating a window
Creating a file in the Windows subdirectories
Launching a process
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6342f00452a501aa424812fb/reports/2d910a91-cbcd-427b-ae23-3c076ee54147/overview
Result
Verdict:
MALICIOUS
Malware family:
DarkComet
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/796cb16c-a6b6-47d4-8779-4044fc2b4aa6
Result
Threat name:
DarkComet
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1086528
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes
Contains functionality to register a low level keyboard hook
Contains functionalty to change the wallpaper
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Injects files into Windows application
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Yara detected DarkComet
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 719085 Sample: DarkComet - v.5.3.1 FWB.exe Startdate: 09/10/2022 Architecture: WINDOWS Score: 100 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus detection for dropped file 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 5 other signatures 2->45 8 DarkComet - v.5.3.1 FWB.exe 4 2->8         started        process3 file4 23 C:\Users\user\...\DarkComet - v.5.3.1 FWB.exe, PE32 8->23 dropped 25 C:\ProgramData\DarkComet - v.5.3.1 FWB.exe, MS-DOS 8->25 dropped 27 C:\Users\...\DarkComet - v.5.3.1 FWB.exe.log, ASCII 8->27 dropped 11 DarkComet - v.5.3.1 FWB.exe 1 3 8->11         started        15 DarkComet - v.5.3.1 FWB.exe 8->15         started        process5 file6 29 C:\Windows\SysWOW64\MSDCSC\msdcsc.exe, MS-DOS 11->29 dropped 49 Creates an undocumented autostart registry key 11->49 51 Drops executables to the windows directory (C:\Windows) and starts them 11->51 53 Creates an autostart registry key pointing to binary in C:\Windows 11->53 17 msdcsc.exe 11->17         started        signatures7 process8 signatures9 31 Antivirus detection for dropped file 17->31 33 Contains functionalty to change the wallpaper 17->33 35 Machine Learning detection for dropped file 17->35 37 7 other signatures 17->37 20 iexplore.exe 17->20         started        process10 signatures11 47 Injects files into Windows application 20->47
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8df919d13e79c80c26053c7aa529fc3a0b49c0db77f957b38c49e80e9ffb53a4/
Threat name:
ByteCode-MSIL.Backdoor.Daromec
Create hunting rule
Status:
Malicious
First seen:
2022-10-09 16:00:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rx4rtuj6pheayjqfhr5kkkp4hifutqg3o74vpm4mjhua5h73kosa._file
Verdict:
malicious
Result
Malware family:
darkcomet
Create hunting rule
Score:
  10/10
Tags:
family:darkcomet botnet:guest16 persistence rat trojan
Link:
https://tria.ge/reports/221009-tfmmcahbg5/
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Darkcomet
Modifies WinLogon for persistence
Malware Config
C2 Extraction:
dnsali.3utilities.com:1604
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cf4fcaad-f0ed-445b-91d6-cf9d85573f29
Unpacked files
SH256 hash:
9726b5338ad442af484457875b53125949be30443c32ae30aaa7dca745ebcb35
MD5 hash:
baae76330a8ff174be812a43455ae9e4
SHA1 hash:
240d7d440ef530009fa47489f16a2a28e8404f93
Link:
https://www.unpac.me/results/31d82663-1fda-4897-baf5-a234f9c99c1b/
SH256 hash:
561c24f9d8f8c667558a33ecef1f39cfae88f163f2618496aba96334afc3e9c5
MD5 hash:
caced8edc397df7d4fc63b6f9dc5f2e2
SHA1 hash:
b1ece378faa4f9ee8f384ca53302a0ec5c3d6073
Link:
https://www.unpac.me/results/31d82663-1fda-4897-baf5-a234f9c99c1b/
SH256 hash:
4d5b0bb924898acc5937d9e5c373c11b19f0933e96e3d9a182fe64c683dfa5e5
MD5 hash:
e39e0912ed8f4111b85e7fa8c04cacbc
SHA1 hash:
1f89c439c4c00df08967535e6c52835d3f98cffc
Link:
https://www.unpac.me/results/31d82663-1fda-4897-baf5-a234f9c99c1b/
SH256 hash:
9343339fadfe0f62d6fd46c6131ed9fdf01978d817192984e69a8bbecfb406d2
MD5 hash:
34960f869aa933675a70c0c7c17addfe
SHA1 hash:
b01ec370b3571d70a2d111f35d5514cc7a18d422
Detections:
win_darkcomet_a0
Create hunting rule
win_darkcomet_auto
Create hunting rule
win_darkcomet_g0
Create hunting rule
Link:
https://www.unpac.me/results/31d82663-1fda-4897-baf5-a234f9c99c1b/
Parent samples :
55788187a18d12723bbba31b170c83008999a405625ea9f5525d6f655ad2d565
27db51f010cd9e7f83daf474ba1d78022cf61704fe114552a98d464b08383b38
9343339fadfe0f62d6fd46c6131ed9fdf01978d817192984e69a8bbecfb406d2
8df919d13e79c80c26053c7aa529fc3a0b49c0db77f957b38c49e80e9ffb53a4
SH256 hash:
21ca06b18698d14154a45822aaae1e3837d168cc7630bcd3ec3d8c68aaa959e6
MD5 hash:
d761f3aa64064a706a521ba14d0f8741
SHA1 hash:
ab7382bcfdf494d0327fccce9c884592bcc1adeb
Detections:
win_darkcomet_a0
Create hunting rule
win_darkcomet_g0
Create hunting rule
Link:
https://www.unpac.me/results/31d82663-1fda-4897-baf5-a234f9c99c1b/
Parent samples :
21ca06b18698d14154a45822aaae1e3837d168cc7630bcd3ec3d8c68aaa959e6
8df919d13e79c80c26053c7aa529fc3a0b49c0db77f957b38c49e80e9ffb53a4
SH256 hash:
35113dc6efb18cea57f44d90eb9b0e49f03cc6cc4345336fe6eee54f29785cc1
MD5 hash:
1ef90d6ca778e1a887fd02a7bb603522
SHA1 hash:
1ae355b65d79bdf1f3ad693484da21056c3f4e64
Link:
https://www.unpac.me/results/31d82663-1fda-4897-baf5-a234f9c99c1b/
SH256 hash:
8df919d13e79c80c26053c7aa529fc3a0b49c0db77f957b38c49e80e9ffb53a4
MD5 hash:
c024f8b0b4261b9be1b91c6ade2dda7c
SHA1 hash:
4906f7060ab6480b74f7595c35d980c6362fc5b2
Link:
https://www.unpac.me/results/31d82663-1fda-4897-baf5-a234f9c99c1b/
Malware family:
DarkComet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8df919d13e79/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkComet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8df919d13e79c80c26053c7aa529fc3a0b49c0db77f957b38c49e80e9ffb53a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:Intezer_Vaccine_DarkComet
Create hunting rule
Author:Intezer Labs
Description:Automatic YARA vaccination rule created based on the file's genes
Reference:https://analyze.intezer.com
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:Malware_QA_update_RID2DAD
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:MALWARE_Win_DarkComet
Create hunting rule
Author:ditekSHen
Description:Detects DarkComet
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:RAT_DarkComet
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects DarkComet RAT
Reference:http://malwareconfig.com/stats/DarkComet
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_darkcomet_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments