MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c960f47eb155a0066c0e4e279c296d0516edf66cf032b44188fe3d7f3a16aef6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkComet

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	c960f47eb155a0066c0e4e279c296d0516edf66cf032b44188fe3d7f3a16aef6
SHA3-384 hash:	bbe314c0a786b18a84b8ba3716bf6403e209083e358e3d5926afa06db98bab1f347453a4fe8fc6bcf17d7a36006c9ddb
SHA1 hash:	2481b3aa2a0084a7aa8a5dae26e7a95bd948cd61
MD5 hash:	fe655433e25918abfbf8d0a748b53ebd
humanhash:	idaho-summer-green-equal
File name:	Recu.exe
Download:	download sample
Signature	DarkComet Create hunting rule
File size:	892'416 bytes
First seen:	2020-10-21 10:00:21 UTC
Last seen:	2020-10-25 18:57:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:O8twTmD53Aa72cgIxjtEKADCY7oJB1pNV0vpvQc:mmDSfFaxEKAOYQzzCvJt
Threatray	45 similar samples on MalwareBazaar
TLSH	3115F1303258B467C09D3937403ECF9783B1EA41BAF6D95F3095572DCB6248BA70AA5B
Reporter	abuse_ch
Tags:	DarkComet exe Outlook RAT

abuse_ch

Malspam distributing DarkComet:

HELO: EUR06-VI1-obe.outbound.protection.outlook.com
Sending IP: 40.92.17.52
From: beatrice dizy <dizys2@msn.com>
Subject: Re: Re:
Attachment: Recu.zip (contains "Recu.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

185

Origin country :

n/a

Vendor Threat Intelligence

Detection:

DarkComet

Link:

https://www.capesandbox.com/analysis/73983/

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Running batch commands

Creating a process with a hidden window

Creating a file in the %AppData% directory

Launching cmd.exe command interpreter

Creating a process from a recently created file

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c960f47eb155a0066c0e4e279c296d0516edf66cf032b44188fe3d7f3a16aef6/

Threat name:

ByteCode-MSIL.Trojan.Woreflint

Status:

Malicious

First seen:

2020-10-20 23:11:56 UTC

AV detection:

18 of 29 (62.07%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zfqpi7vrkwqam3aojytzyklnaulo35tm6azliqmi7y6x6oqwv33a._file

Verdict:

malicious

DarkComet

17ae41e1fde622159bcfd56e80ce0cdee5edfc147370e77091f17eed192d54e0

DarkComet

1f9ff29afc60eebf41511416db4988007f3d041744574ac144f88eaf82e52b25

DarkComet

4cd80b1158f28fc2c53e2f84e5ae119bf54cc2507a8d649e649f2cc6458bf2de

DarkComet

5270cd6488da8841fbe6f1fa6b91f7b27be14bfcd52d1f2f3925cc2973ef4944

DarkComet

78b1751491463b0d579eda079654d1dfb9296b98e2867b4fdc765256e5962398

DarkComet

967db64d16674b438203bc9303f8e7ad4f424ada45eb28330dd61295ee86786d

DarkComet

a3c44389aac31e62cd3267525d4cfebbd65c32fbaec918500b606d67b0ea62d8

DarkComet

b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b

DarkComet

ea0493a75251c59cbf9ae40a8c3ed4a0808adf8071f4c297d4fe52ead18962ef

DarkComet

+ 35 additional samples on MalwareBazaar

Result

Malware family:

darkcomet

Score:

10/10

Tags:

trojan rat family:darkcomet persistence

Link:

https://tria.ge/reports/201021-t13kbn41dj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Executes dropped EXE

Darkcomet

Unpacked files

SH256 hash:

c960f47eb155a0066c0e4e279c296d0516edf66cf032b44188fe3d7f3a16aef6

MD5 hash:

fe655433e25918abfbf8d0a748b53ebd

SHA1 hash:

2481b3aa2a0084a7aa8a5dae26e7a95bd948cd61

Link:

https://www.unpac.me/results/76b385d5-c907-4cc3-bd5b-668e74a42fb4/

SH256 hash:

4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd

MD5 hash:

304cc4a1948539064cfec5b70bd83e21

SHA1 hash:

32b3754f52323fd71b8349f01c9dd4bc4fecd880

Link:

https://www.unpac.me/results/76b385d5-c907-4cc3-bd5b-668e74a42fb4/

SH256 hash:

542282ed737d2cb55e3cb59d05e58e8dbf6473d63461194a9ba597f0f3eb5d75

MD5 hash:

0ab09caf48c9dcbcbd53aef80493abd2

SHA1 hash:

fd985c8ed98d443fde035be26592b92662b9c5ea

Link:

https://www.unpac.me/results/76b385d5-c907-4cc3-bd5b-668e74a42fb4/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	IPPort_combo_mem Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	RAT_DarkComet Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects DarkComet RAT
Reference:	http://malwareconfig.com/stats/DarkComet

Rule name:	win_darkcomet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator