File name:

;.exe

Full analysis: https://app.any.run/tasks/9eae88c8-e918-4d6e-8822-ef95d2a925ad
Verdict: Malicious activity
Threats:

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

Malware Trends Tracker     >>>
Analysis date: June 29, 2024, 08:02:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
darkcomet
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

7C304756EF8E3A88C2D0465AE8CC8CEC

SHA1:

5944F325D01EC4FE522F7D4D27023EFBC71FFF35

SHA256:

C6B12302F351BDFF7CBB41E5B2D20F1EAC04F78F8CF8D7B02978294D7728CFD6

SSDEEP:

6144:1qcSRy5lG3vCXxGmhhWRP6zpRzlZOOS4Ofk1n8X42fyj7:UcSRqlG3QzkRPQhAB4D18Xhfyj7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • DARKCOMET has been detected (YARA)

      • ;.exe (PID: 1484)

    • Changes the login/logoff helper path in the registry

      • ;.exe (PID: 1484)

    • Changes the autorun value in the registry

      • ;.exe (PID: 1484)

    • Drops the executable file immediately after the start

      • ;.exe (PID: 1484)

  • SUSPICIOUS

    • Connects to unusual port

      • ;.exe (PID: 1484)

  • INFO

    • Checks supported languages

      • TextInputHost.exe (PID: 5952)
      • ;.exe (PID: 1484)

    • Reads the computer name

      • TextInputHost.exe (PID: 5952)
      • ;.exe (PID: 1484)

    • Creates files or folders in the user directory

      • ;.exe (PID: 1484)

    • UPX packer has been detected

      • ;.exe (PID: 1484)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (38.2)
.exe | Win32 EXE Yoda's Crypter (37.5)
.dll | Win32 Dynamic Link Library (generic) (9.2)
.exe | Win32 Executable (generic) (6.3)
.exe | Win16/32 Executable Delphi generic (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:06:07 15:59:53+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 233472
InitializedDataSize: 4096
UninitializedDataSize: 507904
EntryPoint: 0xb5060
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.0.0.0
ProductVersionNumber: 4.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Remote Service Application
CompanyName: Microsoft Corp.
FileDescription: Remote Service Application
FileVersion: 1, 0, 0, 1
InternalName: MSRSAAPP
LegalCopyright: Copyright (C) 1999
OriginalFileName: MSRSAAP.EXE
ProductName: Remote Service Application
ProductVersion: 4, 0, 0, 0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
142
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT ;.exe textinputhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1484"C:\Users\admin\AppData\Local\Temp\;.exe" C:\Users\admin\AppData\Local\Temp\;.exe
explorer.exe
User:
admin
Company:
Microsoft Corp.
Integrity Level:
MEDIUM
Description:
Remote Service Application
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\appdata\local\temp\;.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
5952"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mcaC:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Version:
123.26505.0.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
Total events
1 976
Read events
1 974
Write events
2
Delete events
0

Modification events

(PID) Process:(1484) ;.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Windows Defender
Value:
C:\WINDOWS\system32\DCSCMIN\CcRlMr79xxTl\IMDCSC.exe
(PID) Process:(1484) ;.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:writeName:UserInit
Value:
C:\Windows\system32\userinit.exe,C:\WINDOWS\system32\DCSCMIN\CcRlMr79xxTl\IMDCSC.exe
Executable files
0
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
1484;.exeC:\Users\admin\AppData\Roaming\dclogs\2024-06-29-7.dctext
MD5:3300E220A2C3982464C265E497E51D29
SHA256:A5A678ECD675357DD33E914D32ED0E75D9545B7D2CF357B1158903266B0DC065
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
67
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3040
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
unknown
1544
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
5764
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
3800
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
3800
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
6896
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown
6896
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
3680
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4656
SearchApp.exe
92.123.104.33:443
r.bing.com
Akamai International B.V.
DE
unknown
4
System
192.168.100.255:137
whitelisted
4032
svchost.exe
239.255.255.250:1900
whitelisted
1484
;.exe
10.0.2.15:1604
unknown
3800
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3792
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1132
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1544
svchost.exe
40.126.31.71:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1544
svchost.exe
192.229.221.95:80
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
r.bing.com
  • 92.123.104.33
  • 92.123.104.47
  • 92.123.104.61
  • 92.123.104.32
  • 92.123.104.52
  • 92.123.104.40
  • 92.123.104.28
  • 92.123.104.59
  • 92.123.104.43
whitelisted
login.live.com
  • 40.126.31.71
  • 20.190.159.75
  • 20.190.159.2
  • 40.126.31.73
  • 20.190.159.64
  • 20.190.159.73
  • 20.190.159.23
  • 20.190.159.68
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
self.events.data.microsoft.com
  • 52.168.112.66
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
www.bing.com
  • 92.123.104.28
  • 92.123.104.7
  • 92.123.104.22
  • 92.123.104.19
  • 92.123.104.32
  • 92.123.104.59
  • 92.123.104.52
  • 92.123.104.21
  • 92.123.104.33
whitelisted
th.bing.com
  • 92.123.104.33
  • 92.123.104.59
  • 92.123.104.22
  • 92.123.104.7
  • 92.123.104.32
  • 92.123.104.19
  • 92.123.104.21
  • 92.123.104.28
  • 92.123.104.52
whitelisted

Threats

No threats detected
No debug info