Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/01/2025, 02:28 UTC

General

  • Target

    da8b7400c560ffa402c051d820c245fe60922a49a3edb6db52a2a99112d46e54.exe

  • Size

    520KB

  • MD5

    a266f8d1087fdb7528c2c62a998be548

  • SHA1

    e4e313389b5ab5b452f5d7cd7c67a5aade214f4d

  • SHA256

    da8b7400c560ffa402c051d820c245fe60922a49a3edb6db52a2a99112d46e54

  • SHA512

    9832baeeb05a537a9778681d22c7e2f897081510cdc94a2b1c96ae1fa4d6d7c89f22f92b86c4c43dd2d74de28cf9789f8caeafa15fdd9bf515e7beeb48bc7e65

  • SSDEEP

    6144:f9GGo2CwtGg6eeihEfph2CMvvqqSaYwpncOeC66AOa0aFtVEQfTo1ozVqMbJ:f9fC3hh29Ya77A90aFtDfT5IMbJ

Malware Config

Extracted

Family

darkcomet

Botnet

PrivateEye

C2

ratblackshades.no-ip.biz:1604

Mutex

DC_MUTEX-ACC1R98

Attributes
  • gencode

    8GG5LVVGljSF

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility (ipconfig.exe) to view the network configuration.

  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\da8b7400c560ffa402c051d820c245fe60922a49a3edb6db52a2a99112d46e54.exe
    "C:\Users\Admin\AppData\Local\Temp\da8b7400c560ffa402c051d820c245fe60922a49a3edb6db52a2a99112d46e54.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Users\Admin\AppData\Local\Temp\da8b7400c560ffa402c051d820c245fe60922a49a3edb6db52a2a99112d46e54.exe
      "C:\Users\Admin\AppData\Local\Temp\da8b7400c560ffa402c051d820c245fe60922a49a3edb6db52a2a99112d46e54.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3448
        • C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4960
          • C:\Windows\SysWOW64\ipconfig.exe
            "C:\Windows\system32\ipconfig.exe"
            5⤵
            • Gathers network information
            PID:944
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 272
              6⤵
              • Program crash
              PID:5112
        • C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4484
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 944 -ip 944
    1⤵
      PID:1456
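The process tree above is the sequence a detection engineer wants to encode: the sample re-launches its own image (the SetThreadContext and WriteProcessMemory hits, i.e. hollowing), drops winupd.exe under AppData\Roaming\Microsoft and runs it with -notray, the copy spawns ipconfig.exe, and the dropped binary resolves the configured C2 ratblackshades.no-ip.biz. The Python below is an added example, not part of this report or any vendor's tooling; it runs those checks over Sysmon-style process-creation and DNS events. The events are constructed from this report's tree; the explorer.exe parent for PID 1100 and the svchost.exe lookup of dns.google are assumed benign neighbours. The dynamic-DNS rule generalises the C2 check to any .no-ip.biz name.

```python
import re
from collections import defaultdict

# Indicators copied from the report: C2 hostname, sample and dropped-file hashes, drop path.
C2_DOMAIN = "ratblackshades.no-ip.biz"
KNOWN_SHA256 = {
    "da8b7400c560ffa402c051d820c245fe60922a49a3edb6db52a2a99112d46e54",  # submitted sample
    "9cf0542bf3aeda3a942e0577408a6f7244eddb62f2b3fb94ca04b628be151f24",  # dropped winupd.exe
}
DROPPED_RE = re.compile(r"\\appdata\\roaming\\microsoft\\winupd\.exe$")
APPDATA_RE = re.compile(r"\\appdata\\")
DDNS_SUFFIX = ".no-ip.biz"   # provider seen here; extend for other DDNS services


def find_darkcomet_activity(events):
    """Scan Sysmon-style process-create and DNS-query events (dicts) and return
    a list of (rule_name, pid) hits. Paths are compared case-insensitively."""
    hits = []
    for ev in events:
        pid = ev["pid"]
        if ev["kind"] == "process":
            image = ev["image"].lower()
            parent = ev.get("parent_image", "").lower()
            # A binary re-launching its own image, then writing into the child
            # (WriteProcessMemory / SetThreadContext) is the hollowing pattern.
            if image and image == parent:
                hits.append(("self_spawn_possible_hollowing", pid))
            # The payload copied to %APPDATA%\Microsoft\winupd.exe is executed.
            if DROPPED_RE.search(image):
                hits.append(("dropped_winupd_execution", pid))
            # Network discovery launched by something living under AppData.
            if image.endswith("\\ipconfig.exe") and APPDATA_RE.search(parent):
                hits.append(("ipconfig_from_appdata_parent", pid))
            if ev.get("sha256", "").lower() in KNOWN_SHA256:
                hits.append(("known_hash", pid))
        elif ev["kind"] == "dns":
            query = ev["query"].lower().rstrip(".")
            if query == C2_DOMAIN:
                hits.append(("c2_domain_lookup", pid))
            elif query.endswith(DDNS_SUFFIX):
                hits.append(("dynamic_dns_lookup", pid))
    return hits


def summarize(hits):
    """Group hits as {rule_name: sorted unique pids}."""
    grouped = defaultdict(set)
    for rule, pid in hits:
        grouped[rule].add(pid)
    return {rule: sorted(pids) for rule, pids in grouped.items()}


# Constructed events mirroring this report's tree. The explorer.exe parent of
# PID 1100 and the svchost.exe dns.google lookup are assumptions, not from the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\da8b7400c560ffa402c051d820c245fe60922a49a3edb6db52a2a99112d46e54.exe")
WINUPD = r"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
SAMPLE_SHA = "da8b7400c560ffa402c051d820c245fe60922a49a3edb6db52a2a99112d46e54"
WINUPD_SHA = "9cf0542bf3aeda3a942e0577408a6f7244eddb62f2b3fb94ca04b628be151f24"

EVENTS = [
    {"kind": "process", "pid": 1100, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe", "sha256": SAMPLE_SHA},
    {"kind": "process", "pid": 4632, "image": SAMPLE, "parent_image": SAMPLE, "sha256": SAMPLE_SHA},
    {"kind": "process", "pid": 3448, "image": WINUPD, "parent_image": SAMPLE, "cmdline": WINUPD + " -notray", "sha256": WINUPD_SHA},
    {"kind": "process", "pid": 4960, "image": WINUPD, "parent_image": WINUPD, "sha256": WINUPD_SHA},
    {"kind": "process", "pid": 944, "image": r"C:\Windows\SysWOW64\ipconfig.exe", "parent_image": WINUPD},
    {"kind": "dns", "pid": 4960, "image": WINUPD, "query": "ratblackshades.no-ip.biz"},
    {"kind": "dns", "pid": 5000, "image": r"C:\Windows\System32\svchost.exe", "query": "dns.google"},
]

if __name__ == "__main__":
    for rule, pids in sorted(summarize(find_darkcomet_activity(EVENTS)).items()):
        print(f"{rule:32} pids={pids}")
```

The hash rule is the most brittle (a rebuilt stub changes it), the self-spawn and AppData-parent rules are behavioural and survive re-packing, and the C2 rule is the one to feed a DNS blocklist from the Malware Config section; note that install and persistence are both false in that config, so this build does not write a Run key and the dropped winupd.exe is the only on-disk artefact to hunt for.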

    Network

    • DNS (US)  8.8.8.8.in-addr.arpa  IN PTR  via 8.8.8.8:53
      Response: dns.google
    • DNS (US)  154.239.44.20.in-addr.arpa  IN PTR  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  20.49.80.91.in-addr.arpa  IN PTR  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  136.32.126.40.in-addr.arpa  IN PTR  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  95.221.229.192.in-addr.arpa  IN PTR  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  196.249.167.52.in-addr.arpa  IN PTR  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  212.20.149.52.in-addr.arpa  IN PTR  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  18.31.95.13.in-addr.arpa  IN PTR  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  181.129.81.91.in-addr.arpa  IN PTR  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  ratblackshades.no-ip.biz  IN A  from winupd.exe  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  ratblackshades.no-ip.biz  IN A  from winupd.exe  via 8.8.8.8:53
      Response: none recorded
    • DNS (US)  ratblackshades.no-ip.biz  IN A  from winupd.exe  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  ratblackshades.no-ip.biz  IN A  from winupd.exe  via 8.8.8.8:53
      Response: none recorded
    • DNS (US)  ratblackshades.no-ip.biz  IN A  from winupd.exe  via 8.8.8.8:53
      Response: none recorded
    • DNS (US)  ratblackshades.no-ip.biz  IN A  from winupd.exe  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  ratblackshades.no-ip.biz  IN A  from winupd.exe  via 8.8.8.8:53
      Response: none recorded
    • DNS (US)  133.130.81.91.in-addr.arpa  IN PTR  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  ratblackshades.no-ip.biz  IN A  from winupd.exe  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  ratblackshades.no-ip.biz  IN A  from winupd.exe  via 8.8.8.8:53
      Response: none recorded
    • DNS (US)  ratblackshades.no-ip.biz  IN A  from winupd.exe  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  ratblackshades.no-ip.biz  IN A  from winupd.exe  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  ratblackshades.no-ip.biz  IN A  from winupd.exe  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  ratblackshades.no-ip.biz  IN A  from winupd.exe  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  83.210.23.2.in-addr.arpa  IN PTR  via 8.8.8.8:53
      Response: a2-23-210-83.deploy.static.akamaitechnologies.com
    • DNS (US)  ratblackshades.no-ip.biz  IN A  from winupd.exe  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  11.227.111.52.in-addr.arpa  IN PTR  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  ratblackshades.no-ip.biz  IN A  from winupd.exe  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  ratblackshades.no-ip.biz  IN A  from winupd.exe  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  ratblackshades.no-ip.biz  IN A  from winupd.exe  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  ratblackshades.no-ip.biz  IN A  from winupd.exe  via 8.8.8.8:53
      Response: (empty)
    • DNS (US)  ratblackshades.no-ip.biz  IN A  from winupd.exe  via 8.8.8.8:53
      Response: (empty)

    Per-destination DNS summary (bytes sent, bytes received, requests, responses):

    Remote address  Domain                        Protocol  Process     Sent    Received  Req  Resp
    8.8.8.8:53      8.8.8.8.in-addr.arpa          dns       -            66 B    90 B     1    1
    8.8.8.8:53      154.239.44.20.in-addr.arpa    dns       -            72 B   158 B     1    1
    8.8.8.8:53      20.49.80.91.in-addr.arpa      dns       -            70 B   145 B     1    1
    8.8.8.8:53      136.32.126.40.in-addr.arpa    dns       -            72 B   158 B     1    1
    8.8.8.8:53      95.221.229.192.in-addr.arpa   dns       -            73 B   144 B     1    1
    8.8.8.8:53      196.249.167.52.in-addr.arpa   dns       -            73 B   147 B     1    1
    8.8.8.8:53      212.20.149.52.in-addr.arpa    dns       -            72 B   146 B     1    1
    8.8.8.8:53      18.31.95.13.in-addr.arpa      dns       -            70 B   144 B     1    1
    8.8.8.8:53      181.129.81.91.in-addr.arpa    dns       -            72 B   147 B     1    1
    8.8.8.8:53      ratblackshades.no-ip.biz      dns       winupd.exe  140 B   130 B     2    1
    8.8.8.8:53      ratblackshades.no-ip.biz      dns       winupd.exe  210 B   130 B     3    1
    8.8.8.8:53      ratblackshades.no-ip.biz      dns       winupd.exe  140 B   130 B     2    1
    8.8.8.8:53      133.130.81.91.in-addr.arpa    dns       -            72 B   147 B     1    1
    8.8.8.8:53      ratblackshades.no-ip.biz      dns       winupd.exe  140 B   130 B     2    1
    8.8.8.8:53      ratblackshades.no-ip.biz      dns       winupd.exe   70 B   130 B     1    1
    8.8.8.8:53      ratblackshades.no-ip.biz      dns       winupd.exe   70 B   130 B     1    1
    8.8.8.8:53      ratblackshades.no-ip.biz      dns       winupd.exe   70 B   130 B     1    1
    8.8.8.8:53      ratblackshades.no-ip.biz      dns       winupd.exe   70 B   130 B     1    1
    8.8.8.8:53      83.210.23.2.in-addr.arpa      dns       -            70 B   133 B     1    1
    8.8.8.8:53      ratblackshades.no-ip.biz      dns       winupd.exe   70 B   130 B     1    1
    8.8.8.8:53      11.227.111.52.in-addr.arpa    dns       -            72 B   158 B     1    1
    8.8.8.8:53      ratblackshades.no-ip.biz      dns       winupd.exe   70 B   130 B     1    1
    8.8.8.8:53      ratblackshades.no-ip.biz      dns       winupd.exe   70 B   130 B     1    1
    8.8.8.8:53      ratblackshades.no-ip.biz      dns       winupd.exe   70 B   130 B     1    1
    8.8.8.8:53      ratblackshades.no-ip.biz      dns       winupd.exe   70 B   130 B     1    1
    8.8.8.8:53      ratblackshades.no-ip.biz      dns       winupd.exe   70 B   130 B     1    1


    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

      Filesize

      520KB

      MD5

      aee8d71d6dbc3cf071c2da4557556976

      SHA1

      30dd963a0bd98685af7d7a37335be94dca34e674

      SHA256

      9cf0542bf3aeda3a942e0577408a6f7244eddb62f2b3fb94ca04b628be151f24

      SHA512

      3d9964b5923909f3f35e3bd5b4270a4f0f47ba44687cc689c198229000eeed2ab837cffed607a1a990d7e41b8ca55a397c5a44b62d1da832accb9aff128c51d4

    • memory/1100-3-0x0000000000400000-0x0000000000483000-memory.dmp

      Filesize

      524KB

    • memory/1100-2-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

    • memory/1100-9-0x0000000000400000-0x0000000000414000-memory.dmp

      Filesize

      80KB

    • memory/1100-10-0x0000000000400000-0x0000000000483000-memory.dmp

      Filesize

      524KB

    • memory/3448-22-0x0000000000400000-0x0000000000483000-memory.dmp

      Filesize

      524KB

    • memory/3448-34-0x0000000000400000-0x0000000000483000-memory.dmp

      Filesize

      524KB

    • memory/3448-26-0x0000000000400000-0x0000000000483000-memory.dmp

      Filesize

      524KB

    • memory/4484-44-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/4484-47-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/4484-51-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/4484-37-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/4484-38-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/4484-39-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/4484-41-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/4484-40-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/4484-36-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/4484-50-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/4484-29-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/4484-49-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/4484-48-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/4484-46-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/4484-45-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/4632-6-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/4632-20-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/4632-4-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/4632-19-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/4960-42-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/4960-35-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB
