MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97eee5ecf6cc23c32ec2eadf116cc10976696962e7f2cd6c124b3761b4409521. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkComet

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	97eee5ecf6cc23c32ec2eadf116cc10976696962e7f2cd6c124b3761b4409521
SHA3-384 hash:	c11a6444f88b2a95979fb525de577e6707709bd6642627e4458364f72f2f143bea892f71b02897cae50566ec28745c62
SHA1 hash:	2ccc0033adcb96f52aa0af850480465b62a76b0f
MD5 hash:	59b083bb93311967ade4787a38a71da4
humanhash:	oxygen-juliet-nuts-freddie
File name:	97eee5ecf6cc23c32ec2eadf116cc10976696962e7f2cd6c124b3761b4409521
Download:	download sample
Signature	DarkComet Create hunting rule
File size:	701'440 bytes
First seen:	2021-02-28 07:08:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e5b4359a3773764a372173074ae9b6bd (60 x DarkComet, 2 x njrat, 1 x NanoCore)
ssdeep	12288:h9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hr35Cxc:bZ1xuVVjfFoynPaVBUR8f+kN10EBfuc
Threatray	95 similar samples on MalwareBazaar
TLSH	FEE48E31F1808837D97219789C5F92E5982A7E202E39754B3AE62F4C5F3D6C2391A3D7
Reporter	JAMESWT_WT
Tags:	DarkComet

Intelligence

File Origin

# of uploads :

# of downloads :

930

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

97eee5ecf6cc23c32ec2eadf116cc10976696962e7f2cd6c124b3761b4409521

Verdict:

Suspicious activity

Analysis date:

2021-02-28 07:38:30 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/165b6b42-888e-4413-95ee-a7d3119e09f7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DarkComet

Link:

https://www.capesandbox.com/analysis/119794/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file

Sending a UDP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Darkcomet Njrat

Detection:

malicious

Classification:

rans.troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/620725

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes security center settings (notifications, updates, antivirus, firewall)

Connects to many ports of the same IP (likely port scanning)

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to log keystrokes

Contains functionalty to change the wallpaper

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Detected Darkcomet RAT

Drops PE files to the document folder of the user

Drops PE files to the startup folder

Drops PE files with benign system names

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Svchost Process

Sigma detected: System File Execution Location Anomaly

System process connects to network (likely due to code injection or exploit)

Uses dynamic DNS services

Yara detected DarkComet

Yara detected Njrat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/97eee5ecf6cc23c32ec2eadf116cc10976696962e7f2cd6c124b3761b4409521/

Threat name:

Win32.Backdoor.Fynloski

Status:

Malicious

First seen:

2021-02-25 01:53:05 UTC

AV detection:

46 of 48 (95.83%)

Threat level:

5/5

Verdict:

malicious

DarkComet

04ecc8a39bb1236fb737256d4438f3781141a95d8d55576bd1a7e17a0c8b5aa0

DarkComet

1c876d45db060f5be86ab9a13496c0b280d3c6031f00bb4ffebae99566a9249b

DarkComet

1fccab885b5fbfef621f85299c5c698965a415f96e1966ef278d9268cb5d921a

DarkComet

4ddb173a67ca5a5ccce340d40afcbfae4bc7d929ab41c07a6972269c6c71348b

DarkComet

52363e55c329e7a7811cf4d16f659550d8b04643b3a5de3938a011d65b1cb8a0

DarkComet

967db64d16674b438203bc9303f8e7ad4f424ada45eb28330dd61295ee86786d

DarkComet

9d8f404a77df431743b649f88642c7dd724c136eec43c94a55cfbb0f41d645c8

DarkComet

b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b

DarkComet

e3d039ff4df80a16aec37b13d85f4e75703de36b19694e3a70bae79b2eb46cc5

DarkComet

+ 85 additional samples on MalwareBazaar

Result

Malware family:

darkcomet

Score:

10/10

Tags:

family:darkcomet persistence rat trojan

Link:

https://tria.ge/reports/210228-q1h3ewd28e/

Behaviour

Suspicious use of AdjustPrivilegeToken

Enumerates physical storage devices

Adds Run key to start application

Darkcomet

Modifies WinLogon for persistence

Unpacked files

SH256 hash:

97eee5ecf6cc23c32ec2eadf116cc10976696962e7f2cd6c124b3761b4409521

MD5 hash:

59b083bb93311967ade4787a38a71da4

SHA1 hash:

2ccc0033adcb96f52aa0af850480465b62a76b0f

Detections:

win_darkcomet_g0

win_darkcomet_auto

Link:

https://www.unpac.me/results/ad38c1da-8c39-42c0-980d-c811b747a8a0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DarkComet

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/97eee5ecf6cc23c32ec2eadf116cc10976696962e7f2cd6c124b3761b4409521

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/119794/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample