File name:

f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f

Full analysis: https://app.any.run/tasks/73e0e5da-a074-45ef-91d9-3c9fabd4a4f5
Verdict: Malicious activity
Threats:

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

Malware Trends Tracker     >>>
Analysis date: November 28, 2024, 05:13:22
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
antivm
rat
darkcomet
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

09CB9813E999BA59898BCBA4516D5318

SHA1:

43D6C65649A4E10DEF375C053A4360C166DEA226

SHA256:

F7A315AD149382EB922905D63FCDE968805E24BA9E605EFEFD2713452478B04F

SSDEEP:

24576:7IZt0DMzmLXTMFlvHzdnzU1uMmUUhSnYIjJhKwru4z:7IZt0DMzmLXTMFlvTlzU1uMmUUhSnYIZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 6544)

    • DARKCOMET has been detected (SURICATA)

      • mcsft.exe (PID: 6600)

  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exe (PID: 6424)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6472)

    • Executable content was dropped or overwritten

      • f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exe (PID: 6424)

    • Starts CMD.EXE for commands execution

      • f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exe (PID: 6424)

    • Reads security settings of Internet Explorer

      • f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exe (PID: 6424)
      • mcsft.exe (PID: 6600)

    • Starts itself from another location

      • f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exe (PID: 6424)

    • Application launched itself

      • mcsft.exe (PID: 6576)

    • There is functionality for taking screenshot (YARA)

      • mcsft.exe (PID: 6600)

    • There is functionality for communication over UDP network (YARA)

      • mcsft.exe (PID: 6600)

    • Connects to unusual port

      • mcsft.exe (PID: 6600)

    • There is functionality for VM detection antiVM strings (YARA)

      • mcsft.exe (PID: 6600)

  • INFO

    • Reads the computer name

      • f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exe (PID: 6424)
      • mcsft.exe (PID: 6576)
      • mcsft.exe (PID: 6600)

    • Create files in a temporary directory

      • f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exe (PID: 6424)

    • Creates files or folders in the user directory

      • f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exe (PID: 6424)

    • The process uses the downloaded file

      • f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exe (PID: 6424)

    • Process checks computer location settings

      • f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exe (PID: 6424)

    • Checks supported languages

      • f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exe (PID: 6424)
      • mcsft.exe (PID: 6576)
      • mcsft.exe (PID: 6600)

    • Checks proxy server information

      • mcsft.exe (PID: 6600)

    • UPX packer has been detected

      • mcsft.exe (PID: 6600)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:02:23 22:42:53+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 569344
InitializedDataSize: 4096
UninitializedDataSize: 3387392
EntryPoint: 0x3c5f80
OSVersion: 4
ImageVersion: 24.1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 24.1.0.15
ProductVersionNumber: 24.1.0.15
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: WTGGJCLFY
CompanyName: MQCYBNAHT
FileDescription: HFUQOUDIC
ProductName: XEPEIQLZM
FileVersion: 24.01.0015
ProductVersion: 24.01.0015
InternalName: eaukjtd
OriginalFileName: eaukjtd.exe
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
125
Monitored processes
6
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exe cmd.exe no specs conhost.exe no specs reg.exe mcsft.exe no specs #DARKCOMET mcsft.exe

Process information

PID
CMD
Path
Indicators
Parent process
6424"C:\Users\admin\Desktop\f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exe" C:\Users\admin\Desktop\f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exe
explorer.exe
User:
admin
Company:
MQCYBNAHT
Integrity Level:
MEDIUM
Description:
HFUQOUDIC
Exit code:
0
Version:
24.01.0015
Modules
Images
c:\users\admin\desktop\f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
6472C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\uyqZT.bat" "C:\Windows\SysWOW64\cmd.exef7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6496\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6544REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoft" /t REG_SZ /d "C:\Users\admin\AppData\Roaming\mcsft.exe" /fC:\Windows\SysWOW64\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6576"C:\Users\admin\AppData\Roaming\mcsft.exe" C:\Users\admin\AppData\Roaming\mcsft.exef7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exe
User:
admin
Company:
MQCYBNAHT
Integrity Level:
MEDIUM
Description:
HFUQOUDIC
Exit code:
0
Version:
24.01.0015
Modules
Images
c:\users\admin\appdata\roaming\mcsft.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
6600C:\Users\admin\AppData\Roaming\mcsft.exeC:\Users\admin\AppData\Roaming\mcsft.exe
mcsft.exe
User:
admin
Company:
MQCYBNAHT
Integrity Level:
MEDIUM
Description:
HFUQOUDIC
Version:
24.01.0015
Modules
Images
c:\users\admin\appdata\roaming\mcsft.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
808
Read events
807
Write events
1
Delete events
0

Modification events

(PID) Process:(6544) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Mcrosoft
Value:
C:\Users\admin\AppData\Roaming\mcsft.exe
Executable files
2
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
6424f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exeC:\Users\admin\AppData\Local\Temp\uyqZT.battext
MD5:00ADBFF6DAEB73E56B0CAA0A367728EE
SHA256:C0C418DDF7EC4C6158BFD0D173527DF6A2D4330D19C06941C75E0AF9D5AF028A
6424f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exeC:\Users\admin\AppData\Roaming\mcsft.exeexecutable
MD5:8F0EC479793CBA642D0538008912221B
SHA256:944D5572F84353A025A923CE264FA0E18E2038DFB08F4C90306BFF2EA99F595A
6424f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exeC:\Users\admin\AppData\Local\Temp\uyqZT.txttext
MD5:00ADBFF6DAEB73E56B0CAA0A367728EE
SHA256:C0C418DDF7EC4C6158BFD0D173527DF6A2D4330D19C06941C75E0AF9D5AF028A
6424f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f.exeC:\Users\admin\AppData\Roaming\mcsft.txtexecutable
MD5:09CB9813E999BA59898BCBA4516D5318
SHA256:F7A315AD149382EB922905D63FCDE968805E24BA9E605EFEFD2713452478B04F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
25
DNS requests
9
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4804
RUXIMICS.exe
GET
200
23.216.77.21:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1468
svchost.exe
GET
200
23.216.77.21:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.216.77.21:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1468
svchost.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4804
RUXIMICS.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1468
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4804
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
92.123.104.59:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
6600
mcsft.exe
94.73.33.36:1604
ygo.no-ip.info
Xtra Telecom S.A.
ES
malicious
4804
RUXIMICS.exe
23.216.77.21:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1468
svchost.exe
23.216.77.21:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.216.77.21:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
www.bing.com
  • 92.123.104.59
  • 92.123.104.28
  • 92.123.104.34
  • 92.123.104.31
  • 92.123.104.60
  • 92.123.104.32
whitelisted
google.com
  • 142.250.184.238
whitelisted
ygo.no-ip.info
  • 94.73.33.36
unknown
crl.microsoft.com
  • 23.216.77.21
  • 23.216.77.41
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
self.events.data.microsoft.com
  • 104.208.16.95
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
6600
mcsft.exe
A Network Trojan was detected
ET MALWARE Backdoor.Win32.DarkComet Keepalive Outbound
6600
mcsft.exe
A Network Trojan was detected
ET MALWARE Backdoor.Win32.DarkComet Keepalive Outbound
6600
mcsft.exe
A Network Trojan was detected
ET MALWARE Backdoor.Win32.DarkComet Keepalive Outbound
6600
mcsft.exe
A Network Trojan was detected
ET MALWARE Backdoor.Win32.DarkComet Keepalive Outbound
6600
mcsft.exe
A Network Trojan was detected
ET MALWARE Backdoor.Win32.DarkComet Keepalive Outbound
6600
mcsft.exe
A Network Trojan was detected
ET MALWARE Backdoor.Win32.DarkComet Keepalive Outbound
6600
mcsft.exe
A Network Trojan was detected
ET MALWARE Backdoor.Win32.DarkComet Keepalive Outbound
6600
mcsft.exe
A Network Trojan was detected
ET MALWARE Backdoor.Win32.DarkComet Keepalive Outbound
2192
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
f7a315ad149382eb922905d63fcde968805e24ba9e605efefd2713452478b04f