analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

wb2.exe

Full analysis: https://app.any.run/tasks/14ce8a7b-b853-47ad-b056-507af958659a
Verdict: Malicious activity
Threats:

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

Malware Trends Tracker     >>>
Analysis date: March 31, 2020, 10:11:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
darkcomet
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

C4453A958F8B7C51C67DD299BB88B6B4

SHA1:

229D5AD5E21AD0A94D330607A155BF1F85357499

SHA256:

F8EC1D4F17205E498C03BEEC935C06CE7281A2309371268B1AEC022C860A71B7

SSDEEP:

6144:bcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37:bcW7KEZlPzCy37

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the login/logoff helper path in the registry

      • wb2.exe (PID: 3964)

    • Changes the autorun value in the registry

      • wb2.exe (PID: 3964)
      • msdcsc.exe (PID: 3504)

    • Changes Security Center notification settings

      • msdcsc.exe (PID: 3504)

    • DARKCOMET was detected

      • msdcsc.exe (PID: 3504)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • wb2.exe (PID: 3964)

    • Executable content was dropped or overwritten

      • wb2.exe (PID: 3964)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 3612)
      • cmd.exe (PID: 2888)

    • Starts itself from another location

      • wb2.exe (PID: 3964)

    • Connects to unusual port

      • msdcsc.exe (PID: 3504)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (38.2)
.exe | Win32 EXE Yoda's Crypter (37.5)
.dll | Win32 Dynamic Link Library (generic) (9.2)
.exe | Win32 Executable (generic) (6.3)
.exe | Win16/32 Executable Delphi generic (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:06:07 17:59:53+02:00
PEType: PE32
LinkerVersion: 2.25
CodeSize: 253952
InitializedDataSize: 4096
UninitializedDataSize: 487424
EntryPoint: 0xb58f0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.0.0.0
ProductVersionNumber: 4.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Remote Service Application
CompanyName: Microsoft Corp.
FileDescription: Remote Service Application
FileVersion: 1, 0, 0, 1
InternalName: MSRSAAPP
LegalCopyright: Copyright (C) 1999
OriginalFileName: MSRSAAP.EXE
ProductName: Remote Service Application
ProductVersion: 4, 0, 0, 0

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 07-Jun-2012 15:59:53
Detected languages:
  • English - United States
  • French - France
Comments: Remote Service Application
CompanyName: Microsoft Corp.
FileDescription: Remote Service Application
FileVersion: 1, 0, 0, 1
InternalName: MSRSAAPP
LegalCopyright: Copyright (C) 1999
OriginalFilename: MSRSAAP.EXE
ProductName: Remote Service Application
ProductVersion: 4, 0, 0, 0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 07-Jun-2012 15:59:53
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
UPX0
0x00001000
0x00077000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
UPX1
0x00078000
0x0003E000
0x0003DC00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.92413
.rsrc
0x000B6000
0x00001000
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.5198

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.34616
856
Latin 1 / Western European
French - France
RT_VERSION
2
7.02531
308
Latin 1 / Western European
English - United States
RT_CURSOR
3
7.16168
308
Latin 1 / Western European
English - United States
RT_CURSOR
4
7.32379
308
Latin 1 / Western European
English - United States
RT_CURSOR
5
7.17598
308
Latin 1 / Western European
English - United States
RT_CURSOR
6
7.15949
308
Latin 1 / Western European
English - United States
RT_CURSOR
7
7.1298
308
Latin 1 / Western European
English - United States
RT_CURSOR
4083
7.45862
524
Latin 1 / Western European
UNKNOWN
RT_STRING
4084
7.65064
1020
Latin 1 / Western European
UNKNOWN
RT_STRING
4085
6.84604
168
Latin 1 / Western European
UNKNOWN
RT_STRING

Imports

AVICAP32.DLL
KERNEL32.DLL
SHFolder.dll
URLMON.DLL
WS2_32.DLL
advapi32.dll
comctl32.dll
gdi32.dll
gdiplus.dll
msacm32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start wb2.exe cmd.exe no specs cmd.exe no specs notepad.exe no specs attrib.exe no specs attrib.exe no specs #DARKCOMET msdcsc.exe notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3964"C:\Users\admin\AppData\Local\Temp\wb2.exe" C:\Users\admin\AppData\Local\Temp\wb2.exe
explorer.exe
User:
admin
Company:
Microsoft Corp.
Integrity Level:
MEDIUM
Description:
Remote Service Application
Exit code:
0
Version:
1, 0, 0, 1
2888"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\admin\AppData\Local\Temp\wb2.exe" +s +hC:\Windows\System32\cmd.exewb2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3612"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\admin\AppData\Local\Temp" +s +hC:\Windows\System32\cmd.exewb2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
304notepadC:\Windows\system32\notepad.exewb2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3220attrib "C:\Users\admin\AppData\Local\Temp\wb2.exe" +s +hC:\Windows\system32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3868attrib "C:\Users\admin\AppData\Local\Temp" +s +hC:\Windows\system32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3504"C:\Users\admin\Documents\MSDCSC\msdcsc.exe" C:\Users\admin\Documents\MSDCSC\msdcsc.exe
wb2.exe
User:
admin
Company:
Microsoft Corp.
Integrity Level:
MEDIUM
Description:
Remote Service Application
Version:
1, 0, 0, 1
2848notepadC:\Windows\system32\notepad.exemsdcsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
584
Read events
514
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3964wb2.exeC:\Users\admin\Documents\MSDCSC\msdcsc.exeexecutable
MD5:C4453A958F8B7C51C67DD299BB88B6B4
SHA256:F8EC1D4F17205E498C03BEEC935C06CE7281A2309371268B1AEC022C860A71B7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3504
msdcsc.exe
176.40.67.65:1604
slowhead.duckdns.org
Tellcom Iletisim Hizmetleri A.s.
TR
malicious

DNS requests

Domain
IP
Reputation
slowhead.duckdns.org
  • 176.40.67.65
malicious

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3504
msdcsc.exe
A Network Trojan was detected
REMOTE [PTsecurity] DarkComet
3504
msdcsc.exe
A Network Trojan was detected
REMOTE [PTsecurity] Possible DarkComet-RAT activity
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
wb2.exe