Analysis Overview
SHA256
bfe9a76229e6e502b7c542007cd976dd3b5e0d26190cdf7cc8a5e5aab0a63f7d
Threat Level: Known bad
The file Darkcomet RAT 5.3.1.zip was found to be: Known bad.
Malicious Activity Summary
Darkcomet family
Darkcomet
Executes dropped EXE
UPX packed file
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-21 08:55
Signatures
Darkcomet family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 08:55
Reported
2024-06-21 08:59
Platform
win10v2004-20240508-en
Max time kernel
155s
Max time network
85s
Command Line
Signatures
Darkcomet
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\upnp.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\Darkcomet RAT 5.3.1\DarkComet.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\Darkcomet RAT 5.3.1\DarkComet.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Darkcomet RAT 5.3.1\DarkComet.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Darkcomet RAT 5.3.1\DarkComet.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Darkcomet RAT 5.3.1\DarkComet.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\Darkcomet RAT 5.3.1\DarkComet.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Darkcomet RAT 5.3.1\DarkComet.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Darkcomet RAT 5.3.1\DarkComet.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\Darkcomet RAT 5.3.1\DarkComet.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4824 wrote to memory of 3276 | N/A | C:\Users\Admin\Desktop\Darkcomet RAT 5.3.1\DarkComet.exe | C:\Users\Admin\AppData\Local\Temp\upnp.exe |
| PID 4824 wrote to memory of 3276 | N/A | C:\Users\Admin\Desktop\Darkcomet RAT 5.3.1\DarkComet.exe | C:\Users\Admin\AppData\Local\Temp\upnp.exe |
| PID 4824 wrote to memory of 3276 | N/A | C:\Users\Admin\Desktop\Darkcomet RAT 5.3.1\DarkComet.exe | C:\Users\Admin\AppData\Local\Temp\upnp.exe |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Darkcomet RAT 5.3.1.zip"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\Darkcomet RAT 5.3.1\DarkComet.exe
"C:\Users\Admin\Desktop\Darkcomet RAT 5.3.1\DarkComet.exe"
C:\Users\Admin\AppData\Local\Temp\upnp.exe
"C:\Users\Admin\AppData\Local\Temp\upnp.exe" -a 10.127.0.232 1604 1604 TCP
Network
Files
memory/4824-0-0x0000000002E90000-0x0000000002E91000-memory.dmp
memory/4824-1-0x0000000005B00000-0x0000000005B01000-memory.dmp
C:\Users\Admin\Desktop\Darkcomet RAT 5.3.1\config.ini
| Hash | Value |
| --- | --- |
| MD5 | 0a5baccb60ddf613c9ef2b18e0b1863f |
| SHA1 | 39bb75213fab1a7b9ab51089ef54f43086d8b1f3 |
| SHA256 | 21a222e00ea35f663dc6c397c0a0aa6d80e52187644b170cee9e186892a22f4e |
| SHA512 | b24b4e15fc975f81e5e5216cc098f8a34faeb5f7b3f10fe8f9f4a19157abe62f293b4687440434744e5c5284736a9a472fc5d04f5fda72e94fe5e7140b36de9b |
memory/4824-39-0x0000000000400000-0x0000000000F67000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\upnp.exe
| Hash | Value |
| --- | --- |
| MD5 | 13804f8dc4e72ba103d5e34de895c9db |
| SHA1 | 03d7a0500ccb2fef3222ed1eb55f2cbedbb8b8c5 |
| SHA256 | da659d8c05cfcb5f0abe167191665359123643000d12140836c28d204294ceb6 |
| SHA512 | 9abb98795a1b1c142c50c7c110966b4249972de5b1f40445b27d70c3127140b0ddaaada1d92297e96ffd71177b12cd87749953ffdcf6e5da7803b9f9527d7652 |