MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df8d2aa31a1e622f675b28f46e5eb8d50e61606c5e182969b0376d0d1915062b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df8d2aa31a1e622f675b28f46e5eb8d50e61606c5e182969b0376d0d1915062b
SHA3-384 hash: 33d15c73f51a0db4a5a74fb887576a3d0686907ae5ee8438f71077a84138ab875877cdd62921fb153f4a05a53bc438e4
SHA1 hash: 2ad697b60cbe473b1eecbeee434462196bb96a4b
MD5 hash: 00f6d1603528412c36b95ff66e71835b
humanhash: montana-rugby-ink-single
File name:k40p一键刷入TWRP-A14.exe
Download: download sample
Signature DarkComet
Create hunting rule
File size:86'336'000 bytes
First seen:2025-05-19 00:38:43 UTC
Last seen:2025-05-19 00:40:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep 1572864:yOhfcui3u4rjsJ88Y26FTkZYb6IKewZrzM4ZX78g2Yyr0lLRTDUKX60uRF5xZi:yOhE33u4kJ88xOk2bwZXIgnyr0JZDUwL
Threatray 423 similar samples on MalwareBazaar
TLSH T1FB183303B2814072C3D98575ED67DAB39B257DBE07F3057B36A89FC83F662407A26225
TrID 37.2% (.EXE) InstallShield setup (43053/19/16)
35.9% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
9.0% (.EXE) Win64 Executable (generic) (10522/11/4)
8.6% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon f0a46662cac4c1e2 (1 x DarkComet)
Reporter GDHJDSYDH1
Tags:DarkComet exe gh0st Gh0stRAT PurpleFox synaptics xred

Intelligence

File Origin
# of uploads :
2
# of downloads :
967
Origin country :
US US
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682a7b39e5aa44ec2e1abcfe
Tags:
darkkomet vmdetect delphi madi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
base64 borland_delphi cmd evasive explorer fingerprint lolbin packed packed packed packer_detected remote rundll32
Link:
https://www.filescan.io/uploads/682a7db51de1514c68740a48/reports/85085c44-a765-45d2-baea-3ad428caa1a5/overview
Verdict:
Malicious
Labled as:
Trojan.DarkKomet
Link:
https://www.hybrid-analysis.com/sample/df8d2aa31a1e622f675b28f46e5eb8d50e61606c5e182969b0376d0d1915062b
Result
Threat name:
Gh0stCringe, GhostRat, Mimikatz, Running
Create hunting rule
Detection:
malicious
Classification:
bank.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1693643
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if browser processes are running
Contains functionality to detect sleep reduction / modifications
Creates a Windows Service pointing to an executable in C:\Windows
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the document folder of the user
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Sample is not signed and drops a device driver
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Gh0stCringe
Yara detected GhostRat
Yara detected Mimikatz
Yara detected RunningRAT
Yara detected XRed
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1693643 Sample: k40p#U4e00#U952e#U5237#U516... Startdate: 19/05/2025 Architecture: WINDOWS Score: 100 99 freedns.afraid.org 2->99 101 hackerinvasion.f3322.net 2->101 103 10 other IPs or domains 2->103 121 Suricata IDS alerts for network traffic 2->121 123 Found malware configuration 2->123 125 Malicious sample detected (through community Yara rule) 2->125 129 18 other signatures 2->129 10 k40p#U4e00#U952e#U5237#U5165TWRP-A14.exe 1 6 2->10         started        13 TXPlatfor.exe 2->13         started        16 svchost.exe 1 2->16         started        18 13 other processes 2->18 signatures3 127 Uses dynamic DNS services 99->127 process4 dnsIp5 89 ._cache_k40p#U4e00...7#U5165TWRP-A14.exe, PE32 10->89 dropped 91 C:\ProgramData\Synaptics\Synaptics.exe, PE32 10->91 dropped 93 C:\ProgramData\Synaptics\RCXC7E1.tmp, PE32 10->93 dropped 95 C:\...\Synaptics.exe:Zone.Identifier, ASCII 10->95 dropped 21 ._cache_k40p#U4e00#U952e#U5237#U5165TWRP-A14.exe 6 10->21         started        25 Synaptics.exe 10->25         started        147 Antivirus detection for dropped file 13->147 149 Multi AV Scanner detection for dropped file 13->149 151 Drops executables to the windows directory (C:\Windows) and starts them 13->151 28 TXPlatfor.exe 13 1 13->28         started        97 C:\Windows\SysWOW64\Remote Data.exe, PE32 16->97 dropped 30 Remote Data.exe 16->30         started        105 hackerinvasion.f3322.net 18->105 107 127.0.0.1 unknown unknown 18->107 109 s-part-0041.t-0009.t-msedge.net 13.107.246.69, 443, 49747, 49748 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 18->109 153 Changes security center settings (notifications, updates, antivirus, firewall) 18->153 155 Checks if browser processes are running 18->155 157 Contains functionality to detect sleep reduction / modifications 18->157 32 MpCmdRun.exe 18->32         started        34 WerFault.exe 18->34         started        36 splwow64.exe 18->36         started        file6 159 System process connects to network (likely due to code injection or exploit) 105->159 signatures7 process8 dnsIp9 65 HD_._cache_k40p#U4...7#U5165TWRP-A14.exe, PE32+ 21->65 dropped 67 C:\Users\user\AppData\Local\Temp\R.exe, PE32 21->67 dropped 69 C:\Users\user\AppData\Local\Temp69.exe, PE32 21->69 dropped 71 C:\Users\user\AppData\Local\Temp\HD_X.dat, PE32 21->71 dropped 131 Antivirus detection for dropped file 21->131 133 Multi AV Scanner detection for dropped file 21->133 38 N.exe 1 1 21->38         started        42 HD_._cache_k40p#U4e00#U952e#U5237#U5165TWRP-A14.exe 21->42         started        44 R.exe 3 2 21->44         started        111 docs.google.com 142.250.217.142, 443, 49725, 49726 GOOGLEUS United States 25->111 113 drive.usercontent.google.com 142.250.72.161, 443, 49728, 49729 GOOGLEUS United States 25->113 115 freedns.afraid.org 69.42.215.252, 49730, 80 AWKNET-LLCUS United States 25->115 73 C:\Users\user\DocumentsWZCVGNOWT\~$cache1, PE32 25->73 dropped 135 Drops PE files to the document folder of the user 25->135 46 WerFault.exe 25->46         started        75 C:\Windows\System32\drivers\QAssist.sys, PE32+ 28->75 dropped 137 Sample is not signed and drops a device driver 28->137 139 Opens the same file many times (likely Sandbox evasion) 30->139 48 conhost.exe 32->48         started        file10 signatures11 process12 file13 77 C:\Windows\SysWOW64\TXPlatfor.exe, PE32 38->77 dropped 141 Antivirus detection for dropped file 38->141 143 Multi AV Scanner detection for dropped file 38->143 50 cmd.exe 1 38->50         started        79 C:\Users\user\AppData\Local\...\fastboot.exe, PE32 42->79 dropped 81 C:\Users\user\AppData\Local\Temp\...\adb.exe, PE32 42->81 dropped 83 C:\Users\user\AppData\...\AdbWinUsbApi.dll, PE32 42->83 dropped 87 2 other malicious files 42->87 dropped 53 cmd.exe 42->53         started        85 C:\Windows\SysWOW64\4173500.txt, PE32 44->85 dropped 145 Creates a Windows Service pointing to an executable in C:\Windows 44->145 signatures14 process15 signatures16 117 Uses ping.exe to sleep 50->117 119 Uses ping.exe to check the status of other devices and networks 50->119 55 conhost.exe 50->55         started        57 PING.EXE 1 50->57         started        59 conhost.exe 53->59         started        61 chcp.com 53->61         started        63 mode.com 53->63         started        process17
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/df8d2aa31a1e622f675b28f46e5eb8d50e61606c5e182969b0376d0d1915062b
Gathering data
Threat name:
Win32.Virus.Napwhich
Create hunting rule
Status:
Malicious
First seen:
2025-05-19 00:28:42 UTC
File Type:
PE (Exe)
Extracted files:
157
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=36gsviy2dzrc6z23fd2g4xvy2uhgcydmlymcs2nqg5wq2givayvq._file
Verdict:
malicious
Label(s):
xredbackdoor
Create hunting rule
Similar samples:
1e2dc8d95c5de085cde8fb90129bd3c3c38a742a5ce34ae07e536512abc51bc6
DarkComet
2093c40693b6684ea3eb4c6fccec07b765551b3c0f28cb6f14543aef86fdce3f
DarkComet
61437d273cb1204be0e52d3bc516ea98a6eadcfd044bdf034669773893b58a64
DarkComet
807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e
DarkComet
a0dcaaad349a927f3884901a3b0fee340241b07e5f2ad73dc008125a0b1bc0ee
DarkComet
df8d2aa31a1e622f675b28f46e5eb8d50e61606c5e182969b0376d0d1915062b
DarkComet
error
DarkComet
+ 413 additional samples on MalwareBazaar
Result
Malware family:
xred
Create hunting rule
Score:
  10/10
Tags:
family:xred backdoor discovery persistence
Link:
https://tria.ge/reports/250519-azqnkafp71/
Behaviour
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Xred
Xred family
Malware Config
C2 Extraction:
xred.mooo.com
Verdict:
Malicious
Tags:
backdoor xred_backdoor Win.Trojan.Zegost-9763840-0
YARA:
mal_xred_backdoor
Link:
https://app.threat.zone/submission/d9444e94-2375-4bb7-b45d-0f278018d604
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkComet

Executable exe df8d2aa31a1e622f675b28f46e5eb8d50e61606c5e182969b0376d0d1915062b

(this sample)

  
Link
https://tria.ge/250519-asl2ss1jy4
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteExA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessA
advapi32.dll::OpenProcessToken
kernel32.dll::OpenProcess
kernel32.dll::CloseHandle
wininet.dll::InternetCloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::TerminateProcess
kernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetDriveTypeA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CopyFileA
kernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::CreateFileMappingA
kernel32.dll::DeleteFileA
kernel32.dll::MoveFileA
WIN_BASE_USER_APIRetrieves Account Informationkernel32.dll::GetComputerNameA
advapi32.dll::GetUserNameA
advapi32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegCreateKeyExA
advapi32.dll::RegNotifyChangeKeyValue
advapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
advapi32.dll::RegSetValueExA
WIN_SVC_APICan Manipulate Windows Servicesadvapi32.dll::OpenSCManagerA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments