MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe19c0cd68bc2cf6045a8a0585ec0ed3f520d4093032f6a05759b8c408b5cce3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe19c0cd68bc2cf6045a8a0585ec0ed3f520d4093032f6a05759b8c408b5cce3
SHA3-384 hash: a41e8f64ea9820158ac239b59a399dea76025a9c5ee16727356dfb977ec8501a16c6520400d7b123c4d1cffc25f38bed
SHA1 hash: 5d99a04c6571be80d5d821b57635991134ed61dd
MD5 hash: e8a195651fbf63416a1a4c5fc241d5c6
humanhash: two-ink-helium-timing
File name:KexFN.exe
Download: download sample
File size:782'336 bytes
First seen:2020-10-05 02:36:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep 12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ufj:6nsJ39LyjbJkQFMhmC+6GD94
Threatray 318 similar samples on MalwareBazaar
TLSH C9F47D32F2D18477D1721B3D8C6BA3A5582ABE512E38794E7BF41E4C5F3D68128252E3
Reporter vm001cn
Tags:NjRAT RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68026/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Moving a recently created file
Searching for the window
Sending a UDP request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Deleting a recently created file
Running batch commands
Creating a process with a hidden window
Creating a file in the %temp% directory
Reading critical registry keys
Launching a process
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/480956
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (overwrites its own PE header)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Injects files into Windows application
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Writes or reads registry keys via WMI
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 292918 Sample: KexFN.exe Startdate: 05/10/2020 Architecture: WINDOWS Score: 100 63 cauth.me 2->63 65 xred.mooo.com 2->65 67 3 other IPs or domains 2->67 103 Multi AV Scanner detection for domain / URL 2->103 105 Antivirus detection for dropped file 2->105 107 Antivirus / Scanner detection for submitted sample 2->107 109 11 other signatures 2->109 11 KexFN.exe 1 6 2->11         started        15 EXCEL.EXE 23 15 2->15         started        18 Synaptics.exe 2->18         started        signatures3 process4 dnsIp5 55 C:\Users\user\Desktop\._cache_KexFN.exe, PE32 11->55 dropped 57 C:\ProgramData\Synaptics\Synaptics.exe, PE32 11->57 dropped 59 C:\ProgramData\Synaptics\RCXD6A6.tmp, PE32 11->59 dropped 61 C:\...\Synaptics.exe:Zone.Identifier, ASCII 11->61 dropped 125 Contains functionality to detect sleep reduction / modifications 11->125 20 ._cache_KexFN.exe 17 13 11->20         started        25 Synaptics.exe 63 11->25         started        87 192.168.2.1 unknown unknown 15->87 127 Injects files into Windows application 15->127 file6 signatures7 process8 dnsIp9 69 raw.githubusercontent.com 20->69 71 github.com 140.82.121.4, 443, 49724 GITHUBUS United States 20->71 77 3 other IPs or domains 20->77 43 C:\temp\filed.exe, PE32 20->43 dropped 45 C:\temp\WebBrowserPassView.exe, PE32 20->45 dropped 47 C:\Users\user\...\._cache_KexFN.exe.log, ASCII 20->47 dropped 53 2 other files (none is malicious) 20->53 dropped 111 Antivirus detection for dropped file 20->111 113 Detected unpacking (overwrites its own PE header) 20->113 115 Machine Learning detection for dropped file 20->115 27 wscript.exe 2 20->27         started        73 xred.site50.net 153.92.0.100, 49753, 49755, 49796 AWEXUS Germany 25->73 75 freedns.afraid.org 50.23.197.93, 49739, 80 SOFTLAYERUS United States 25->75 79 13 other IPs or domains 25->79 49 C:\Users\user\Documents\LSBIHQFDVT\~$cache1, PE32 25->49 dropped 51 C:\Users\user\AppData\Local\...\8FJqRAZn.xlsm, Microsoft 25->51 dropped 117 Multi AV Scanner detection for dropped file 25->117 119 Drops PE files to the document folder of the user 25->119 121 Creates HTML files with .exe extension (expired dropper behavior) 25->121 123 Contains functionality to detect sleep reduction / modifications 25->123 file10 signatures11 process12 process13 29 wscript.exe 27->29         started        process14 31 cmd.exe 29->31         started        process15 33 WebBrowserPassView.exe 31->33         started        36 findstr.exe 31->36         started        38 systeminfo.exe 31->38         started        40 19 other processes 31->40 dnsIp16 89 Multi AV Scanner detection for dropped file 33->89 91 Machine Learning detection for dropped file 33->91 93 Tries to harvest and steal browser information (history, passwords, etc) 33->93 95 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 36->95 97 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 36->97 99 Writes or reads registry keys via WMI 36->99 81 myexternalip.com 216.239.32.21, 443, 49765 GOOGLEUS United States 40->81 83 127.0.0.1 unknown unknown 40->83 85 discordapp.com 40->85 101 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 40->101 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe19c0cd68bc2cf6045a8a0585ec0ed3f520d4093032f6a05759b8c408b5cce3/
Threat name:
Win32.Backdoor.DarkComet
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 02:38:07 UTC
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0299150a64cbdf7b7ec5048b5ddab864171910cf4ed9da586a44caa2228be443
1a64802e01d94712cb6daf8339296b78cf0a7a81251e80937d01d975b31938dc
2eaf25d2c99eb49743060031a22428bb7c8e78a99869638cfe43b977dda57f22
422761ce807ba569d378b3130493e84a531d310d1ed8e0559d6313fdf91cd5b0
aed18091e44bb1a45419cd55517018c839a4c3463921c45b87f5ed7620a9a0c2
c9783969d5474b7035fab8eb6acfedd475ec7297cd8042f5a188b21c48b9491a
cc46386a34dedf7e75ceb2ca1d44cad29dfdd9822d85c2827fbfa114f3328dec
d59139b6c15fcf4c4ff16f195a07efc6183422c7ccaef5ff6b446d760365d9b3
eaf4c919002576a1aa5c7729d2f953d8c0fcc2c4d34b3597ec15c207ef026e05
f98bb09a67afe83ca7b041488f460d2a8b96224d77f21117d5b0076e04706dd4
+ 308 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/201005-k7q1ldkvw2/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Gathers system information
Modifies registry class
Program crash
Adds Run key to start application
JavaScript code in executable
Looks up external IP address via web service
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
fe19c0cd68bc2cf6045a8a0585ec0ed3f520d4093032f6a05759b8c408b5cce3
MD5 hash:
e8a195651fbf63416a1a4c5fc241d5c6
SHA1 hash:
5d99a04c6571be80d5d821b57635991134ed61dd
Link:
https://www.unpac.me/results/0f2fe8f3-cc17-4ded-9474-790b06e3c183/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkComet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe19c0cd68bc2cf6045a8a0585ec0ed3f520d4093032f6a05759b8c408b5cce3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/68026/

Comments