MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6191c6a038f6d49e6941f00ded6a45cf3050ff0a2ecea3a3b3b462dc580f352. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkComet

Vendor detections: 12

Intelligence 12 IOCs YARA 7 File information Comments

SHA256 hash:	b6191c6a038f6d49e6941f00ded6a45cf3050ff0a2ecea3a3b3b462dc580f352
SHA3-384 hash:	4418c97c544384164801ebb32d3c5da4fc5fa210be8b6a5424637a132e10ad8dc5fa8185844ff1bbfec38cfa3db66a52
SHA1 hash:	fcdaed8c771069c111afb78bd1d2ebaeb28a6688
MD5 hash:	f88cdbcb740a75972cfef27692239991
humanhash:	kilo-nitrogen-nebraska-mobile
File name:	Purchase Order 461.exe
Download:	download sample
Signature	DarkComet Create hunting rule
File size:	2'107'904 bytes
First seen:	2021-09-17 13:31:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep	49152:f0PlF5VhfpvYkTjRwxoBdZDDmv6AKyEQclewdd5/l+:fURvYeRxTjmDwdd
Threatray	132 similar samples on MalwareBazaar
TLSH	T168A5E0F1516AC1C3F2E69DB11FCE8670B4F07ABCD8D8125D61D8AA25C2A27A410DD2FD
dhash icon	ecec94c4c4c4c4d4 (1 x DarkComet)
Reporter	Anonymous
Tags:	DarkComet exe

Intelligence

File Origin

# of uploads :

# of downloads :

867

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Purchase Order 461.exe

Verdict:

Malicious activity

Analysis date:

2021-09-17 13:32:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2755ee77-6c4f-4071-b936-5c8d218aeaa8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/188708/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Adding an access-denied ACE

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Launching a process

DNS request

Connection attempt to an infection source

Query of malicious DNS domain

Enabling autorun

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/61752c4c9a5a1e91c5d207c4/reports/b9cb1db5-1a23-40c2-ade4-9e9e4e23e0bc/overview

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/4dfddfea-2bc4-4daf-8157-4594f278b931

Result

Threat name:

DarkComet

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/852742

Signature

Allocates memory in foreign processes

Creates an undocumented autostart registry key

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

PE file contains section with special chars

Sample uses process hollowing technique

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to evade analysis by execution special instruction which cause usermode exception

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected DarkComet

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b6191c6a038f6d49e6941f00ded6a45cf3050ff0a2ecea3a3b3b462dc580f352/

Threat name:

Win32.Packed.Themida

Status:

Malicious

First seen:

2021-09-17 13:32:46 UTC

AV detection:

16 of 28 (57.14%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wymry2qdr5wutzuud4an5vveltzqkd7qulwouor3hndc3rma6nja._file

Verdict:

malicious

DarkComet

36f82bc3bcd30f18bb210cd10881cfe13e9a22e06e26930828bb6c8a951bfafe

DarkComet

38b951946943714900dc29bb01ce025a84e0f52f095e2901e74a509b9499f2c6

DarkComet

864e6ddd9c09a95df11b80abbaa0b1a9a4fb890cb27ad21883f44853094bb0cd

DarkComet

8e76055823664f0cabcd8fdd17ccdef01f0dcc584346b59d8c0dfbfefa547ab2

DarkComet

9e4ef8eeb8d7eeab54ac5d61c175c32c82a9b7f4e6a28b1b776e789edffcfbbb

DarkComet

a9fe52010982ccd3628a5a882c019556b361c3fa7c29cb8052ff66f02bd28490

DarkComet

b99887f1364955d2872bedadab15a15a51429ec8aeb111859d50e24a9fd31342

DarkComet

f07c61b593733b1a8d2b35f0667a3d39988917f0ceaa73b474f9a559beddf992

DarkComet

+ 122 additional samples on MalwareBazaar

Result

Malware family:

darkcomet

Score:

10/10

Tags:

family:darkcomet botnet:september 2021 evasion persistence rat trojan

Link:

https://tria.ge/reports/210917-qszwnaafaq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks BIOS information in registry

Identifies Wine through registry keys

Uses the VBS compiler for execution

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Darkcomet

Modifies WinLogon for persistence

Malware Config

C2 Extraction:

bonding79.ddns.net:3316
goodgt79.ddns.net:3316
whatis79.ddns.net:3316
smath79.ddns.net:3316
jacknop79.ddns.net:3316
chrisle79.ddns.net:3316

Unpacked files

SH256 hash:

12d103fa3bfad5c603d58f83f104954450fae7f00a529773f843085779116c43

MD5 hash:

e4fa6eabf2702c025fd6dc17aac43353

SHA1 hash:

92805a44c6209ec67140bb9fb04cac246419ad31

Link:

https://www.unpac.me/results/84f97338-9db1-4940-ae17-f9fc42975ea7/

SH256 hash:

4bc03c66976f669e87afbb27e3e62337c607d772b41bcbe4b9b6c9ade7629314

MD5 hash:

22d4ac099807b4d03c19044c87f59548

SHA1 hash:

526a1e2dd85a48b8c9f9734fb5f6682612ff25ab

Detections:

win_darkcomet_g0

win_darkcomet_auto

Link:

https://www.unpac.me/results/84f97338-9db1-4940-ae17-f9fc42975ea7/

SH256 hash:

b6191c6a038f6d49e6941f00ded6a45cf3050ff0a2ecea3a3b3b462dc580f352

MD5 hash:

f88cdbcb740a75972cfef27692239991

SHA1 hash:

fcdaed8c771069c111afb78bd1d2ebaeb28a6688

Link:

https://www.unpac.me/results/84f97338-9db1-4940-ae17-f9fc42975ea7/

Malware family:

DarkComet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b6191c6a038f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DarkComet

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b6191c6a038f6d49e6941f00ded6a45cf3050ff0a2ecea3a3b3b462dc580f352

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Intezer_Vaccine_DarkComet Create hunting rule
Author:	Intezer Labs
Description:	Automatic YARA vaccination rule created based on the file's genes
Reference:	https://analyze.intezer.com

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	Malware_QA_update_RID2DAD Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	pe_imphash Create hunting rule

Rule name:	RAT_DarkComet Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects DarkComet RAT
Reference:	http://malwareconfig.com/stats/DarkComet

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_darkcomet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/188708/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample