MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f462621dede3d3549e07ad96afb2e5a83cdde53c72a1f6ffd8991fab0d5bf520. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkComet

Vendor detections: 8

Intelligence 8 IOCs YARA 7 File information Comments

SHA256 hash:	f462621dede3d3549e07ad96afb2e5a83cdde53c72a1f6ffd8991fab0d5bf520
SHA3-384 hash:	6597a219c4bddfb066854e091f4532691a09764e0bed59ee5cb7d467e2afeccfcbbf78cabb3e076d284a778f9dfb1ecc
SHA1 hash:	5001e2e1decef170eea09de61d56f122a4394669
MD5 hash:	e0d467443093da7d4657af093a638beb
humanhash:	hydrogen-west-twelve-lamp
File name:	f462621dede3d3549e07ad96afb2e5a83cdde53c72a1f6ffd8991fab0d5bf520
Download:	download sample
Signature	DarkComet Create hunting rule
File size:	1'617'920 bytes
First seen:	2020-11-06 11:36:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c1095bd21a25f9770e197ac07e27ecaf (1 x DarkComet)
ssdeep	24576:cOkPaVU1zWr/lYf3UhnXLK73vo7pmguOpXAzSywNm3fUA4tW1rSQ:72xa7icQnguyQNwNm30YA
Threatray	46 similar samples on MalwareBazaar
TLSH	3D75F15371F5C47AC5B210304E95AA69A7FBDE204F22BAC363843B1E1D749C54E3A27A
Reporter	seifreed
Tags:	DarkComet

Intelligence

File Origin

# of uploads :

# of downloads :

118

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.PrivateExeProte-16

PUA.Win.Packer.Ep-7

PUA.Win.Packer.AcprotectUltraprotect-1

Win.Malware.Jrvt-6921771-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file

Enabling the 'hidden' option for recently created files

Launching cmd.exe command interpreter

Creating a process with a hidden window

Launching a process

Enabling the 'hidden' option for analyzed file

Creating a process from a recently created file

Setting a keyboard event handler

DNS request

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process by context flags manipulation

Blocking a possibility to launch for the Windows registry editor (regedit.exe)

Firewall traversal

Blocking the User Account Control

Blocking the Windows Security Center notifications

Blocking the Windows Security Center launch

Enabling autorun

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f462621dede3d3549e07ad96afb2e5a83cdde53c72a1f6ffd8991fab0d5bf520/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-10-26 18:45:21 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6rrgehpn4pjvjhqhvwlk7mxfva6n3zj4okq7n76ytep2wdk36uqa._file

Verdict:

malicious

DarkComet

23b916e5bb30f814e9819cf3499fe56820380b827b20f595022eabbd47267374

DarkComet

54efc75509d102fe879aae2a49098bd2f05183502e0ee554a3f6c1a7a4367ad9

DarkComet

63576b3bcc6c0509b9855aaa0ff27fa949da6f878e39cedf0f1bbb504aff7a98

DarkComet

6dcdb6d07ab170263e6b46641863ab1611e79d88967ce376e709f02c42c95cdb

DarkComet

7624dfdc9137caa3238792759440cc52c94c9c306169292396bae3b8e31a8956

DarkComet

8a72a55d126b69bda2f37fd88050aeed02d97733f6777759b542db8a442435bc

DarkComet

c2c82ee2700333d677bee2937f99b1e5657f339e23c27b5b7d2a397b672fffd9

DarkComet

c960f47eb155a0066c0e4e279c296d0516edf66cf032b44188fe3d7f3a16aef6

DarkComet

fd869766f1f735b4c1479ec1300fd63f4a203142e4ed0e6ac18f05d1cdba3ac8

DarkComet

+ 36 additional samples on MalwareBazaar

Result

Malware family:

darkcomet

Score:

10/10

Tags:

family:darkcomet evasion persistence rat trojan

Link:

https://tria.ge/reports/201106-wf8yw669na/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System policy modification

Views/modifies file attributes

Modifies registry class

Modifies service

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Windows security modification

Checks computer location settings

Disables RegEdit via registry modification

Executes dropped EXE

Sets file to hidden

Darkcomet

Modifies WinLogon for persistence

Modifies firewall policy service

Modifies security service

Windows security bypass

Unpacked files

SH256 hash:

67501a3aa2783a43062fd792fae2b3a77171faba3194d88eb76b25795e0f4be2

MD5 hash:

fd236c380e99ed5b45c483dc140b8bf2

SHA1 hash:

543526b68fc57a69d041463b521f408689fdc424

Detections:

win_darkcomet_g0

win_darkcomet_auto

Link:

https://www.unpac.me/results/16338aa6-d329-4548-8a74-119662b06874/

SH256 hash:

026e91dafd275be2fb4566be3b2540bd3417e263152c6be2a403f8e9d2373de5

MD5 hash:

66c56b30d75b441bbf95098d724451fd

SHA1 hash:

50536b79785425355671c7685aba011f3f6288c5

Detections:

win_nitol_auto

Link:

https://www.unpac.me/results/16338aa6-d329-4548-8a74-119662b06874/

Parent samples :

f462621dede3d3549e07ad96afb2e5a83cdde53c72a1f6ffd8991fab0d5bf520
5aa8b90ada476c908f1395556cfddea7ad4c1a8dc778aa3b4863b92c8877c026
69680d4c72acd442198c06b3b0965af97ee4ef29b57bb56469f1d40b6c573b48
351cb29f79ab4ce5a30bbc76d6a49135d1e6c9704884cb1f11a9b8a7fc5207e9

SH256 hash:

f462621dede3d3549e07ad96afb2e5a83cdde53c72a1f6ffd8991fab0d5bf520

MD5 hash:

e0d467443093da7d4657af093a638beb

SHA1 hash:

5001e2e1decef170eea09de61d56f122a4394669

Link:

https://www.unpac.me/results/16338aa6-d329-4548-8a74-119662b06874/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Intezer_Vaccine_DarkComet Create hunting rule
Author:	Intezer Labs
Description:	Automatic YARA vaccination rule created based on the file's genes
Reference:	https://analyze.intezer.com

Rule name:	IPPort_combo_mem Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	RAT_DarkComet Create hunting rule
Author:	Kevin Breen <kevin@techanarchy.net>
Description:	Detects DarkComet RAT
Reference:	http://malwareconfig.com/stats/DarkComet

Rule name:	win_darkcomet_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_icondown_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample