analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DarkComet_TR.rar

Full analysis: https://app.any.run/tasks/b699b693-8ad1-43d6-8113-7530ee4451bc
Verdict: Malicious activity
Analysis date: December 21, 2021, 16:07:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

D4D5D007D04119A68D5A0D3037094812

SHA1:

A8107C010711D0A381EF3A94C903C55E33089A80

SHA256:

236D4D5EE68DEF3B09E759973999E47AD40CE3086615D695C9E949293D85A21B

SSDEEP:

24576:sY12I6Gxfjz/Lp5w/C3a5sGl89XQHS7/gGt7yJf9c9X:aBwPlOC3ksGnHS7efWX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • DarkComet_TR.exe (PID: 880)
      • msdcsc.exe (PID: 2876)

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3400)

    • Changes the login/logoff helper path in the registry

      • DarkComet_TR.exe (PID: 880)

    • Drops executable file immediately after starts

      • DarkComet_TR.exe (PID: 880)

    • Changes the autorun value in the registry

      • DarkComet_TR.exe (PID: 880)
      • msdcsc.exe (PID: 2876)

    • Changes Security Center notification settings

      • msdcsc.exe (PID: 2876)

  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 2620)
      • msdcsc.exe (PID: 2876)
      • DarkComet_TR.exe (PID: 880)

    • Reads the date of Windows installation

      • DarkComet_TR.exe (PID: 880)

    • Checks supported languages

      • WinRAR.exe (PID: 2620)
      • msdcsc.exe (PID: 2876)
      • DarkComet_TR.exe (PID: 880)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2620)
      • DarkComet_TR.exe (PID: 880)

    • Starts itself from another location

      • DarkComet_TR.exe (PID: 880)

    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 2620)

  • INFO

    • Checks supported languages

      • notepad.exe (PID: 2500)
      • notepad.exe (PID: 2700)

    • Manual execution by user

      • DarkComet_TR.exe (PID: 880)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe searchprotocolhost.exe no specs darkcomet_tr.exe notepad.exe no specs msdcsc.exe notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2620"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DarkComet_TR.rar"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
3400"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
880"C:\Users\admin\Desktop\DarkComet\DarkComet_TR.exe" C:\Users\admin\Desktop\DarkComet\DarkComet_TR.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corp.
Integrity Level:
MEDIUM
Description:
Remote Service Application
Exit code:
0
Version:
1, 0, 0, 1
2500notepadC:\Windows\system32\notepad.exeDarkComet_TR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2876"C:\Users\admin\Desktop\DESKTOP\msdcsc.exe" C:\Users\admin\Desktop\DESKTOP\msdcsc.exe
DarkComet_TR.exe
User:
admin
Company:
Microsoft Corp.
Integrity Level:
MEDIUM
Description:
Remote Service Application
Version:
1, 0, 0, 1
2700notepadC:\Windows\system32\notepad.exemsdcsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 947
Read events
2 863
Write events
84
Delete events
0

Modification events

(PID) Process:(2620) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2620) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2620) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2620) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(2620) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(2620) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\DarkComet_TR.rar
(PID) Process:(2620) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2620) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2620) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2620) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
3
Suspicious files
1
Text files
2
Unknown types
1

Dropped files

PID
Process
Filename
Type
2620WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2620.279\DarkComet\comet.dbsqlite
MD5:741E20F201B66C0F744E6668EB2D93AE
SHA256:8B77089D895F98DFA0E0494220AB128C5B5A49A15EB9815CA55C5FE6915D3288
2620WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2620.279\DarkComet\D�zeltmeler Hakkinda.txttext
MD5:F139C4E9DBB2EBCD05F314BF57D3C678
SHA256:AFE8C7739041ADE5AD56A0C73413C93C649B19D5F92A36B2AD55C46DB476951E
2620WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2620.279\DarkComet\config.iniini
MD5:976AAA9F73E52D20CECE42C6FCA7405B
SHA256:46BEE605A573A5807B568FAFBF6BE8DB0DE66CB2EAE171C16AD87E4BB2AD1756
880DarkComet_TR.exeC:\Users\admin\Desktop\DESKTOP\msdcsc.exeexecutable
MD5:CE37AD03D245322EFC0D0D85FF61CB34
SHA256:78274F7CEA0A1DCBFD2309E74DEE9B4B76088330A1633466410895DA15AF4C09
2620WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2620.279\DarkComet\DarkComet_TR.exeexecutable
MD5:CE37AD03D245322EFC0D0D85FF61CB34
SHA256:78274F7CEA0A1DCBFD2309E74DEE9B4B76088330A1633466410895DA15AF4C09
2620WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2620.279\DarkComet\GeoIP.datbinary
MD5:B64EA0C3E9617CCD2F22D8568676A325
SHA256:432E12E688449C2CF1B184C94E2E964F9E09398C194888A7FE1A5B1F8CF3059B
2620WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2620.279\DarkComet\sqlite3.dllexecutable
MD5:D3979DB259F55D59B4EDB327673C1905
SHA256:043E5570299C6099756C1809C5632EABEAB95ED3C1A55C86843C0EC218940E5A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
8
DNS requests
3
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3.133.207.110:10153
4.tcp.ngrok.io
US
malicious
2876
msdcsc.exe
3.133.207.110:10153
4.tcp.ngrok.io
US
malicious

DNS requests

Domain
IP
Reputation
www.microsoft.com
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared
4.tcp.ngrok.io
  • 3.133.207.110
malicious

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY DNS Query to a *.ngrok domain (ngrok.io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
DarkComet_TR.rar