MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 967db64d16674b438203bc9303f8e7ad4f424ada45eb28330dd61295ee86786d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 967db64d16674b438203bc9303f8e7ad4f424ada45eb28330dd61295ee86786d
SHA3-384 hash: 12349df2b4e99a5ff234d91c3e3136ac233c432705c72ac8816fc697cd788aee93faf19758f38d96dee4a1eed7f38554
SHA1 hash: d7ab578bfdac92f5741f46361bbfeab3246bc940
MD5 hash: 0344d9439a0abefc67c14a8df8c5cc98
humanhash: jersey-carbon-cola-carolina
File name:cea8ac405bb7efe077aae3f912e1ba36.exe
Download: download sample
Signature DarkComet
Create hunting rule
File size:673'792 bytes
First seen:2020-03-31 18:28:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e5b4359a3773764a372173074ae9b6bd (60 x DarkComet, 2 x njrat, 1 x NanoCore)
ssdeep 12288:i9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h2:OZ1xuVVjfFoynPaVBUR8f+kN10EBk
Threatray 41 similar samples on MalwareBazaar
TLSH 60E48E31F1808837D97219789C5F92E6982A7E202E39754B3AE62F4C5F3D6C239193D7
Reporter abuse_ch
Tags:DarkComet exe GuLoader


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://onedrive.live.com/download?cid=4D4D07581D39B63D&resid=4D4D07581D39B63D%21117&authkey=AEZ-8b0NVZTY-T0

Intelligence

File Origin
# of uploads :
1
# of downloads :
487
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.DarkKomet-1
Create hunting rule

PUA.Win.Packer.Exe-6
Create hunting rule

Win.Trojan.Darkkomet-6745084-0
Create hunting rule

Win.Trojan.Vobfus-6875610-0
Create hunting rule

Win.Trojan.Darkkomet-7113180-0
Create hunting rule

PUA.Win.Packer.PrivateEXEProtector4-6192998-2
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

PUA.Win.Adware.Dealply-6888238-0
Create hunting rule

Win.Trojan.Fynloski-40
Create hunting rule

Gathering data
Threat name:
Win32.Backdoor.Fynloski
Create hunting rule
Status:
Malicious
First seen:
2020-03-31 18:35:36 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
46 of 47 (97.87%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
03e6b99846c4ab6a841fa7aa135d2e7230a98957c1595e2ee0bc2b14329871ca
DarkComet
04ecc8a39bb1236fb737256d4438f3781141a95d8d55576bd1a7e17a0c8b5aa0
DarkComet
17ae41e1fde622159bcfd56e80ce0cdee5edfc147370e77091f17eed192d54e0
DarkComet
1f9ff29afc60eebf41511416db4988007f3d041744574ac144f88eaf82e52b25
DarkComet
4cd80b1158f28fc2c53e2f84e5ae119bf54cc2507a8d649e649f2cc6458bf2de
DarkComet
5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944
DarkComet
78b1751491463b0d579eda079654d1dfb9296b98e2867b4fdc765256e5962398
DarkComet
a3c44389aac31e62cd3267525d4cfebbd65c32fbaec918500b606d67b0ea62d8
DarkComet
b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b
DarkComet
e3d039ff4df80a16aec37b13d85f4e75703de36b19694e3a70bae79b2eb46cc5
DarkComet
+ 31 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

961b007ccba9f5db7cb09273ed00d8a492cf074997ea347952a3383cf903c5aa

DarkComet

Executable exe 967db64d16674b438203bc9303f8e7ad4f424ada45eb28330dd61295ee86786d

(this sample)

  
Dropped by
MD5 cea8ac405bb7efe077aae3f912e1ba36
  
Dropped by
MD5 5dc417a8519bbb0ca5eb94681307da4a
  
Dropped by
GuLoader
  
Dropped by
SHA256 961b007ccba9f5db7cb09273ed00d8a492cf074997ea347952a3383cf903c5aa
  
Dropped by
SHA256 dbbf05d4386bca89d23e293ecb3b790bc7f204d7b78780ca5dff7d0fa246c506
  
URLhaus
https://urlhaus.abuse.ch/url/333075/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::GetSidSubAuthorityCount
advapi32.dll::GetSidSubAuthority
advapi32.dll::IsValidSid
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipGetImageEncoders
gdiplus.dll::GdipGetImageEncodersSize
gdiplus.dll::GdipDeleteGraphics
gdiplus.dll::GdipAlloc
MULTIMEDIA_APICan Play Multimediamsacm32.dll::acmStreamClose
msacm32.dll::acmStreamConvert
msacm32.dll::acmStreamOpen
msacm32.dll::acmStreamPrepareHeader
msacm32.dll::acmStreamReset
msacm32.dll::acmStreamSize
NET_SHARE_APICan access Network Sharenetapi32.dll::NetShareEnum
netapi32.dll::NetShareGetInfo
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
advapi32.dll::GetSidIdentifierAuthority
advapi32.dll::GetTokenInformation
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteExA
shell32.dll::ShellExecuteA
shell32.dll::SHFileOperationA
shell32.dll::SHGetFileInfoA
URL_MONIKERS_APICan Download & Execute componentsURLMON.DLL::URLDownloadToFileA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateRemoteThread
kernel32.dll::CreateProcessA
kernel32.dll::OpenProcess
advapi32.dll::OpenProcessToken
advapi32.dll::OpenThreadToken
kernel32.dll::VirtualAllocEx
WIN_BASE_APIUses Win Base APIkernel32.dll::TerminateProcess
ntdll.dll::NtQuerySystemInformation
kernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetDriveTypeA
kernel32.dll::GetVolumeInformationA
WIN_BASE_EXEC_APICan Execute other programskernel32.dll::WinExec
WIN_BASE_IO_APICan Create Fileskernel32.dll::CopyFileA
kernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::CreateFileMappingA
kernel32.dll::DeleteFileA
kernel32.dll::MoveFileA
WIN_BASE_USER_APIRetrieves Account Informationkernel32.dll::GetComputerNameA
advapi32.dll::GetUserNameA
advapi32.dll::LookupAccountSidA
advapi32.dll::LookupPrivilegeDisplayNameA
advapi32.dll::LookupPrivilegeNameA
advapi32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegCreateKeyExA
advapi32.dll::RegCreateKeyA
advapi32.dll::RegDeleteKeyA
advapi32.dll::RegOpenKeyExA
advapi32.dll::RegOpenKeyA
advapi32.dll::RegQueryInfoKeyA
WIN_SOCK_APIUses Network to send and receive dataWS2_32.DLL::WSAIoctl
WIN_SVC_APICan Manipulate Windows Servicesadvapi32.dll::ControlService
advapi32.dll::CreateServiceA
advapi32.dll::OpenSCManagerA
advapi32.dll::OpenServiceA
advapi32.dll::QueryServiceStatus
advapi32.dll::StartServiceA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::EmptyClipboard
user32.dll::FindWindowExA
user32.dll::FindWindowA
user32.dll::LockWorkStation

Comments