Malware analysis Darkcomet RAT 5.3.1.zip Malicious activity

Add for printing

File name:	Darkcomet RAT 5.3.1.zip
Full analysis:	https://app.any.run/tasks/78066446-3e1d-4861-b3d7-84e0cc6c621c
Verdict:	Malicious activity
Threats:	DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim. Malware Trends Tracker >>>
Analysis date:	August 15, 2024, 20:20:13
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	covid19 darkcomet
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	B81C14A01128F801AD3B976B9983662D
SHA1:	F618DCED3D25F65E524E9DCA116B6D54F9389F6D
SHA256:	8899EA5C26453CCF0855540A6215A5D4827C336E06BD067B83AFE5DB705CD64B
SSDEEP:	98304:+VCzJdxH9TQK4lHhqpYm2WtV3K5EjuRhOf9te/CP+MMcHWlbvHaaHkLNR+xRUOr/:JLj2LTH5exZi2/5NB6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - DarkComet.exe (PID: 3028)
  - msdcsc.exe (PID: 3076)
  - DarkComet.exe (PID: 5040)
  - DarkComet.exe (PID: 4788)
- Changes the login/logoff helper path in the registry
  - DarkComet.exe (PID: 3028)
- DARKCOMET has been detected (YARA)
  - msdcsc.exe (PID: 3076)
SUSPICIOUS
- Application launched itself
  - WinRAR.exe (PID: 6344)
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 2228)
  - WinRAR.exe (PID: 6344)
  - DarkComet.exe (PID: 3028)
- Executable content was dropped or overwritten
  - DarkComet.exe (PID: 3028)
- Drops the executable file immediately after the start
  - DarkComet.exe (PID: 3028)
- Start notepad (likely ransomware note)
  - DarkComet.exe (PID: 3028)
- Reads the date of Windows installation
  - DarkComet.exe (PID: 3028)
- Starts itself from another location
  - DarkComet.exe (PID: 3028)
- There is functionality for taking screenshot (YARA)
  - msdcsc.exe (PID: 3076)
- There is functionality for communication over UDP network (YARA)
  - msdcsc.exe (PID: 3076)
INFO
- Drops a (possible) Coronavirus decoy
  - WinRAR.exe (PID: 2228)
  - WinRAR.exe (PID: 6656)
- Creates files or folders in the user directory
  - DarkComet.exe (PID: 3028)
  - msdcsc.exe (PID: 3076)
- Checks supported languages
  - DarkComet.exe (PID: 3028)
  - msdcsc.exe (PID: 3076)
  - DarkComet.exe (PID: 6852)
  - DarkComet.exe (PID: 5040)
  - DarkComet.exe (PID: 4788)
  - TextInputHost.exe (PID: 6160)
- Reads the computer name
  - DarkComet.exe (PID: 3028)
  - msdcsc.exe (PID: 3076)
  - DarkComet.exe (PID: 5040)
  - DarkComet.exe (PID: 6852)
  - TextInputHost.exe (PID: 6160)
  - DarkComet.exe (PID: 4788)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2228)
  - WinRAR.exe (PID: 6656)
- Process checks computer location settings
  - DarkComet.exe (PID: 3028)
- Manual execution by a user
  - DarkComet.exe (PID: 6852)
  - DarkComet.exe (PID: 5040)
  - DarkComet.exe (PID: 4788)
  - Taskmgr.exe (PID: 6864)
  - Taskmgr.exe (PID: 4540)
- Reads security settings of Internet Explorer
  - Taskmgr.exe (PID: 4540)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	0x0008
ZipCompression:	Deflated
ZipModifyDate:	2024:08:15 23:19:26
ZipCRC:	0x5122c283
ZipCompressedSize:	8761838
ZipUncompressedSize:	8774001
ZipFileName:	Darkcomet RAT 5.3.1/Darkcomet 5.3.1.rar

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

145

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2228

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa6344.3552\Darkcomet 5.3.1.rar"

C:\Program Files\WinRAR\WinRAR.exe

WinRAR.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

2256

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

3028

"C:\Users\admin\AppData\Local\Temp\Rar$EXb2228.3852\Darkcomet 5.3.1\DarkComet.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXb2228.3852\Darkcomet 5.3.1\DarkComet.exe

WinRAR.exe

User:

admin

Company:

Microsoft Corp.

Integrity Level:

MEDIUM

Description:

Remote Service Application

Exit code:

Version:

1, 0, 0, 1

Modules

Images
c:\users\admin\appdata\local\temp\rar$exb2228.3852\darkcomet 5.3.1\darkcomet.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

3076

"C:\Users\admin\AppData\Roaming\MSDCSC\msdcsc.exe"

C:\Users\admin\AppData\Roaming\MSDCSC\msdcsc.exe

DarkComet.exe

User:

admin

Company:

Microsoft Corp.

Integrity Level:

MEDIUM

Description:

Remote Service Application

Version:

1, 0, 0, 1

Modules

Images
c:\users\admin\appdata\roaming\msdcsc\msdcsc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

4540

"C:\WINDOWS\system32\taskmgr.exe" /7

C:\Windows\System32\Taskmgr.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Manager

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll

4788

"C:\Users\admin\Desktop\Darkcomet 5.3.1\DarkComet.exe"

C:\Users\admin\Desktop\Darkcomet 5.3.1\DarkComet.exe

explorer.exe

User:

admin

Company:

Microsoft Corp.

Integrity Level:

MEDIUM

Description:

Remote Service Application

Exit code:

Version:

1, 0, 0, 1

Modules

Images
c:\users\admin\desktop\darkcomet 5.3.1\darkcomet.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\msvcp_win.dll

5040

"C:\Users\admin\Desktop\Darkcomet 5.3.1\DarkComet.exe"

C:\Users\admin\Desktop\Darkcomet 5.3.1\DarkComet.exe

explorer.exe

User:

admin

Company:

Microsoft Corp.

Integrity Level:

MEDIUM

Description:

Remote Service Application

Exit code:

Version:

1, 0, 0, 1

Modules

Images
c:\users\admin\desktop\darkcomet 5.3.1\darkcomet.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\msvcp_win.dll

6160

"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Version:

123.26505.0.0

Modules

Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

6344

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Darkcomet RAT 5.3.1.zip"

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

6656

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa6344.6730\Darkcomet 5.3.1.rar"

C:\Program Files\WinRAR\WinRAR.exe

WinRAR.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

Add for printing

Total events

27 534

Read events

27 421

Write events

112

Delete events

Modification events


(PID) Process:	(6344) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6344) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6344) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6344) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Darkcomet RAT 5.3.1.zip
(PID) Process:	(6344) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6344) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6344) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6344) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6344) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6344) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

Add for printing

Executable files

Suspicious files

268

Text files

101

Unknown types

Dropped files

PID	Process	Filename		Type
6344	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa6344.3552\Darkcomet 5.3.1.rar		—
		MD5:—	SHA256:—
2228	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2228.3852\Darkcomet 5.3.1\Celesty Binder\Celesty.exe		executable
		MD5:C3009EE63BC661D9EA75EAEB256448CA	SHA256:0BB88564A22BFD6D9AD6E4D8EFA9077792A7B6094C2A0F865D70C43E11507352
2228	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2228.3852\Darkcomet 5.3.1\Celesty Binder\Lang\ES.ini		text
		MD5:4745B84E71D23454D2535CC608DE57D0	SHA256:EB0553309ACD121B01566C1CA297ED46E896E3AD11C486971E8FA7275A1FF061
2228	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2228.3852\Darkcomet 5.3.1\Celesty Binder\Lang\AR.ini		text
		MD5:4276808F92D3EFE8359CB03F9C45C9E1	SHA256:C4E0CD4D29594C9CB188DEAB7BB5F73FC6B3ED832468322ABC05B4E981C306C4
2228	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2228.3852\Darkcomet 5.3.1\Celesty Binder\Lang\SE.ini		text
		MD5:A1EDF15F421E4735C5701F0EA648B35D	SHA256:19E6EC75FBAADE63C3CF862F08C7C736DE9374521B377CE3CFE55D23970381DA
2228	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2228.3852\Darkcomet 5.3.1\Celesty Binder\Lang\EN.ini		text
		MD5:D5B95D8DBCDCC5BE0290067BE9043009	SHA256:48A43817F513A7DE5F033F842EA71DCEC7CFE45E2EDC87BE844E461D99E2572E
2228	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2228.3852\Darkcomet 5.3.1\Celesty Binder\config.ini		text
		MD5:FACE4F2A1F63AB5DAF4456E3A46F62DC	SHA256:E529BCDCCA95735AEE7020A3B26312560584B78394CE971B3A729823DD148AAA
2228	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2228.3852\Darkcomet 5.3.1\Celesty Binder\readme.txt		text
		MD5:EC0EB4AD970DC1D264BC6C6E7471428D	SHA256:BEC0F54669D35669D4E90E4AA588B96002B8A4E85048CE1CBF707F7F86AC250D
2228	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2228.3852\Darkcomet 5.3.1\changelog.txt		text
		MD5:7A23E5B811DD52E99CBDB72A7FE4CE12	SHA256:7CF268D2FBBC3BB3E1CE2019D53F7C88B42F3BBCD4833AC69798D34FBD809DFE
2228	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2228.3852\Darkcomet 5.3.1\Celesty Binder\Lang\VN.ini		text
		MD5:24874C298B575AE2AC496765AA5F3F6B	SHA256:B0B6AD746697E54CC76DCE834D963885D0284CCEEEB24DE62BE9EAF4BEE47EDD

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5924	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6512	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6480	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4576	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3260	svchost.exe	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5336	SearchApp.exe	204.79.197.200:443	www.bing.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5924	svchost.exe	40.126.32.76:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5924	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
5336	SearchApp.exe	2.23.209.189:443	www.bing.com	Akamai International B.V.	GB	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146	whitelisted
google.com	216.58.206.78	whitelisted
client.wns.windows.com	40.115.3.253 40.113.110.67	whitelisted
www.bing.com	204.79.197.200 13.107.21.200 2.23.209.189 2.23.209.177 2.23.209.166 2.23.209.176 2.23.209.182 2.23.209.175 2.23.209.183 2.23.209.173 2.23.209.130	whitelisted
login.live.com	40.126.32.76 40.126.32.133 20.190.160.22 40.126.32.74 20.190.160.20 40.126.32.136 40.126.32.72 40.126.32.68	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
th.bing.com	2.23.209.189 2.23.209.185 2.23.209.187 2.23.209.177 2.23.209.183 2.23.209.179 2.23.209.130 2.23.209.181 2.23.209.182	whitelisted
arc.msn.com	20.223.35.26 20.199.58.43	whitelisted
fd.api.iris.microsoft.com	20.103.156.88	whitelisted
alfeed2.ddns.net	—	malicious

Threats

PID	Process	Class	Message
2256	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.ddns .net
2256	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.ddns .net
2256	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.ddns .net
2256	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.ddns .net
2256	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.ddns .net
2256	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.ddns .net
2256	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.ddns .net
2256	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.ddns .net
2256	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.ddns .net
2256	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.ddns .net

Add for printing

No debug info

General Info

Darkcomet RAT 5.3.1.zip

B81C14A01128F801AD3B976B9983662D

F618DCED3D25F65E524E9DCA116B6D54F9389F6D

8899EA5C26453CCF0855540A6215A5D4827C336E06BD067B83AFE5DB705CD64B

98304:+VCzJdxH9TQK4lHhqpYm2WtV3K5EjuRhOf9te/CP+MMcHWlbvHaaHkLNR+xRUOr/:JLj2LTH5exZi2/5NB6

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Changes the login/logoff helper path in the registry

DARKCOMET has been detected (YARA)

SUSPICIOUS

Application launched itself

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Drops the executable file immediately after the start

Start notepad (likely ransomware note)

Reads the date of Windows installation

Starts itself from another location

There is functionality for taking screenshot (YARA)

There is functionality for communication over UDP network (YARA)

INFO

Drops a (possible) Coronavirus decoy

Creates files or folders in the user directory

Checks supported languages

Reads the computer name

Executable content was dropped or overwritten

Process checks computer location settings

Manual execution by a user

Reads security settings of Internet Explorer

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings