MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca43b69aeecd6d78b0d80e8ea38ec2988c03152758fbff87b0a422ec26b99de3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkComet

Vendor detections: 21

Intelligence 21 IOCs YARA 19 File information Comments

SHA256 hash:	ca43b69aeecd6d78b0d80e8ea38ec2988c03152758fbff87b0a422ec26b99de3
SHA3-384 hash:	fdf9a7faabe0d7ba454cc1245f0e303672ee121b651f41ff3522c0f2bf04edaa4e5e6c6d1802d1840c86b165c9deed0b
SHA1 hash:	4ab214955569e8c6215505be00a08c242d37d47c
MD5 hash:	02b0ca7a20a0a519aebc21c04c77ed68
humanhash:	moon-november-iowa-eight
File name:	msdcsc.exe
Download:	download sample
Signature	DarkComet Create hunting rule
File size:	774'656 bytes
First seen:	2026-04-23 12:33:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e5b4359a3773764a372173074ae9b6bd (67 x DarkComet, 2 x njrat, 1 x NanoCore)
ssdeep	12288:q9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/htMsEA:mZ1xuVVjfFoynPaVBUR8f+kN10EBv+A
TLSH	T130F47C35F5808833D82239F89C5A91E654297E202D29764B36F63F4C4E39197FE1A2DF
TrID	32.7% (.EXE) Win32 Executable Delphi generic (14182/79/4) 23.0% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 15.0% (.EXE) Win64 Executable (generic) (6522/11/2) 10.3% (.EXE) Win32 Executable (generic) (4504/4/1) 4.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
dhash icon	307131b0b4b0b899 (1 x DarkComet)
Reporter	Anonymous
Tags:	DarkComet delphi exe RAT

Anonymous

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Intelligence

File Origin

# of uploads :

# of downloads :

150

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

DarkComet

Details

DarkComet

a version, an RC4 key, c2 socket address(es), a password, a botnet, and other DarkComet configuration settings

Link:

https://research.acce.ciphertechsolutions.com/results/0d102201-3cdc-403a-8b40-a23d3d384963/

Malware family:

darkcomet

ID:

File name:

msdcsc.exe

Verdict:

Malicious activity

Analysis date:

2026-04-23 12:29:58 UTC

Tags:

darkcomet rat delphi

Link:

https://app.any.run/tasks/8c659206-b70d-4231-bdc9-cb0f973130f5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DarkComet

Link:

https://www.capesandbox.com/analysis/63324/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69ea11a751cce3ff702f6222

Tags:

dropper emotet virus sage

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file

DNS request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm borland_delphi darkcomet darkcomet darkkomet evasive explorer fingerprint keylogger keylogger lolbin packed

Link:

https://www.filescan.io/uploads/69ea119f8a82359247ae5151/reports/4ba39321-1d4c-4283-963c-2c8095fa8130/overview

Verdict:

Malicious

Labled as:

Backdoor.DarkKomet

Link:

https://www.hybrid-analysis.com/sample/ca43b69aeecd6d78b0d80e8ea38ec2988c03152758fbff87b0a422ec26b99de3

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-04-23T09:45:00Z UTC

Last seen:

2026-04-24T14:44:00Z UTC

Hits:

~10

Detections:

Trojan-Spy.Win32.Xegumumune.sbc HEUR:Backdoor.Win32.DarkKomet.gen Trojan.Win32.Agent.sb HEUR:Trojan.Win32.Generic Backdoor.Win32.Finlosky.bf Backdoor.Win32.DarkKomet.xyk Backdoor.Win32.DarkKomet.eku Backdoor.Win32.DarkKomet.diex Backdoor.Win32.DarkKomet.b PDM:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/ca43b69aeecd6d78b0d80e8ea38ec2988c03152758fbff87b0a422ec26b99de3/results?tab=lookup

Malware family:

DarkComet

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/21c0a63a-057a-4d09-ae01-c2b203132be3

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ca43b69aeecd6d78b0d80e8ea38ec2988c03152758fbff87b0a422ec26b99de3

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/02b0ca7a20a0a519aebc21c04c77ed68

Detection:

darkcomet

Link:

https://mwdb.cert.pl/sample/ca43b69aeecd6d78b0d80e8ea38ec2988c03152758fbff87b0a422ec26b99de3/

Verdict:

Malicious

Threat:

Family.DARKCOMET

Link:

https://tip.neiki.dev/file/ca43b69aeecd6d78b0d80e8ea38ec2988c03152758fbff87b0a422ec26b99de3

Threat name:

Win32.Backdoor.DarkComet

Status:

Malicious

First seen:

2026-04-23 12:34:38 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zjb3ngxozvwxrmgyb2hkhdwctcgagfjhld577b5quqroyjvztxrq._file

Verdict:

malicious

Label(s):

darkcomet

Similar samples:

error

DarkComet

Result

Malware family:

darkcomet

Score:

10/10

Tags:

family:darkcomet botnet:guest67 discovery persistence rat trojan

Link:

https://tria.ge/reports/260423-prg4sads9s/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Family: Darkcomet

Modifies WinLogon for persistence

Malware Config

C2 Extraction:

kvb.it.com:1604
nox.de.com:1604

Unpacked files

SH256 hash:

ca43b69aeecd6d78b0d80e8ea38ec2988c03152758fbff87b0a422ec26b99de3

MD5 hash:

02b0ca7a20a0a519aebc21c04c77ed68

SHA1 hash:

4ab214955569e8c6215505be00a08c242d37d47c

Detections:

win_darkcomet_g0

win_darkcomet_a0

win_darkcomet_auto

triage_darkcomet_rat

Link:

https://www.unpac.me/results/e5d6d97a-ac7e-4fa7-9a19-32cebe4953d0/

Malware family:

DarkComet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ca43b69aeecd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DarkComet

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ca43b69aeecd6d78b0d80e8ea38ec2988c03152758fbff87b0a422ec26b99de3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CMD_Ping_Localhost Create hunting rule

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	darkcomet_v1 Create hunting rule
Author:	RandomMalware

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	Intezer_Vaccine_DarkComet Create hunting rule
Author:	Intezer Labs
Description:	Automatic YARA vaccination rule created based on the file's genes
Reference:	https://analyze.intezer.com

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	Malware_QA_update_RID2DAD Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	MALWARE_Win_DarkComet Create hunting rule
Author:	ditekSHen
Description:	Detects DarkComet

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RAT_DarkComet Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects DarkComet RAT
Reference:	http://malwareconfig.com/stats/DarkComet

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name:	Windows_Trojan_Darkcomet_1df27bcc Create hunting rule
Author:	Elastic Security

Rule name:	win_darkcomet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator