MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32
SHA3-384 hash: dbcd176d96111fdb2567a5f34350a94ea994b642d7f17058d27f6262148e69959c23cfbf6108ca590fb5dd7244b01b3e
SHA1 hash: d1f62d7c700090f9d19a534109e783d13fd4ff48
MD5 hash: 0033390156302419d1c2443fb91b3b7d
humanhash: solar-cola-magazine-orange
File name:bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32
Download: download sample
Signature DarkComet
Create hunting rule
File size:777'728 bytes
First seen:2021-02-23 15:30:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9d617e643d715888a08eb0e79581244c (8 x DarkComet)
ssdeep 12288:19HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9EkNC/G71:/Z1xuVVjfFoynPaVBUR8f+kN10Ed
Threatray 93 similar samples on MalwareBazaar
TLSH 1AF47E31F5C08837D9721E789C5B81E698267E212E39754B3AE62F0C5F3D6C2391A2D7
Reporter JAMESWT_WT

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DarkComet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118673/
Detection(s):
Win.Trojan.DarkKomet-1
Create hunting rule

PUA.Win.Packer.Exe-6
Create hunting rule

PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Packer.PrivateExeProte-16
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

Win.Trojan.Darkkomet-6745084-0
Create hunting rule

Win.Trojan.Vobfus-6875610-0
Create hunting rule

Win.Trojan.Darkkomet-7113180-0
Create hunting rule

Win.Dropper.Zeus-9820070-0
Create hunting rule

PUA.Win.Packer.PrivateEXEProtector4-6192998-2
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

PUA.Win.Adware.Dealply-6888238-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a custom TCP request
Launching a process
Setting a keyboard event handler
DNS request
Connection attempt
Enabling the 'hidden' option for analyzed file
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Enabling autorun
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DarkComet
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/615554
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes
Contains functionality to register a low level keyboard hook
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Drops PE files to the document folder of the user
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected DarkComet
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356787 Sample: MiAouAtLEk Startdate: 23/02/2021 Architecture: WINDOWS Score: 100 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus / Scanner detection for submitted sample 2->59 61 5 other signatures 2->61 7 MiAouAtLEk.exe 1 5 2->7         started        11 msdcsc.exe 2->11         started        13 msdcsc.exe 2->13         started        process3 file4 37 C:\Users\user\Documents\MSDCSC\msdcsc.exe, PE32 7->37 dropped 39 C:\Users\user\AppData\Local\Temp\LEGIT.EXE, PE32 7->39 dropped 41 C:\Users\user\...\msdcsc.exe:Zone.Identifier, ASCII 7->41 dropped 63 Contains functionality to log keystrokes 7->63 65 Drops PE files to the document folder of the user 7->65 67 Creates an undocumented autostart registry key 7->67 69 5 other signatures 7->69 15 msdcsc.exe 3 7->15         started        19 LEGIT.EXE 1 7->19         started        21 cmd.exe 1 7->21         started        23 cmd.exe 1 7->23         started        signatures5 process6 dnsIp7 43 exte.duckdns.org 88.229.0.210, 1604 TTNETTR Turkey 15->43 45 Antivirus detection for dropped file 15->45 47 Multi AV Scanner detection for dropped file 15->47 49 Contains functionality to log keystrokes 15->49 53 6 other signatures 15->53 25 notepad.exe 15->25         started        51 Machine Learning detection for dropped file 19->51 27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        31 attrib.exe 1 21->31         started        33 conhost.exe 23->33         started        35 attrib.exe 1 23->35         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32/
Threat name:
Win32.Backdoor.Fynloski
Create hunting rule
Status:
Malicious
First seen:
2021-02-17 23:38:45 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
00bafc075224d7f64e56ed9d1163c024a4049f195c8fb2ed623a754916db31b6
DarkComet
208145a22fa6e10399360af479848df54672ea2eb542444e2f88c4299961971d
DarkComet
60134cb1f167c3d639e293f98e60eb794227b258966196b5cbdeb6e4baa5ad9e
DarkComet
7eb160d254641cd57c9abbae458370718b989d6096f17c6888318a8ebb253853
DarkComet
856bcc47f2c9617ed7e2c5f702dc5cea6713713da600229b2db076d64f24dfdf
DarkComet
8e958f6607d7071280237e933f588829fdd6dcf197064e951124bd07318ad9ee
DarkComet
a207dcc816a09d6e115c0a08015779c283906a358b66c94d531df9f6e73b1033
DarkComet
bbc8f1873aefb2518b9675fdda8446a2ba7dc159bab9bfd08b40e19b654ea8bb
DarkComet
da0a4e16ef4baf46f27e666e9b4547cdf17eafad3caa235df6c29a52d3da8d0a
DarkComet
e8d4ad02e8811033f3ce05547774f6e9650ee66cf3f9221df656b326b8bd039d
DarkComet
+ 83 additional samples on MalwareBazaar
Result
Malware family:
darkcomet
Create hunting rule
Score:
  10/10
Tags:
family:darkcomet evasion persistence rat trojan upx
Link:
https://tria.ge/reports/210223-3e62r4vqjj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Sets file to hidden
UPX packed file
Darkcomet
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32
MD5 hash:
0033390156302419d1c2443fb91b3b7d
SHA1 hash:
d1f62d7c700090f9d19a534109e783d13fd4ff48
Detections:
win_darkcomet_g0
Create hunting rule
win_darkcomet_auto
Create hunting rule
Link:
https://www.unpac.me/results/279195bf-9a56-4940-bc9f-6b5c4a4cd701/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkComet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/118673/

Comments