MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8bf04a96207b70f043bf84c60036abd752e36e1cd042ce9f12e792f079dc8c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 14


Intelligence 14 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8bf04a96207b70f043bf84c60036abd752e36e1cd042ce9f12e792f079dc8c6
SHA3-384 hash: 8adf7c95173fd53a099acb5e4999c63902f306dfb0301f191e6697842ed95a467edb3e778255bfcbfcb7fdaf6a137d4f
SHA1 hash: 8787be602d23a2d26bec31698aea1afac2f29da2
MD5 hash: 2bb15bde23193d20e8346d34ed566de0
humanhash: coffee-enemy-magnesium-butter
File name:LisectAVT_2403002A_230.exe
Download: download sample
Signature DarkComet
Create hunting rule
File size:14'347'270 bytes
First seen:2024-07-24 23:56:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d59a4a699610169663a929d37c90be43 (76 x DCRat, 23 x njrat, 18 x SalatStealer)
ssdeep 393216:1lGtPerFp7MtD4gb9inNfwbfq9AWV57IDKx1K:ywJNMagb9Cfwa57IDcK
Threatray 548 similar samples on MalwareBazaar
TLSH T100E63331B2908477D5261AB49C1FC2F66466BE102E38759B3AE13F0C9E3D1C37D5A2DA
TrID 80.4% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
6.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
5.2% (.EXE) InstallShield setup (43053/19/16)
1.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.5% (.SCR) Windows screen saver (13097/50/3)
Reporter Anonymous
Tags:DarkComet exe


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
146
Origin country :
CN CN
Vendor Threat Intelligence
Detection(s):
Win.Trojan.DarkKomet-1
Create hunting rule

Win.Trojan.Darkkomet-7113180-0
Create hunting rule

Win.Trojan.Barys-9799359-0
Create hunting rule

Win.Dropper.Zeus-9820070-0
Create hunting rule

Win.Dropper.Darkkomet-9857869-0
Create hunting rule

Win.Trojan.Darkkomet-9857871-0
Create hunting rule

Win.Malware.Darkkomet-9857872-0
Create hunting rule

Win.Trojan.Darkkomet-6745084-0
Create hunting rule

Win.Trojan.Injector-6297685-1
Create hunting rule

Win.Trojan.Vobfus-6875610-0
Create hunting rule

Win.Trojan.Agent-345883
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a194d8cb3d02fa0e4980a1
Tags:
Execution Network Stealth Trojan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Creating a file
Launching a process
Enabling the 'hidden' option for files in the %temp% directory
Connection attempt
Searching for the window
Searching for the Windows task manager window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Delayed reading of the file
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Blocking a possibility to launch for the Windows registry editor (regedit.exe)
Firewall traversal
Blocking the User Account Control
Blocking the Windows Security Center notifications
Blocking the Windows Security Center launch
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm anti-vm darkcomet evasive explorer fingerprint jorik keylogger lolbin overlay packed rat remote shell32
Link:
https://www.filescan.io/uploads/66a194d43acdc8d8268dd89f/reports/ee507908-1b4a-4fd4-8417-a56095a03e2c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkComet
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d1e05508-233d-41dc-ba57-2d08b042c006
Result
Threat name:
DarkComet
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1481007
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Disable Task Manager(disabletaskmgr)
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Disables UAC (registry)
Disables windows user account control
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Files With System Process Name In Unsuspected Locations
Uses cmd line tools excessively to alter registry or file data
Yara detected DarkComet
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1481007 Sample: LisectAVT_2403002A_230.exe Startdate: 25/07/2024 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 6 other signatures 2->51 8 LisectAVT_2403002A_230.exe 3 2->8         started        process3 file4 37 Windows 10 KMS Act...timate 2015 1.3.exe, PE32 8->37 dropped 39 C:\Users\user\AppData\Local\...\Activator.exe, PE32 8->39 dropped 11 Activator.exe 1 3 8->11         started        15 Windows 10 KMS Activator Ultimate 2015 1.3.exe 7 8->15         started        process5 file6 41 C:\Windows\SysWOW64\winlogon\winlogon.exe, PE32 11->41 dropped 63 Antivirus detection for dropped file 11->63 65 Multi AV Scanner detection for dropped file 11->65 67 Creates an undocumented autostart registry key 11->67 69 3 other signatures 11->69 17 winlogon.exe 6 3 11->17         started        21 cmd.exe 1 11->21         started        23 cmd.exe 1 11->23         started        signatures7 process8 dnsIp9 43 188.138.178.241, 1604, 49699 STARNET-ASMD Moldova Republic of 17->43 53 Antivirus detection for dropped file 17->53 55 Multi AV Scanner detection for dropped file 17->55 57 Changes security center settings (notifications, updates, antivirus, firewall) 17->57 61 7 other signatures 17->61 25 iexplore.exe 17->25         started        27 explorer.exe 17->27         started        59 Uses cmd line tools excessively to alter registry or file data 21->59 29 conhost.exe 21->29         started        31 attrib.exe 1 21->31         started        33 conhost.exe 23->33         started        35 attrib.exe 1 23->35         started        signatures10 process11
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e8bf04a96207b70f043bf84c60036abd752e36e1cd042ce9f12e792f079dc8c6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e8bf04a96207b70f043bf84c60036abd752e36e1cd042ce9f12e792f079dc8c6/
Threat name:
Win32.Backdoor.Fynloski
Create hunting rule
Status:
Malicious
First seen:
2024-07-24 23:57:08 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5c7qjklca63q6bb37bggaa3kxv2s4nxbzuccz2prfz4s6b45zdda._file
Verdict:
malicious
Similar samples:
070c46c82d06c5c7611be8b273b341f224b1eb2ba49d67743fe82fbd8c004a54
DarkComet
12d3ec70f3a079ae0216ee7b56722e2369eb664de0036e1422cbf6c3e159d324
DarkComet
315c067e09291f265db5a15ebeb0c96df1334ff2a7cec2411ede7a940a0322b3
DarkComet
4d7197c26f7e892d7a71fcd35b87955409a1be229d0363363bbcba41fc1260aa
DarkComet
8139c166d6dbebac912d37fb5d36a8c78a1ce7918ee228e929d98880638a4a08
DarkComet
821811011a73d5e48c99ea7b028f0eb6ec9e755d08b6cfe081a5d33ee045a1fc
DarkComet
dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9
DarkComet
+ 538 additional samples on MalwareBazaar
Result
Malware family:
darkcomet
Create hunting rule
Score:
  10/10
Tags:
family:darkcomet botnet:asus discovery evasion persistence rat trojan
Link:
https://tria.ge/reports/240724-3zlc3ayard/
Behaviour
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Sets file to hidden
Darkcomet
Modifies WinLogon for persistence
Modifies firewall policy service
Modifies security service
Windows security bypass
Malware Config
C2 Extraction:
188.138.178.241:1604
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f74e2768-297f-4242-8e28-f7c06138076a
Unpacked files
SH256 hash:
8a99c29a7f8ff8169d4685e750ff99f92823b7ff20f87a36e35fdbcea7b8337a
MD5 hash:
9f38a3b2a8316ab8b2130860c2f057d8
SHA1 hash:
f7bd20a9772329226473556194a6014feb1f9925
Link:
https://www.unpac.me/results/2d3077b2-de4a-4c3a-8ce0-9a9304e611cb/
SH256 hash:
007507ea369502e630f9ab9221530080a25372f96f06822ef738a5c23ddfccdb
MD5 hash:
38e6371d7bbce0163d82906d0e3c3a49
SHA1 hash:
8580d9208b7852eb4548d2e256a7cf354a24aec0
Detections:
win_darkcomet_auto
Create hunting rule
win_darkcomet_a0
Create hunting rule
win_darkcomet_g0
Create hunting rule
RAT_DarkComet
Create hunting rule
Malware_QA_update
Create hunting rule
Link:
https://www.unpac.me/results/2d3077b2-de4a-4c3a-8ce0-9a9304e611cb/
SH256 hash:
e8bf04a96207b70f043bf84c60036abd752e36e1cd042ce9f12e792f079dc8c6
MD5 hash:
2bb15bde23193d20e8346d34ed566de0
SHA1 hash:
8787be602d23a2d26bec31698aea1afac2f29da2
Detections:
win_darkcomet_a0
Create hunting rule
win_darkcomet_g0
Create hunting rule
RAT_DarkComet
Create hunting rule
Link:
https://www.unpac.me/results/2d3077b2-de4a-4c3a-8ce0-9a9304e611cb/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CMD_Ping_Localhost
Create hunting rule
Rule name:DarkComet_2
Create hunting rule
Author:botherder https://github.com/botherder
Description:DarkComet RAT
Rule name:DarkComet_3
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Rule name:darkcomet_v1
Create hunting rule
Author:RandomMalware
Rule name:Intezer_Vaccine_DarkComet
Create hunting rule
Author:Intezer Labs
Description:Automatic YARA vaccination rule created based on the file's genes
Reference:https://analyze.intezer.com
Rule name:MALWARE_Win_DarkComet
Create hunting rule
Author:ditekSHen
Description:Detects DarkComet
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RAT_DarkComet
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects DarkComet RAT
Reference:http://malwareconfig.com/stats/DarkComet
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Trojan_Darkcomet_1df27bcc
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkComet

Executable exe e8bf04a96207b70f043bf84c60036abd752e36e1cd042ce9f12e792f079dc8c6

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetSystemDirectoryA
kernel32.dll::GetTempPathA

Comments