File name:

malware_for_sandbox_infected.rar

Full analysis: https://app.any.run/tasks/5b2f1a05-d21e-428c-a301-a17e26fd48d6
Verdict: Malicious activity
Threats:

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

Analysis date: April 15, 2025, 17:13:40
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
darkcomet
rat
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

09812CE65FC847E345962AB0CB829758

SHA1:

7B9055EF3730BE71AADD2AD633AA20BE6519269B

SHA256:

2E1CA373A52B7732AC54AD95B12CA8238C0994ACB33452372DC945503E828B08

SSDEEP:

24576:jDwV08v445RXDXBpreVcKzgyVKuZ+aj5yZAJyZJzECNdizNiR2D5rQGZpA5oldUt:jDwV/v445RXDXBpreVcKzgyVKuZ+aj5g

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the login/logoff helper path in the registry

      • 11.exe (PID: 7180)
    • Changes the autorun value in the registry

      • 11.exe (PID: 7180)
    • DARKCOMET mutex has been found

      • IMDCSC.exe (PID: 7196)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 7312)
      • 11.exe (PID: 7180)
    • Executable content was dropped or overwritten

      • 11.exe (PID: 7180)
    • Starts itself from another location

      • 11.exe (PID: 7180)
    • Connects to unusual port

      • IMDCSC.exe (PID: 7196)
  • INFO

    • The sample compiled with chinese language support

      • WinRAR.exe (PID: 7312)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 7312)
      • 11.exe (PID: 7180)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7312)
    • Reads the computer name

      • 11.exe (PID: 7180)
      • IMDCSC.exe (PID: 7196)
    • Checks supported languages

      • 11.exe (PID: 7180)
      • IMDCSC.exe (PID: 7196)
    • Process checks computer location settings

      • 11.exe (PID: 7180)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

FileVersion: RAR v4
CompressedSize: 275123
UncompressedSize: 675840
OperatingSystem: Win32
ModifyDate: 2015:03:06 12:15:28
PackingMethod: Normal
ArchivedFileName: 11.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
132
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe sppextcomobj.exe no specs slui.exe no specs 11.exe #DARKCOMET imdcsc.exe

Process information

PID
CMD
Path
Indicators
Parent process
7180"C:\Users\admin\AppData\Local\Temp\Rar$EXb7312.7619\11.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb7312.7619\11.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corp.
Integrity Level:
MEDIUM
Description:
Remote Service Application
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb7312.7619\11.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
7196"C:\Users\admin\Documents\DCSCMIN\IMDCSC.exe" C:\Users\admin\Documents\DCSCMIN\IMDCSC.exe
11.exe
User:
admin
Company:
Microsoft Corp.
Integrity Level:
MEDIUM
Description:
Remote Service Application
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\documents\dcscmin\imdcsc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
7312"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\malware_for_sandbox_infected.rarC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
7460C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7492"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
2 678
Read events
2 667
Write events
11
Delete events
0

Modification events

(PID) Process:(7312) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(7312) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(7312) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(7312) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\malware_for_sandbox_infected.rar
(PID) Process:(7312) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(7312) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(7312) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(7312) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(7312) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
1
(PID) Process:(7180) 11.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:DarkComet RAT
Value:
C:\Users\admin\Documents\DCSCMIN\IMDCSC.exe
Executable files
5
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
7312WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb7312.7619\12.exeexecutable
MD5:04B70D4D71892626CC3F840E7482EC46
SHA256:8884280995B92D4B122CF69EF707F43681120302EA2A81049E6AEC2F1ECF8472
7312WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb7312.7619\11.exeexecutable
MD5:0D408AB23A49D8C7B29ED5420D2764D0
SHA256:57993591E0A2D3AB678CA1845C0544B7CB689D8AE470AF4897335FF2CE24BED9
7312WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb7312.7619\14.exeexecutable
MD5:088414651E9415D53A62A691C5728A66
SHA256:B27A7D457D5F9B88D8ACFB20EB938017D74B3A1EBCC82379B987E5963BC0D109
718011.exeC:\Users\admin\Documents\DCSCMIN\IMDCSC.exeexecutable
MD5:0D408AB23A49D8C7B29ED5420D2764D0
SHA256:57993591E0A2D3AB678CA1845C0544B7CB689D8AE470AF4897335FF2CE24BED9
7312WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb7312.7619\18.exeexecutable
MD5:39053070221731475E730D1BE9BBBD20
SHA256:86DB2B85EE8BAFB506518366FFE89EE7CACCE765D8803465688973DDD228FE43
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
21
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
8024
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
8024
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.20:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2112
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
google.com
  • 172.217.18.110
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.20
  • 40.126.32.134
  • 40.126.32.133
  • 20.190.160.131
  • 20.190.160.66
  • 20.190.160.64
  • 20.190.160.5
  • 40.126.32.140
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

No threats detected
No debug info