MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f221abcc28479d141353cdf6963987ed217d33eea32cca67e10a68e63c1dfc7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f221abcc28479d141353cdf6963987ed217d33eea32cca67e10a68e63c1dfc7a
SHA3-384 hash: ba7948a2a753be2d6fefcd956a5ed442d07b71bfbaaab7e053a5976744a1ff6f90671f7e9ae5468d516b09d651fe8853
SHA1 hash: 20bded958907454ad87040c2f9c8bbe81f1aba7f
MD5 hash: 0d3f19a7659758718fa2f98942158f80
humanhash: gee-sad-oklahoma-seven
File name:f221abcc28479d141353cdf6963987ed217d33eea32cca67e10a68e63c1dfc7a
Download: download sample
Signature DarkComet
Create hunting rule
File size:659'797 bytes
First seen:2021-02-28 07:20:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 027ea80e8125c6dda271246922d4c3b0 (10 x njrat, 7 x DCRat, 5 x DarkComet)
ssdeep 12288:nhxp3lZnT9bDuaI33deBh+M5xrITd6/JdGw15MV6lZjMhZ:nJlh9bDuaI0n7csuqKViAhZ
Threatray 489 similar samples on MalwareBazaar
TLSH 28E40102B6D588B3E57259355939A711A97C7C200F39DA9F67D40D2EEE30180A73AFB3
Reporter JAMESWT_WT
Tags:DarkComet

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'136
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f221abcc28479d141353cdf6963987ed217d33eea32cca67e10a68e63c1dfc7a
Verdict:
Suspicious activity
Analysis date:
2021-02-28 09:01:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/02c1f5f0-4bde-40f9-ad17-05521f385099

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkComet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/119908/
Detection(s):
Win.Dropper.DarkKomet-9371560-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the Program Files subdirectories
Running batch commands
Creating a process from a recently created file
Creating a file in the %AppData% directory
Sending a UDP request
Setting a keyboard event handler
Connection attempt
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Darkcomet
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/620933
Signature
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes
Contains functionalty to change the wallpaper
Detected Darkcomet RAT
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DarkComet
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359459 Sample: UanUMrr8Er Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 30 Malicious sample detected (through community Yara rule) 2->30 32 Multi AV Scanner detection for dropped file 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected DarkComet 2->36 8 UanUMrr8Er.exe 6 2->8         started        process3 file4 22 C:\Program Files (x86)\...\test.sfx.exe, PE32 8->22 dropped 11 cmd.exe 1 8->11         started        process5 process6 13 test.sfx.exe 7 11->13         started        16 conhost.exe 11->16         started        file7 24 C:\Users\user\AppData\Roaming\test.exe, PE32 13->24 dropped 18 test.exe 2 13->18         started        process8 dnsIp9 26 192.168.0.23, 1604 unknown unknown 18->26 28 192.168.2.1 unknown unknown 18->28 38 Antivirus detection for dropped file 18->38 40 Multi AV Scanner detection for dropped file 18->40 42 Detected Darkcomet RAT 18->42 44 7 other signatures 18->44 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f221abcc28479d141353cdf6963987ed217d33eea32cca67e10a68e63c1dfc7a/
Threat name:
Win32.Backdoor.DarkComet
Create hunting rule
Status:
Malicious
First seen:
2017-01-04 19:01:54 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6iq2xtbii6orie2tzx3jmomh5uqx2m7oumwmuz7bbjuompa57r5a._file
Verdict:
malicious
Similar samples:
04ecc8a39bb1236fb737256d4438f3781141a95d8d55576bd1a7e17a0c8b5aa0
DarkComet
1c876d45db060f5be86ab9a13496c0b280d3c6031f00bb4ffebae99566a9249b
DarkComet
1fccab885b5fbfef621f85299c5c698965a415f96e1966ef278d9268cb5d921a
DarkComet
4ddb173a67ca5a5ccce340d40afcbfae4bc7d929ab41c07a6972269c6c71348b
DarkComet
52363e55c329e7a7811cf4d16f659550d8b04643b3a5de3938a011d65b1cb8a0
DarkComet
967db64d16674b438203bc9303f8e7ad4f424ada45eb28330dd61295ee86786d
DarkComet
97eee5ecf6cc23c32ec2eadf116cc10976696962e7f2cd6c124b3761b4409521
DarkComet
9d8f404a77df431743b649f88642c7dd724c136eec43c94a55cfbb0f41d645c8
DarkComet
b54347c754b7095d0a38c7180eaa71e50c4431b7c721f7791483babb2610d17b
DarkComet
e5e350a37377f160c4258b2e765f3aacacb7d3b43926d0de767adcad6d93e87d
DarkComet
+ 479 additional samples on MalwareBazaar
Result
Malware family:
darkcomet
Create hunting rule
Score:
  10/10
Tags:
family:darkcomet rat trojan
Link:
https://tria.ge/reports/210228-blr8bs15qj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Loads dropped DLL
Executes dropped EXE
Darkcomet
Unpacked files
SH256 hash:
cb9fd37f0c5d0a253cc517e1358680452ebcc05cb9e6853ec2b7c57609977fa4
MD5 hash:
984a5e076747861d1c1e833d7de6d88e
SHA1 hash:
5c722bb1d3ed729a377c4e5de566c465dfbda4b2
Detections:
win_darkcomet_g0
Create hunting rule
win_darkcomet_auto
Create hunting rule
Link:
https://www.unpac.me/results/b4f70294-4850-4f10-8db5-f12efa2690b8/
SH256 hash:
f221abcc28479d141353cdf6963987ed217d33eea32cca67e10a68e63c1dfc7a
MD5 hash:
0d3f19a7659758718fa2f98942158f80
SHA1 hash:
20bded958907454ad87040c2f9c8bbe81f1aba7f
Link:
https://www.unpac.me/results/b4f70294-4850-4f10-8db5-f12efa2690b8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkComet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f221abcc28479d141353cdf6963987ed217d33eea32cca67e10a68e63c1dfc7a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119908/

Comments