File name:

Darkcomet RAT 5.3.1.zip

Full analysis: https://app.any.run/tasks/c29086e5-5e04-43c2-8761-9e0167e3a0c0
Verdict: Malicious activity
Threats:

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

Analysis date: January 05, 2024, 21:05:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
covid19
darkcomet
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

9F9347ECF2CC6541FB64ACD6FC0A5749

SHA1:

6C0D454EC2068D1C7D502A167CA02C8DAFD0B244

SHA256:

BFE9A76229E6E502B7C542007CD976DD3B5E0D26190CDF7CC8A5E5AAB0A63F7D

SSDEEP:

393216:Yia1rsEqp8mxBktqBEH3JM/qbxhbRLEJt5RXtW3hg:Yl1rsEqJxChH3coxhbePK3hg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • DARKCOMET has been detected (YARA)

      • DarkComet.exe (PID: 1740)
  • SUSPICIOUS

    • Reads settings of System Certificates

      • msdt.exe (PID: 2464)
    • Reads the Internet Settings

      • sdiagnhost.exe (PID: 1148)
    • Check the default browser

      • notepad++.exe (PID: 1504)
  • INFO

    • Process drops legitimate windows executable

      • msdt.exe (PID: 2464)
    • Reads security settings of Internet Explorer

      • sdiagnhost.exe (PID: 1148)
      • msdt.exe (PID: 2464)
    • Drops the executable file immediately after the start

      • msdt.exe (PID: 2464)
      • WinRAR.exe (PID: 2020)
    • Manual execution by a user

      • DarkComet.exe (PID: 1740)
      • notepad++.exe (PID: 1504)
    • Create files in a temporary directory

      • msdt.exe (PID: 2464)
    • Checks supported languages

      • DarkComet.exe (PID: 1740)
    • Reads the computer name

      • DarkComet.exe (PID: 1740)
    • Drops a (possible) Coronavirus decoy

      • WinRAR.exe (PID: 2020)
    • Creates files or folders in the user directory

      • msdt.exe (PID: 2464)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2018:02:25 11:40:32
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Darkcomet RAT 5.3.1/
No data.
All screenshots are available in the full report
Total processes
43
Monitored processes
8
Malicious processes
1
Suspicious processes
1

Behavior graph

Processes shown in the graph: winrar.exe, notepad++.exe, gup.exe, iexplore.exe, iexplore.exe, msdt.exe, sdiagnhost.exe, darkcomet.exe (#DARKCOMET)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1148
CMD: C:\Windows\System32\sdiagnhost.exe -Embedding
Path: C:\Windows\System32\sdiagnhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Scripted Diagnostics Native Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sdiagnhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 1504
CMD: "C:\Program Files\Notepad++\notepad++.exe"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.51
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1740
CMD: "C:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\DarkComet.exe"
Path: C:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\DarkComet.exe
Parent process: explorer.exe
User:
admin
Company:
Unremote.org
Integrity Level:
MEDIUM
Description:
A remote administration tool from the cosmos
Exit code:
0
Version:
4.2.0.28
Modules
Images
c:\users\admin\desktop\darkcomet rat 5.3.1\darkcomet rat 5.3.1\darkcomet.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 2020
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Darkcomet RAT 5.3.1.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2152
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.darkcomet-source.tk/
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: notepad++.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
PID: 2464
CMD: -modal 131714 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDFB2A3.tmp -ep NetworkDiagnosticsWeb
Path: C:\Windows\System32\msdt.exe
Parent process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Diagnostics Troubleshooting Wizard
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msdt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2700
CMD: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2152 CREDAT:267521 /prefetch:2
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 3032
CMD: "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 -px64
Path: C:\Program Files\Notepad++\updater\GUP.exe
Parent process: notepad++.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
4294967295
Version:
4.1
Modules
Images
c:\program files\notepad++\updater\gup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\notepad++\updater\libcurl.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wldap32.dll
Total events
5 046
Read events
4 918
Write events
126
Delete events
2

Modification events

(PID) Process: (2020) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US

(PID) Process: (2020) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (2020) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\Win7AndW2K8R2-KB3191566-x64.zip

(PID) Process: (2020) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\phacker.zip

(PID) Process: (2020) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\Desktop\curl-8.5.0_3-win64-mingw.zip

(PID) Process: (2020) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120

(PID) Process: (2020) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80

(PID) Process: (2020) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120

(PID) Process: (2020) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100

(PID) Process: (2020) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1600000016000000D60300000B020000
Executable files
6
Suspicious files
150
Text files
70
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 2020
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\Celesty Binder\Lang\NO.ini
Type: text
MD5: 832AF9C517EA93DF140200EADFEB3BD6
SHA256: 570A67620D3E396B4BAD5AE46F7D72A4654625C965BDF04BD23D9341E867AC46

PID: 2020
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\Celesty Binder\Lang\VN.ini
Type: text
MD5: 24874C298B575AE2AC496765AA5F3F6B
SHA256: B0B6AD746697E54CC76DCE834D963885D0284CCEEEB24DE62BE9EAF4BEE47EDD

PID: 2020
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\Celesty Binder\Celesty.exe
Type: executable
MD5: C3009EE63BC661D9EA75EAEB256448CA
SHA256: 0BB88564A22BFD6D9AD6E4D8EFA9077792A7B6094C2A0F865D70C43E11507352

PID: 2020
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\Celesty Binder\Lang\GR.ini
Type: text
MD5: 8B35CDF90F3D89D2502E1F61B2BBF631
SHA256: FCA01673CB23ABD479B6D54D19A40A87E9D72B90ECC7F5D59AF14D192CC07C7C

PID: 2020
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\Celesty Binder\readme.txt
Type: text
MD5: EC0EB4AD970DC1D264BC6C6E7471428D
SHA256: BEC0F54669D35669D4E90E4AA588B96002B8A4E85048CE1CBF707F7F86AC250D

PID: 2020
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\Celesty Binder\Lang\SE.ini
Type: text
MD5: A1EDF15F421E4735C5701F0EA648B35D
SHA256: 19E6EC75FBAADE63C3CF862F08C7C736DE9374521B377CE3CFE55D23970381DA

PID: 2020
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\GeoIP.dat
Type: binary
MD5: B64EA0C3E9617CCD2F22D8568676A325
SHA256: 432E12E688449C2CF1B184C94E2E964F9E09398C194888A7FE1A5B1F8CF3059B

PID: 2020
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\DarkComet.exe
Type: executable
MD5: D761F3AA64064A706A521BA14D0F8741
SHA256: 21CA06B18698D14154A45822AAAE1E3837D168CC7630BCD3EC3D8C68AAA959E6

PID: 2020
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\Celesty Binder\Lang\SR.ini
Type: text
MD5: FDFC0EE3AD0F395E3078F600ED9BA689
SHA256: 37DCDA2CD0682A3EDFE354111E0DD637BE6581A71E6C240AE5729CE9F6A05EF9

PID: 2020
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Darkcomet RAT 5.3.1\Darkcomet RAT 5.3.1\changelog.txt
Type: text
MD5: 7A23E5B811DD52E99CBDB72A7FE4CE12
SHA256: 7CF268D2FBBC3BB3E1CE2019D53F7C88B42F3BBCD4833AC69798D34FBD809DFE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
13
DNS requests
12
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
352
svchost.exe
GET
304
69.192.161.44:80
http://x1.c.lencr.org/
unknown
unknown
492
lsass.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d08926ec3acba225
unknown
compressed
4.66 Kb
unknown
2152
iexplore.exe
GET
304
152.199.19.161:443
https://iecvlist.microsoft.com/ie11blocklist/1401746408/versionlistWin7.xml
unknown
2152
iexplore.exe
GET
200
152.199.19.161:443
https://iecvlist.microsoft.com/IE11/1479242656000/iecompatviewlist.xml
unknown
xml
340 Kb
2152
iexplore.exe
GET
200
152.199.19.161:443
https://r20swj13mr.microsoft.com/ieblocklist/v1/urlblockindex.bin
unknown
binary
16 b

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1220
svchost.exe
239.255.255.250:3702
whitelisted
352
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
3032
GUP.exe
154.41.249.60:443
notepad-plus-plus.org
COGENT-174
US
unknown
492
lsass.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
352
svchost.exe
69.192.161.44:80
x1.c.lencr.org
AKAMAI-AS
DE
unknown
2152
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
EDGECAST
US
whitelisted
2152
iexplore.exe
72.21.81.200:443
r20swj13mr.microsoft.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
notepad-plus-plus.org
  • 154.41.249.60
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
x1.c.lencr.org
  • 69.192.161.44
whitelisted
www.darkcomet-source.tk
unknown
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 92.123.104.43
  • 92.123.104.63
  • 92.123.104.7
  • 92.123.104.49
  • 92.123.104.64
  • 92.123.104.51
  • 92.123.104.34
  • 92.123.104.11
  • 92.123.104.59
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 72.21.81.200
whitelisted

Threats

PID
Process
Class
Message
352
svchost.exe
Potentially Bad Traffic
ET DNS Query to a .tk domain - Likely Hostile

Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093