File name: DarkComet 5.3.1.2.rar
Full analysis: https://app.any.run/tasks/5fb8bff0-6941-465f-bf5b-e0aaeb5a4cad
Verdict: Malicious activity
Analysis date: March 31, 2020, 07:16:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: covid19
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 76D337626913FF281E1AC0D6DF35FA72
SHA1: 43333E7E77C58B47087D5CA24FD99BC09D375FEE
SHA256: E3550AA28DA3B360FD874FF4AEB3A945374771BDC95D8B8C0EC18EC88DD2CA38
SSDEEP: 393216:PmcUW2P+MFbLZLx6HOrk9siI/hLqGexXOoGvj:mLFbtLh+si2JqGeA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • DarkComet.exe (PID: 3304)
      • upnp.exe (PID: 1832)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • DarkComet.exe (PID: 3304)
      • WinRAR.exe (PID: 3844)
  • INFO

    • Drops Coronavirus (possible) decoy

      • WinRAR.exe (PID: 3844)
    • Manual execution by user

      • DarkComet.exe (PID: 3304)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: DarkComet 5.3.1\Celesty Binder\Celesty.exe
PackingMethod: Normal
ModifyDate: 2011:10:19 08:58:27
OperatingSystem: Win32
UncompressedSize: 2871808
CompressedSize: 1191943
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (flattened; edge labels as rendered in the report)

start -> winrar.exe; drop and start -> darkcomet.exe -> upnp.exe

Process information

PID 3844: WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DarkComet 5.3.1.2.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 3304: DarkComet.exe
  CMD: "C:\Users\admin\Desktop\DarkComet 5.3.1\DarkComet.exe"
  Path: C:\Users\admin\Desktop\DarkComet 5.3.1\DarkComet.exe
  Parent process: explorer.exe
  User: admin
  Company: Unremote.org
  Integrity Level: MEDIUM
  Description: A remote administration tool from the cosmos
  Version: 4.2.0.28

PID 1832: upnp.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\upnp.exe" -a 192.168.100.73 1604 1604 TCP
  Path: C:\Users\admin\AppData\Local\Temp\upnp.exe
  Parent process: DarkComet.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
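The one behaviour in this run worth a detection is the last process: DarkComet.exe, started by hand from the Desktop, spawns upnp.exe out of %TEMP% with `-a 192.168.100.73 1604 1604 TCP`. 1604 is DarkComet's default listening port, and the argument shape reads as a UPnP port-mapping add request (external port 1604 to internal port 1604 over TCP, for the sandbox host's LAN address); that reading of upnp.exe's switches is an assumption here, since the report does not document them. The network section below records no connections, so whatever upnp.exe attempted left no traffic in this capture. The following Python is an added detection example written for this page, not code from ANY.RUN or from the report. It runs over process-creation events constructed from the process table (an assumed, simplified Sysmon Event ID 1-style field layout; explorer.exe's PID is not in the report, so it is left as None), flags executables launched from a user Temp directory, parses the UPnP mapping arguments and rates a hit on port 1604 as high, and rebuilds the launch lineage from the pid/ppid chain.

```python
"""Detection pass over process-creation events for the DarkComet run above.

Added example for this page, not ANY.RUN code. Field names are an assumed,
simplified Sysmon Event ID 1-style layout; the events are constructed from
the report's process table.
"""
import ntpath
import re

DARKCOMET_DEFAULT_PORT = 1604  # DarkComet's default listening port

# Constructed from the report (PID, parent, image, command line).
# explorer.exe's PID is not given in the report, so ppid is None there.
EVENTS = [
    {"pid": 3844, "ppid": None, "parent_image": "explorer.exe",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" '
                r'"C:\Users\admin\AppData\Local\Temp\DarkComet 5.3.1.2.rar"'},
    {"pid": 3304, "ppid": None, "parent_image": "explorer.exe",
     "image": r"C:\Users\admin\Desktop\DarkComet 5.3.1\DarkComet.exe",
     "cmdline": r'"C:\Users\admin\Desktop\DarkComet 5.3.1\DarkComet.exe"'},
    {"pid": 1832, "ppid": 3304, "parent_image": "DarkComet.exe",
     "image": r"C:\Users\admin\AppData\Local\Temp\upnp.exe",
     "cmdline": r'"C:\Users\admin\AppData\Local\Temp\upnp.exe" '
                r'-a 192.168.100.73 1604 1604 TCP'},
]

# Executable image located under a user's Local\Temp directory.
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

# upnp.exe -a <ip> <external port> <internal port> <TCP|UDP>
# (switch meaning assumed from the arguments observed in the report).
UPNP_ADD_RE = re.compile(
    r"upnp\.exe\"?\s+-a\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+(?P<ext>\d{1,5})\s+(?P<int>\d{1,5})\s+(?P<proto>TCP|UDP)\b",
    re.IGNORECASE,
)


def parse_upnp_add(cmdline):
    """Return the requested port mapping, or None if this is not an add request."""
    m = UPNP_ADD_RE.search(cmdline)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "external_port": int(m["ext"]),
        "internal_port": int(m["int"]),
        "proto": m["proto"].upper(),
    }


def lineage(event, by_pid):
    """Rebuild 'ancestor > ... > image' from the pid/ppid chain, falling back to
    the recorded parent image name when the parent event is not in the set.
    A seen-set guards against a malformed pid cycle."""
    chain = [ntpath.basename(event["image"])]
    seen = {event["pid"]}
    cur = event
    while True:
        parent = by_pid.get(cur["ppid"])
        if parent is None or parent["pid"] in seen:
            chain.append(ntpath.basename(cur["parent_image"]))
            break
        chain.append(ntpath.basename(parent["image"]))
        seen.add(parent["pid"])
        cur = parent
    return " > ".join(reversed(chain))


def analyze(events):
    """Apply both rules to every event and return a list of finding dicts."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        chain = lineage(e, by_pid)
        if USER_TEMP_RE.search(e["image"]):
            findings.append({"rule": "exec_from_temp", "pid": e["pid"],
                             "severity": "medium", "lineage": chain})
        mapping = parse_upnp_add(e["cmdline"])
        if mapping:
            on_default = DARKCOMET_DEFAULT_PORT in (mapping["external_port"],
                                                    mapping["internal_port"])
            findings.append({"rule": "upnp_port_mapping", "pid": e["pid"],
                             "severity": "high" if on_default else "medium",
                             "mapping": mapping, "lineage": chain})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Only PID 1832 trips either rule: WinRAR.exe runs from Program Files (the archive it opens sits in Temp, but the rule looks at the image, not the arguments) and DarkComet.exe runs from the Desktop. In a real pipeline the `exec_from_temp` rule needs an allow-list for installers that legitimately unpack to Temp; the UPnP rule is narrow enough to stand on its own.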
Total events: 1 255
Read events: 1 003
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 3
Suspicious files: 33
Text files: 49
Unknown types: 2

Dropped files

PID 3844, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb3844.33408\DarkComet 5.3.1\Celesty Binder\Lang\IT.ini (text)
  MD5: 1CB447996787264785C83D110C67AB13
  SHA256: 840DB2223BC47B37C44393BCE4CA8583D373EF6D70B6BC9143561190AA16CDCB
PID 3844, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb3844.33408\DarkComet 5.3.1\Celesty Binder\Lang\SE.ini (text)
  MD5: A1EDF15F421E4735C5701F0EA648B35D
  SHA256: 19E6EC75FBAADE63C3CF862F08C7C736DE9374521B377CE3CFE55D23970381DA
PID 3844, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb3844.33408\DarkComet 5.3.1\Celesty Binder\Lang\FR.ini (text)
  MD5: A8568B41DF3F0A47F875964E8FEEFA70
  SHA256: F515EE7D43CF301FE771599C60E2771DB6F27E614AF6A4403771A0D99CB19BC7
PID 3844, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb3844.33408\DarkComet 5.3.1\Celesty Binder\Lang\LV.ini (text)
  MD5: 84E0FF162036F454D019B48BA6AF5F7A
  SHA256: 78F24B0B140943912A1130DA1ED3A20EB71126EE077793D19F990566FF633C3F
PID 3844, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb3844.33408\DarkComet 5.3.1\Celesty Binder\Lang\NO.ini (text)
  MD5: 832AF9C517EA93DF140200EADFEB3BD6
  SHA256: 570A67620D3E396B4BAD5AE46F7D72A4654625C965BDF04BD23D9341E867AC46
PID 3844, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb3844.33408\DarkComet 5.3.1\Goodies\wallpaper_2.jpg (image)
  MD5: 11D20F268B9A0DBC43F95C93ABD30E30
  SHA256: 0A62D0CE4F2ECDEC5CE2F7596BBBF97ED14FD8793C247C32B65A91BA6084BDD9
PID 3844, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb3844.33408\DarkComet 5.3.1\Celesty Binder\Lang\VN.ini (text)
  MD5: 24874C298B575AE2AC496765AA5F3F6B
  SHA256: B0B6AD746697E54CC76DCE834D963885D0284CCEEEB24DE62BE9EAF4BEE47EDD
PID 3844, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb3844.33408\DarkComet 5.3.1\Celesty Binder\Lang\AR.ini (text)
  MD5: 4276808F92D3EFE8359CB03F9C45C9E1
  SHA256: C4E0CD4D29594C9CB188DEAB7BB5F73FC6B3ED832468322ABC05B4E981C306C4
PID 3844, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb3844.33408\DarkComet 5.3.1\Celesty Binder\Lang\EN.ini (text)
  MD5: D5B95D8DBCDCC5BE0290067BE9043009
  SHA256: 48A43817F513A7DE5F033F842EA71DCEC7CFE45E2EDC87BE844E461D99E2572E
PID 3844, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb3844.33408\DarkComet 5.3.1\Celesty Binder\Lang\ES.ini (text)
  MD5: 4745B84E71D23454D2535CC608DE57D0
  SHA256: EB0553309ACD121B01566C1CA297ED46E896E3AD11C486971E8FA7275A1FF061
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info