File name:

Darkcomet RAT 5.3.1.zip

Full analysis: https://app.any.run/tasks/c29086e5-5e04-43c2-8761-9e0167e3a0c0
Verdict: Malicious activity
Threats:

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

Malware Trends Tracker     >>>
Analysis date: January 05, 2024, 21:05:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
covid19
darkcomet
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

9F9347ECF2CC6541FB64ACD6FC0A5749

SHA1:

6C0D454EC2068D1C7D502A167CA02C8DAFD0B244

SHA256:

BFE9A76229E6E502B7C542007CD976DD3B5E0D26190CDF7CC8A5E5AAB0A63F7D

SSDEEP:

393216:Yia1rsEqp8mxBktqBEH3JM/qbxhbRLEJt5RXtW3hg:Yl1rsEqJxChH3coxhbePK3hg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • DARKCOMET has been detected (YARA)

      • DarkComet.exe (PID: 1740)

  • SUSPICIOUS

    • Reads settings of System Certificates

      • msdt.exe (PID: 2464)

    • Reads the Internet Settings

      • sdiagnhost.exe (PID: 1148)

    • Check the default browser

      • notepad++.exe (PID: 1504)

  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2020)
      • msdt.exe (PID: 2464)

    • Drops a (possible) Coronavirus decoy

      • WinRAR.exe (PID: 2020)

    • Process drops legitimate windows executable

      • msdt.exe (PID: 2464)

    • Manual execution by a user

      • notepad++.exe (PID: 1504)
      • DarkComet.exe (PID: 1740)

    • Reads security settings of Internet Explorer

      • sdiagnhost.exe (PID: 1148)
      • msdt.exe (PID: 2464)

    • Create files in a temporary directory

      • msdt.exe (PID: 2464)

    • Checks supported languages

      • DarkComet.exe (PID: 1740)

    • Reads the computer name

      • DarkComet.exe (PID: 1740)

    • Creates files or folders in the user directory

      • msdt.exe (PID: 2464)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2018:02:25 11:40:32
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Darkcomet RAT 5.3.1/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
8
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs notepad++.exe gup.exe iexplore.exe iexplore.exe no specs msdt.exe no specs sdiagnhost.exe no specs #DARKCOMET darkcomet.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1148C:\Windows\System32\sdiagnhost.exe -EmbeddingC:\Windows\System32\sdiagnhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Scripted Diagnostics Native Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sdiagnhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
1504"C:\Program Files\Notepad++\notepad++.exe" C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.51
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1740"C:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\DarkComet.exe" C:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\DarkComet.exe
explorer.exe
User:
admin
Company:
Unremote.org
Integrity Level:
MEDIUM
Description:
A remote administration tool from the cosmos
Exit code:
0
Version:
4.2.0.28
Modules
Images
c:\users\admin\desktop\darkcomet rat 5.3.1\darkcomet rat 5.3.1\darkcomet.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2020"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Darkcomet RAT 5.3.1.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2152"C:\Program Files\Internet Explorer\iexplore.exe" http://www.darkcomet-source.tk/C:\Program Files\Internet Explorer\iexplore.exe
notepad++.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2464 -modal 131714 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDFB2A3.tmp -ep NetworkDiagnosticsWebC:\Windows\System32\msdt.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Diagnostics Troubleshooting Wizard
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msdt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2700"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2152 CREDAT:267521 /prefetch:2C:\Program Files (x86)\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
3032"C:\Program Files\Notepad++\updater\gup.exe" -v7.51 -px64C:\Program Files\Notepad++\updater\GUP.exe
notepad++.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
4294967295
Version:
4.1
Modules
Images
c:\program files\notepad++\updater\gup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\notepad++\updater\libcurl.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wldap32.dll
Total events
5 046
Read events
4 918
Write events
126
Delete events
2

Modification events

(PID) Process:(2020) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2020) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(2020) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7AndW2K8R2-KB3191566-x64.zip
(PID) Process:(2020) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(2020) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\curl-8.5.0_3-win64-mingw.zip
(PID) Process:(2020) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2020) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2020) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2020) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2020) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1600000016000000D60300000B020000
Executable files
6
Suspicious files
150
Text files
70
Unknown types
1

Dropped files

PID
Process
Filename
Type
2020WinRAR.exeC:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\Celesty Binder\Lang\EN.initext
MD5:D5B95D8DBCDCC5BE0290067BE9043009
SHA256:48A43817F513A7DE5F033F842EA71DCEC7CFE45E2EDC87BE844E461D99E2572E
2020WinRAR.exeC:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\Celesty Binder\Lang\FR.initext
MD5:A8568B41DF3F0A47F875964E8FEEFA70
SHA256:F515EE7D43CF301FE771599C60E2771DB6F27E614AF6A4403771A0D99CB19BC7
2020WinRAR.exeC:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\Celesty Binder\Lang\ES.initext
MD5:4745B84E71D23454D2535CC608DE57D0
SHA256:EB0553309ACD121B01566C1CA297ED46E896E3AD11C486971E8FA7275A1FF061
2020WinRAR.exeC:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\Celesty Binder\Lang\GR.initext
MD5:8B35CDF90F3D89D2502E1F61B2BBF631
SHA256:FCA01673CB23ABD479B6D54D19A40A87E9D72B90ECC7F5D59AF14D192CC07C7C
2020WinRAR.exeC:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\Celesty Binder\Lang\AR.initext
MD5:4276808F92D3EFE8359CB03F9C45C9E1
SHA256:C4E0CD4D29594C9CB188DEAB7BB5F73FC6B3ED832468322ABC05B4E981C306C4
2020WinRAR.exeC:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\Celesty Binder\config.iniini
MD5:FACE4F2A1F63AB5DAF4456E3A46F62DC
SHA256:E529BCDCCA95735AEE7020A3B26312560584B78394CE971B3A729823DD148AAA
2020WinRAR.exeC:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\Celesty Binder\Lang\LV.initext
MD5:84E0FF162036F454D019B48BA6AF5F7A
SHA256:78F24B0B140943912A1130DA1ED3A20EB71126EE077793D19F990566FF633C3F
2020WinRAR.exeC:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\Celesty Binder\Lang\SR.initext
MD5:FDFC0EE3AD0F395E3078F600ED9BA689
SHA256:37DCDA2CD0682A3EDFE354111E0DD637BE6581A71E6C240AE5729CE9F6A05EF9
2020WinRAR.exeC:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\Celesty Binder\readme.txttext
MD5:EC0EB4AD970DC1D264BC6C6E7471428D
SHA256:BEC0F54669D35669D4E90E4AA588B96002B8A4E85048CE1CBF707F7F86AC250D
2020WinRAR.exeC:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\Celesty Binder\Lang\VN.initext
MD5:24874C298B575AE2AC496765AA5F3F6B
SHA256:B0B6AD746697E54CC76DCE834D963885D0284CCEEEB24DE62BE9EAF4BEE47EDD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
13
DNS requests
12
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
352
svchost.exe
GET
304
69.192.161.44:80
http://x1.c.lencr.org/
unknown
unknown
492
lsass.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d08926ec3acba225
unknown
compressed
4.66 Kb
unknown
2152
iexplore.exe
GET
304
152.199.19.161:443
https://iecvlist.microsoft.com/ie11blocklist/1401746408/versionlistWin7.xml
unknown
unknown
2152
iexplore.exe
GET
200
152.199.19.161:443
https://r20swj13mr.microsoft.com/ieblocklist/v1/urlblockindex.bin
unknown
binary
16 b
unknown
2152
iexplore.exe
GET
200
152.199.19.161:443
https://iecvlist.microsoft.com/IE11/1479242656000/iecompatviewlist.xml
unknown
xml
340 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1220
svchost.exe
239.255.255.250:3702
whitelisted
352
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
3032
GUP.exe
154.41.249.60:443
notepad-plus-plus.org
COGENT-174
US
unknown
492
lsass.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
352
svchost.exe
69.192.161.44:80
x1.c.lencr.org
AKAMAI-AS
DE
unknown
2152
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
EDGECAST
US
whitelisted
2152
iexplore.exe
72.21.81.200:443
r20swj13mr.microsoft.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
notepad-plus-plus.org
  • 154.41.249.60
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
x1.c.lencr.org
  • 69.192.161.44
whitelisted
www.darkcomet-source.tk
unknown
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 92.123.104.43
  • 92.123.104.63
  • 92.123.104.7
  • 92.123.104.49
  • 92.123.104.64
  • 92.123.104.51
  • 92.123.104.34
  • 92.123.104.11
  • 92.123.104.59
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 72.21.81.200
whitelisted

Threats

PID
Process
Class
Message
352
svchost.exe
Potentially Bad Traffic
ET DNS Query to a .tk domain - Likely Hostile
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Darkcomet RAT 5.3.1.zip