MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1e995c3ae3dc0bb88284a79ceb53fc6c723e0f78aaf545053f25a7927c58ab8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1e995c3ae3dc0bb88284a79ceb53fc6c723e0f78aaf545053f25a7927c58ab8
SHA3-384 hash: a1847de65ed6e2d01ffbb2dee031c4568b9ea664a9938ea2a735ce6dfd4b06a64aeb53b752dd237573f4d9ad95ae2cec
SHA1 hash: eeff536398034874344135014a64748062ecf7e7
MD5 hash: 1da41cbb96294f0f5fdcf6f5e4852316
humanhash: winner-bakerloo-spring-gee
File name:a1e995c3ae3dc0bb88284a79ceb53fc6c723e0f78aaf545053f25a7927c58ab8
Download: download sample
Signature DarkComet
Create hunting rule
File size:1'121'530 bytes
First seen:2021-08-30 06:21:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2b8c9d9ab6fefc247adaf927e83dcea6 (1 x DarkComet)
ssdeep 24576:3xaVxr54Qcim6KKHdk9cRAbiMPT0VUGLie7fwCHxHBho8T:3WcimDGiD1GLie8CHVBho8T
Threatray 164 similar samples on MalwareBazaar
TLSH T159351292B5D090F9E8E932F1BD6B742022BA7E3C54E1934EA2B5771535B3243CD1A60F
dhash icon b2b29290f0f2b2b6 (1 x DarkComet, 1 x RedLineStealer)
Reporter JAMESWT_WT
Tags:DarkComet exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
754
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a1e995c3ae3dc0bb88284a79ceb53fc6c723e0f78aaf545053f25a7927c58ab8
Verdict:
Malicious activity
Analysis date:
2021-08-30 07:07:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3e5ea762-9c5a-4349-9ad2-a3bf751a7abf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkComet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/183547/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.31000066.27749.7131.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Delayed reading of the file
Creating a process from a recently created file
Enabling the 'hidden' option for files in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file
Enabling the 'hidden' option for recently created files
Sending a UDP request
Launching a process
DNS request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun
Malware family:
DarkComet
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aa563bb6-af3b-444a-bf72-68f9b2b4eccc
Result
Threat name:
Darkcomet
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842076
Signature
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes
Contains functionalty to change the wallpaper
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates files with lurking names (e.g. Crack.exe)
Creates multiple autostart registry keys
Detected Darkcomet RAT
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the document folder of the user
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Yara detected DarkComet
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 474507 Sample: iCLDJpsKWn Startdate: 31/08/2021 Architecture: WINDOWS Score: 100 92 Malicious sample detected (through community Yara rule) 2->92 94 Multi AV Scanner detection for submitted file 2->94 96 Yara detected DarkComet 2->96 98 Uses dynamic DNS services 2->98 14 iCLDJpsKWn.exe 1 13 2->14         started        process3 file4 66 C:\Users\user\AppData\Local\...\svhost.exe, PE32 14->66 dropped 68 C:\Users\user\AppData\Local\...\crack.exe, PE32 14->68 dropped 70 C:\Users\user\AppData\Local\...\Patch.exe, PE32 14->70 dropped 72 C:\Users\user\AppData\Local\...\IniCrack.exe, PE32 14->72 dropped 132 Creates files with lurking names (e.g. Crack.exe) 14->132 18 IniCrack.exe 2 14->18         started        signatures5 process6 signatures7 100 Multi AV Scanner detection for dropped file 18->100 21 cmd.exe 1 18->21         started        23 conhost.exe 18->23         started        process8 process9 25 crack.exe 1 3 21->25         started        29 svhost.exe 2 3 21->29         started        31 Patch.exe 21->31         started        file10 60 C:\Windows\SysWOW64\host\svhost.exe, PE32 25->60 dropped 108 Antivirus detection for dropped file 25->108 110 Multi AV Scanner detection for dropped file 25->110 112 Detected Darkcomet RAT 25->112 124 6 other signatures 25->124 33 svhost.exe 1 3 25->33         started        62 C:\Users\user\Documents\MSDCSC\msdcsc.exe, PE32 29->62 dropped 114 Drops PE files to the document folder of the user 29->114 116 Contains functionalty to change the wallpaper 29->116 118 Machine Learning detection for dropped file 29->118 120 Creates multiple autostart registry keys 29->120 36 msdcsc.exe 2 29->36         started        122 Tries to detect virtualization through RDTSC time measurements 31->122 39 WerFault.exe 31->39         started        41 WerFault.exe 31->41         started        signatures11 process12 dnsIp13 78 Antivirus detection for dropped file 33->78 80 Detected Darkcomet RAT 33->80 82 Contains functionalty to change the wallpaper 33->82 43 svhost.exe 3 33->43         started        74 192.168.2.8 unknown unknown 36->74 76 matzeleinchen.no-ip.biz 36->76 84 Multi AV Scanner detection for dropped file 36->84 86 Machine Learning detection for dropped file 36->86 88 Contains functionality to capture and log keystrokes 36->88 90 Installs a global keyboard hook 36->90 47 iexplore.exe 36->47         started        49 explorer.exe 36->49         started        signatures14 process15 file16 64 C:\Windows\SysWOW64\host\...\svhost.exe, PE32 43->64 dropped 126 Antivirus detection for dropped file 43->126 128 Multi AV Scanner detection for dropped file 43->128 130 Machine Learning detection for dropped file 43->130 51 svhost.exe 1 1 43->51         started        signatures17 process18 signatures19 102 Antivirus detection for dropped file 51->102 104 Multi AV Scanner detection for dropped file 51->104 106 Machine Learning detection for dropped file 51->106 54 svhost.exe 51->54         started        process20 process21 56 svhost.exe 54->56         started        process22 58 svhost.exe 56->58         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1e995c3ae3dc0bb88284a79ceb53fc6c723e0f78aaf545053f25a7927c58ab8/
Threat name:
Win32.Backdoor.DarkComet
Create hunting rule
Status:
Malicious
First seen:
2012-04-20 10:04:00 UTC
File Type:
PE (Exe)
Extracted files:
95
AV detection:
37 of 46 (80.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uhuzlq5ohxalxcbijj445nj7y3dshyhxrkxviuct6jnhsj6frk4a._file
Verdict:
malicious
Similar samples:
121a202b4ff70f91e823c347f13784ec44525a9b0d4940c449e5db442acc6536
DarkComet
2ebc7cf945c4eba60eb0f25f6b58eb8d7d0558f6b5622530b2b3808987173952
DarkComet
846d82f6f9d6b965ef683cd91724d72917263cf21e9f0f7e4ed2cb4f1ceacce8
DarkComet
8eb3881ba7d320c0760042529414e8ee87b8bfc648c34d87dd36ed854b0c8b7b
DarkComet
b41ce85e33620cf66ce5d7d284a31d784c89ad096f4d7cc79c50a8b1c121e5e9
DarkComet
b906fffb5dfe57a4a0704e2a89803ce0af2f9e6dc16338fab258051f1c8c4c0e
DarkComet
f75668dcd2d8c554bde126315253439858d2155588b1889473a7df5914537f10
DarkComet
+ 154 additional samples on MalwareBazaar
Result
Malware family:
darkcomet
Create hunting rule
Score:
  10/10
Tags:
family:darkcomet botnet:angrybirdsspace-1 persistence rat trojan upx
Link:
https://tria.ge/reports/210830-v7eqzastnx/
Behaviour
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
UPX packed file
Darkcomet
Modifies WinLogon for persistence
Malware Config
C2 Extraction:
daveini12.no-ip.biz:177
192.168.0.119:177
Unpacked files
SH256 hash:
de7d1352ad024bc957a645fb3637c4655ed5692669ec5da577778bbe0f3815e9
MD5 hash:
ab22461e376361581e4c33e43fe9510e
SHA1 hash:
f732260f60373d296e32f28998bddf7bffed1635
Link:
https://www.unpac.me/results/8146291a-cd68-427a-821d-5bea3c87bb49/
SH256 hash:
b8ad3075fa5ab22901c46f4b0c2a98b0c4ff3f256418316d1ba873a65f657b9a
MD5 hash:
2b76a77a6978a80dce3ec219c62b3e4c
SHA1 hash:
6b7a1ec41477b83af59296856690d94ca3f9fa2f
Detections:
win_darkcomet_g0
Create hunting rule
win_darkcomet_auto
Create hunting rule
Link:
https://www.unpac.me/results/8146291a-cd68-427a-821d-5bea3c87bb49/
SH256 hash:
a1e995c3ae3dc0bb88284a79ceb53fc6c723e0f78aaf545053f25a7927c58ab8
MD5 hash:
1da41cbb96294f0f5fdcf6f5e4852316
SHA1 hash:
eeff536398034874344135014a64748062ecf7e7
Link:
https://www.unpac.me/results/8146291a-cd68-427a-821d-5bea3c87bb49/
Malware family:
DarkComet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a1e995c3ae3d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkComet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1e995c3ae3dc0bb88284a79ceb53fc6c723e0f78aaf545053f25a7927c58ab8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Intezer_Vaccine_DarkComet
Create hunting rule
Author:Intezer Labs
Description:Automatic YARA vaccination rule created based on the file's genes
Reference:https://analyze.intezer.com
Rule name:Malware_QA_update
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file update.exe
Reference:VT Research QA
Rule name:RAT_DarkComet
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects DarkComet RAT
Reference:http://malwareconfig.com/stats/DarkComet

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/183547/

Comments