MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94a32b234e3acda70a26f78a56620a6aa7cf6dc21672766e38a75211e13108aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94a32b234e3acda70a26f78a56620a6aa7cf6dc21672766e38a75211e13108aa
SHA3-384 hash: 3b40156f8f88fea4cad53e8768731e48fd85c8ae27b73294335e3653930bfae575afd7c102fc2a43907fde020d8b414f
SHA1 hash: dbf72c12e2426ffec61931b689aa6b125b5ea8da
MD5 hash: b1921a0b77624659f6bbaac0f9d399bf
humanhash: carolina-angel-robin-pennsylvania
File name:94a32b234e3acda70a26f78a56620a6aa7cf6dc21672766e38a75211e13108aa
Download: download sample
Signature DarkComet
Create hunting rule
File size:882'712 bytes
First seen:2020-11-12 14:33:13 UTC
Last seen:2024-07-24 19:12:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 445ace49ce8715761aa4689aa6290cc7 (7 x DarkComet)
ssdeep 12288:IhT54muwkQCvdoSFFf9fdVpKraZyKgOqirsas5mMf2Sa09EHy5HG6Dwa:o5pzqdoSFFFfdVEraaRhaRM+SJCyL
Threatray 3'492 similar samples on MalwareBazaar
TLSH 4415F1FC8E9E794AF10CC67DE8DDD9944C692D7AC49088CC34CA2DC227B36D587D056A
Reporter seifreed
Tags:DarkComet

Intelligence

File Origin
# of uploads :
2
# of downloads :
741
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.DarkKomet-9789772-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Setting a keyboard event handler
DNS request
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DarkComet
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/533650
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DarkComet
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 315929 Sample: s6qmLfR0YA Startdate: 13/11/2020 Architecture: WINDOWS Score: 100 35 pagga.net 2->35 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 3 other signatures 2->55 8 s6qmLfR0YA.exe 3 5 2->8         started        12 wscript.exe 1 2->12         started        14 wscript.exe 1 2->14         started        signatures3 process4 dnsIp5 37 192.168.2.1 unknown unknown 8->37 33 C:\Users\user\AppData\Local\...\soxvare.exe, PE32 8->33 dropped 16 soxvare.exe 1 8->16         started        19 wscript.exe 1 8->19         started        21 soxvare.exe 1 12->21         started        23 soxvare.exe 1 14->23         started        file6 process7 signatures8 41 Antivirus detection for dropped file 16->41 43 Multi AV Scanner detection for dropped file 16->43 45 Detected unpacking (changes PE section rights) 16->45 47 4 other signatures 16->47 25 soxvare.exe 2 16->25         started        29 soxvare.exe 21->29         started        31 soxvare.exe 1 23->31         started        process9 dnsIp10 39 pagga.net 25->39 57 Installs a global keyboard hook 25->57 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94a32b234e3acda70a26f78a56620a6aa7cf6dc21672766e38a75211e13108aa/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-11-12 14:36:09 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ssrswi2ohlg2ocrg66ffmyqknkt463occzzhm3ryu5jbdyjrbcva._file
Verdict:
malicious
Similar samples:
03e6b99846c4ab6a841fa7aa135d2e7230a98957c1595e2ee0bc2b14329871ca
DarkComet
17ae41e1fde622159bcfd56e80ce0cdee5edfc147370e77091f17eed192d54e0
DarkComet
1f9ff29afc60eebf41511416db4988007f3d041744574ac144f88eaf82e52b25
DarkComet
1fccab885b5fbfef621f85299c5c698965a415f96e1966ef278d9268cb5d921a
DarkComet
4cd80b1158f28fc2c53e2f84e5ae119bf54cc2507a8d649e649f2cc6458bf2de
DarkComet
5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944
DarkComet
78b1751491463b0d579eda079654d1dfb9296b98e2867b4fdc765256e5962398
DarkComet
a3a2849495ec0b496a9270954ba4754d37c3ffba42890de7dc91318adc4dfd25
DarkComet
a3c44389aac31e62cd3267525d4cfebbd65c32fbaec918500b606d67b0ea62d8
DarkComet
c960f47eb155a0066c0e4e279c296d0516edf66cf032b44188fe3d7f3a16aef6
DarkComet
+ 3'482 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201112-3dj9cv1egx/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
94a32b234e3acda70a26f78a56620a6aa7cf6dc21672766e38a75211e13108aa
MD5 hash:
b1921a0b77624659f6bbaac0f9d399bf
SHA1 hash:
dbf72c12e2426ffec61931b689aa6b125b5ea8da
Link:
https://www.unpac.me/results/7faacc9c-9298-48ac-bee1-b72eba54aab4/
SH256 hash:
29d178b91afe7b1e10914e2f126660ef0f45fbcb2195a4e6e37dbb8180c24552
MD5 hash:
6fd8a431872197f766d75d7b8b3a3eca
SHA1 hash:
50b0205fa53d195bd69f4533981871fe1a1beb9b
Detections:
win_darkcomet_g0
Create hunting rule
win_darkcomet_auto
Create hunting rule
Link:
https://www.unpac.me/results/7faacc9c-9298-48ac-bee1-b72eba54aab4/
Parent samples :
1fccab885b5fbfef621f85299c5c698965a415f96e1966ef278d9268cb5d921a
94a32b234e3acda70a26f78a56620a6aa7cf6dc21672766e38a75211e13108aa
ce60e52706f38f48346bb145366a36a1388fa624babbec07762ab0120f194a8a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Intezer_Vaccine_DarkComet
Create hunting rule
Author:Intezer Labs
Description:Automatic YARA vaccination rule created based on the file's genes
Reference:https://analyze.intezer.com
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:RAT_DarkComet
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects DarkComet RAT
Reference:http://malwareconfig.com/stats/DarkComet

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments