MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0fbceff5394bb7d6fd37ff2c9a12208145c50bf11702905ec1044d27d0c83d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkComet

Vendor detections: 12

Intelligence 12 IOCs YARA 9 File information Comments

SHA256 hash:	e0fbceff5394bb7d6fd37ff2c9a12208145c50bf11702905ec1044d27d0c83d4
SHA3-384 hash:	8969ddeeee9ad22e676e92a1c601b2abc6a38a386285c219e7d83426c573aaee38c3d6db03c38dd4d2240643828d17c0
SHA1 hash:	593cca5864262da209fcfe7cfb91a49a913ca93e
MD5 hash:	4b65dd5f5ba00ec1b3e923e04045bd20
humanhash:	comet-kitten-vegan-four
File name:	4b65dd5f5ba00ec1b3e923e04045bd20.exe
Download:	download sample
Signature	DarkComet Create hunting rule
File size:	466'944 bytes
First seen:	2021-10-07 09:01:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:khqP8uJabr9zqgzE3ElDPh9pX1dz89bXU:09s3EBPpl+XU
Threatray	181 similar samples on MalwareBazaar
TLSH	T1D2A423682375E5B0DCDE63B7671AA368325FBE42C26B51AB0851C935BD08FC32353D94
File icon (PE):
dhash icon	bb2829a5a448282c (1 x DarkComet)
Reporter	abuse_ch
Tags:	DarkComet exe RAT

Intelligence

File Origin

# of uploads :

# of downloads :

822

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4b65dd5f5ba00ec1b3e923e04045bd20.exe

Verdict:

Malicious activity

Analysis date:

2021-10-07 09:06:01 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5331e545-ac8c-4ac9-984f-209e023af889

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/195739/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

DNS request

Connecting to a non-recommended domain

Connection attempt

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/615eb794e3d213d202b9a12f/reports/9f8653bf-e4b5-4667-942b-1cea20fdd791/overview

Result

Threat name:

DarkComet

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/866183

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected DarkComet

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e0fbceff5394bb7d6fd37ff2c9a12208145c50bf11702905ec1044d27d0c83d4/

Threat name:

ByteCode-MSIL.Backdoor.Androm

Status:

Malicious

First seen:

2021-10-07 02:48:40 UTC

AV detection:

26 of 45 (57.78%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4d54572tss5x236tp7zmtijcbakfyuf7cfycsbpmcbcne7imqpka._file

Verdict:

malicious

DarkComet

04fd7b2d4a88e576168ebc669d15c4507339d5d08722d333663809e4a8c2ebd3

DarkComet

15e84355978fd585af794a5aa1b61144a9197d1410219a4e129aca0ce953904d

DarkComet

5e7621b7f875f9e6c730454d916a2bc2acb7d8b1fbc1dbe7cdb1917d42f1590b

DarkComet

79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0

DarkComet

843495a7b1864d2053d8d5079f0323e2af684559f73bea1c09d0a44f63d880c5

DarkComet

9bc104c639ac638fcb86080c375b1a376ff1804473d5010779d416ae905fac29

DarkComet

b64ddd178d652c5432004449edc53fea2abdba8633259b4d8b329e1c8484e98a

DarkComet

fdbd4ac1322e5a2c5ef5b808da68f48ca1ff111cd649c86aa0123c3d5538c7f0

DarkComet

+ 171 additional samples on MalwareBazaar

Result

Malware family:

darkcomet

Score:

10/10

Tags:

family:darkcomet botnet:guest16 rat trojan

Link:

https://tria.ge/reports/211007-kzg2jacdcl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Darkcomet

Malware Config

C2 Extraction:

sommerishere.sytes.net:1678
ommerishere.sytes.net:1678
ommerishere.sytes.net:1679

Unpacked files

SH256 hash:

77cb2d2444989d1c9fdc8ebb72fb895b4cd16e99d9e00cb54395572326259f21

MD5 hash:

20b004edb95bceaed59c5a1efc74552d

SHA1 hash:

721ed3f126f7fbed8cbc48972c5f75c6c3878de3

Detections:

win_darkcomet_g0

win_darkcomet_auto

Link:

https://www.unpac.me/results/332e6510-9ade-47f9-a774-4d03fc2b85b5/

Parent samples :

843495a7b1864d2053d8d5079f0323e2af684559f73bea1c09d0a44f63d880c5
79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0
6d9c353dc658f47d47d01c5e58d60b562cea4f2d22c233ea46913d0b5596113a
0f325763031ca17f78bce86d8f433325786b329d2fc2412d61e4fdd3db6d1acb
639d848640fcf0e6cbd1c6194b5e515cb4a94cba3290852108962233f654c79e
e72099ecd524f1e9bf60fec166471d0504a86ae5c9a45f9fb8ad79c8de0929dc
e0fbceff5394bb7d6fd37ff2c9a12208145c50bf11702905ec1044d27d0c83d4

SH256 hash:

e0fbceff5394bb7d6fd37ff2c9a12208145c50bf11702905ec1044d27d0c83d4

MD5 hash:

4b65dd5f5ba00ec1b3e923e04045bd20

SHA1 hash:

593cca5864262da209fcfe7cfb91a49a913ca93e

Link:

https://www.unpac.me/results/332e6510-9ade-47f9-a774-4d03fc2b85b5/

Malware family:

DarkComet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/e0fbceff5394/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DarkComet

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e0fbceff5394bb7d6fd37ff2c9a12208145c50bf11702905ec1044d27d0c83d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Intezer_Vaccine_DarkComet Create hunting rule
Author:	Intezer Labs
Description:	Automatic YARA vaccination rule created based on the file's genes
Reference:	https://analyze.intezer.com

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	Malware_QA_update_RID2DAD Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	MALWARE_Win_DarkComet Create hunting rule
Author:	ditekSHen
Description:	Detects DarkComet

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RAT_DarkComet Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects DarkComet RAT
Reference:	http://malwareconfig.com/stats/DarkComet

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_darkcomet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator