| Field | Value |
|---|---|
| File name | Exploit Pack www.yourhacker.in.zip |
| Full analysis | https://app.any.run/tasks/6aeba81f-5c4f-4639-b405-9763a39b9b54 |
| Verdict | Malicious activity |
| Threats | DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim. |
| Analysis date | May 21, 2022, 03:14:33 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v1.0 to extract |
| MD5 | 1556E689004D8F31DBD7D06EF5E05695 |
| SHA1 | 8C16FF871B70F74068F7D35A74FE27B444F9108E |
| SHA256 | E4A182083C97B29550D76D1496910A0EDA566C80BC03612BFAFCB48F8F79C50B |
| SSDEEP | 196608:QXK9KW9x6BqzgXDML/XRqUJjqIgZRvvx55BKBQIPzZ8J1I1fBMTiC64:kGCB0cDML/bJuhZRHn5BKPqJ1WSWCl |
| Attribute | Value |
|---|---|
| .zip | ZIP compressed archive (100) |
| ZipFileName | PDF Exploit Builder/ |
| ZipUncompressedSize | - |
| ZipCompressedSize | - |
| ZipCRC | 0x00000000 |
| ZipModifyDate | 2019:12:31 07:20:16 |
| ZipCompression | None |
| ZipBitFlag | - |
| ZipRequiredVersion | 10 |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3064 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Exploit Pack www.yourhacker.in.zip" | C:\Program Files\WinRAR\WinRAR.exe | | Explorer.EXE | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.91.0 |
| 2676 | "C:\Users\admin\Desktop\REG Exploit Builder.exe" | C:\Users\admin\Desktop\REG Exploit Builder.exe | | Explorer.EXE | User: admin; Company: Adobe Systems Incorporated; Integrity Level: MEDIUM; Description: Adobe Reader 9.0; Exit code: 0; Version: 9.0.0.2008061200 |
| 624 | "C:\Users\admin\Desktop\PDF Exploit Builder\PDF Exploit Builder.exe" | C:\Users\admin\Desktop\PDF Exploit Builder\PDF Exploit Builder.exe | | Explorer.EXE | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 3564 | "C:\Users\admin\AppData\Local\Temp\REG Exploit Builder.exe" | C:\Users\admin\AppData\Local\Temp\REG Exploit Builder.exe | | REG Exploit Builder.exe | User: admin; Integrity Level: MEDIUM; Exit code: 3221225547 |
| 3360 | "cmd.exe" | C:\Windows\system32\cmd.exe | | REG Exploit Builder.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2984 | reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\admin\AppData\Local\Temp\Macromed\FlashPlayerUpdateService.exe.lnk " /f | C:\Windows\system32\reg.exe | | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Registry Console Tool; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3968 | "C:\Users\admin\AppData\Local\Temp\svchost.exe" | C:\Users\admin\AppData\Local\Temp\svchost.exe | DarkComet (see configuration below) | REG Exploit Builder.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET ClickOnce Launch Utility; Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400) |
| 240 | C:\Windows\system32\cmd.exe /c C:\Users\admin\AppData\Local\Temp\Macromed\FlashPlayerUpdateService.exe.bat | C:\Windows\system32\cmd.exe | — | REG Exploit Builder.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2320 | timeout /t 300 | C:\Windows\system32\timeout.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: timeout - pauses command processing; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3388 | "C:\Users\admin\AppData\Local\Temp\PDF Exploit Builder.exe" | C:\Users\admin\AppData\Local\Temp\PDF Exploit Builder.exe | | PDF Exploit Builder.exe | User: admin; Integrity Level: MEDIUM; Exit code: 3221225547 |

DarkComet configuration extracted from (PID) Process (3968) svchost.exe:

| Field | Value |
|---|---|
| Offline keylogger | True |
| gencode | gRoaiSdA59FN FWB0 |
| sid | 3XPL01T |
| Mutex | DC_MUTEX-ULRUWYX |
| Version | #KCMDDC51# |
| C2 (1) | subdomain-dns.duckdns.org:3725 |
| (PID) Process | Key | Operation | Name | Value |
|---|---|---|---|---|
| (3064) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | |
| (3064) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | |
| (3064) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | write | LanguageList | en-US |
| (3064) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip |
| (3064) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip |
| (3064) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\Exploit Pack www.yourhacker.in.zip |
| (3064) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
| (3064) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
| (3064) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
| (3064) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3564 | REG Exploit Builder.exe | C:\Users\admin\AppData\Local\Temp\imdf.jpg | image | 0594266AAA63C395D265E25CE523CA71 | 16FF57559194EF46E06D86B92B756877ABA7F794D410444BD59F66A208B45D47 |
| 2676 | REG Exploit Builder.exe | C:\Users\admin\AppData\Local\Temp\Macromed\FlashPlayerUpdateService.exe.lnk | lnk | C453F56553800045A1FE7B2CE9833202 | A7B384D25279493BD4AA4B4B9BD3E69AA56B2FDF123392C57AB6BDD9B30498F4 |
| 3564 | REG Exploit Builder.exe | C:\Users\admin\AppData\Local\Temp\aut25C5.tmp | image | 0594266AAA63C395D265E25CE523CA71 | 16FF57559194EF46E06D86B92B756877ABA7F794D410444BD59F66A208B45D47 |
| 2676 | REG Exploit Builder.exe | C:\Users\admin\AppData\Local\Temp\REG Exploit Builder.exe | executable | DB10D08958A7E6EF1293EEF3FF814CF0 | 5EC4BEF1D77025B0F7B888C053DC089C10C7907EC7D84139D80C59CE88C95E9A |
| 2676 | REG Exploit Builder.exe | C:\Users\admin\AppData\Local\Temp\svchost.exe | executable | 30426476DE94A57F7807277BE471E32E | DA5C2D3E6B5E937DB77E725E1C4BE5D1A7C32B9DA24D2A93CB86736087C466D0 |
| 3064 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3064.10670\PDF Exploit Builder\PDF Exploit Builder.exe | executable | 9BE355706F21BA8F5DBD06224B7E5FED | F37AC82BE444ADFEBCDDC1A2A0E1A5BA1EF90394067265F51A771A3896690C17 |
| 3064 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3064.4443\Office Exploit Builder\Office Exploit Builder.exe | executable | 8D93FC41E0C81EEB49C21C3DFF98DBA0 | 594A74A9C410F18720BE87893B57302AF6647766FBBD16F5A1D5D8F402C21C4C |
| 3564 | REG Exploit Builder.exe | C:\Users\admin\AppData\Local\Temp\aut25D5.tmp | binary | CB68E4CE4BAC8B40E64064A76F765F76 | 45E7A6813B60E5F2F3E1F3B6E40AAC0380B61CC8C867DC3C975D7A946BA95431 |
| 2676 | REG Exploit Builder.exe | C:\Users\admin\AppData\Local\Temp\Macromed\FlashPlayerUpdateService.exe.bat | text | 095C7A8B83C6BEEAF339B69A345B25A5 | 819D11AE9B5F46CC509D2DA61AD7B5D574F259201761EF499A739435B8E0D389 |
| 3564 | REG Exploit Builder.exe | C:\Users\admin\AppData\Local\Temp\16.mp3 | mp3 | 0604FE07975C6953489625117E8C271B | 796394ADF1129CBDF55D8D7FAC67815D5CD0E9ED0B2D398804866B5667A13F8E |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3968 | svchost.exe | 84.220.40.120:3725 | subdomain-dns.duckdns.org | Tiscali SpA | IT | unknown |
| — | — | 84.220.40.120:3725 | subdomain-dns.duckdns.org | Tiscali SpA | IT | unknown |

| Domain | IP | Reputation |
|---|---|---|
| subdomain-dns.duckdns.org | | malicious |
| dns.msftncsi.com | | shared |

| PID | Process | Class | Message |
|---|---|---|---|
| — | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
| — | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |