MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa3981228b5b124a8b51fa64f8b6d5d05899165647dc50322b717d7ab63d4997. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkComet

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	fa3981228b5b124a8b51fa64f8b6d5d05899165647dc50322b717d7ab63d4997
SHA3-384 hash:	c62212290414084a682c1f98d712fa8de5ea7020a0de5d3dd074b334ff0e01b0e5fb59511dbd3ff0e866f04ecdb3c378
SHA1 hash:	c994c00fbd6b935f963be4bd548a202bda50cb07
MD5 hash:	7705cbb21d01877e944fda88286ac48a
humanhash:	uranus-avocado-leopard-arizona
File name:	file
Download:	download sample
Signature	DarkComet Create hunting rule
File size:	358'912 bytes
First seen:	2020-02-28 01:48:59 UTC
Last seen:	2020-02-28 01:52:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a38ad86d74cafc45094a5085e33419e4 (109 x DarkComet, 1 x njrat)
ssdeep	6144:WD7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZODavMMV3:Wl8E4w5huat7UovONzbXwtEMV
Threatray	29 similar samples on MalwareBazaar
TLSH	35741234F6DDA95FCC423AF354166AAE01B2FEA19D41524372FAB25F05F1193EC9220E
Reporter	johannes
Tags:	DarkComet

viql

darkcomet via https://pastebin.com/raw/WyNDZUxc

Intelligence

File Origin

# of uploads :

# of downloads :

476

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

Win32.Trojan.Delf

Status:

Malicious

First seen:

2020-01-13 00:51:00 UTC

AV detection:

31 of 31 (100.00%)

Threat level:

5/5

Verdict:

malicious

DarkComet

1ba1a86e6f5e0e1e2f1a596018465345a90822163264c05647e8155edb88ce64

DarkComet

52b6f57b2e7a9fc832227cc0ae02794e506358a295dadcf75387755a1b84b1ea

DarkComet

806edea6dcd7aba5324f6a3c9f1f9f84e80baf0667e76d0c1e44ffefbc0655b1

DarkComet

9a414edf4a549a14b576e23122187a56029f4277cccaaa40f20f3f30d9a4ab99

DarkComet

a6184cc11ae5e53a2c52fc668690561b0ed9b7217e0ff7c0b236bce30fba1da3

DarkComet

bbc8f1873aefb2518b9675fdda8446a2ba7dc159bab9bfd08b40e19b654ea8bb

DarkComet

e131a045dc4874ee4eed8e75af0faeecaf86a80e18f13b9845a8b6f57686beec

DarkComet

f52cc86d7cf14cdc0c501285f31418a702fb88fceb639e5c4b295f9d9bcadb29

DarkComet

fee0b02e4e0358d8025fa74d2780dd557c2de871e03a82b3dd7aadaf451ea1a3

DarkComet

+ 19 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence upx

Link:

https://tria.ge/reports/201109-1ak99cwnks/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Drops file in System32 directory

Adds Run key to start application

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

UPX packed file

Modifies WinLogon for persistence

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fa3981228b5b124a8b51fa64f8b6d5d05899165647dc50322b717d7ab63d4997

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	advapi32.dll::IsValidSid
MULTIMEDIA_API	Can Play Multimedia	msacm32.dll::acmStreamSize AVICAP32.DLL::capGetDriverDescriptionA winmm.dll::waveInOpen
SHELL_API	Manipulates System Shell	shell32.dll::ShellExecuteA
URL_MONIKERS_API	Can Download & Execute components	URLMON.DLL::URLDownloadToFileA
WIN_BASE_API	Uses Win Base API	ntdll.dll::NtQuerySystemInformation KERNEL32.DLL::LoadLibraryA
WIN_SOCK_API	Uses Network to send and receive data	WS2_32.DLL::WSAIoctl

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample