Overview

overview

10

Static

static

10

DarkComet-...er.zip

windows10-2004-x64

1

DarkComet-....1.zip

windows10-2004-x64

1

Darkcomet ...44.skn

windows10-2004-x64

3

Darkcomet ...45.skn

windows10-2004-x64

3

Darkcomet ...46.skn

windows10-2004-x64

3

Darkcomet ...47.skn

windows10-2004-x64

3

Darkcomet ...48.skn

windows10-2004-x64

3

Darkcomet ...49.skn

windows10-2004-x64

3

Darkcomet ...50.skn

windows10-2004-x64

3

Darkcomet ...51.skn

windows10-2004-x64

3

Darkcomet ...53.skn

windows10-2004-x64

3

Darkcomet ...54.skn

windows10-2004-x64

3

Darkcomet ...55.skn

windows10-2004-x64

3

Darkcomet ...56.skn

windows10-2004-x64

3

Darkcomet ...57.skn

windows10-2004-x64

3

Darkcomet ...58.skn

windows10-2004-x64

3

Darkcomet ...59.skn

windows10-2004-x64

3

Darkcomet ...61.skn

windows10-2004-x64

3

Darkcomet ...63.skn

windows10-2004-x64

3

Darkcomet ...64.skn

windows10-2004-x64

3

Darkcomet ...65.skn

windows10-2004-x64

3

Darkcomet ...66.skn

windows10-2004-x64

3

Darkcomet ...68.skn

windows10-2004-x64

3

Darkcomet ...71.skn

windows10-2004-x64

3

Darkcomet ...n8.skn

windows10-2004-x64

3

Darkcomet ...n9.skn

windows10-2004-x64

3

Darkcomet ...03.skn

windows10-2004-x64

3

Darkcomet ...99.skn

windows10-2004-x64

3

Darkcomet ...P2.skn

windows10-2004-x64

3

Darkcomet ...X3.skn

windows10-2004-x64

3

Darkcomet ...e3.dll

windows10-2004-x64

3

DarkComet-...DME.md

windows10-2004-x64

3

Analysis

  • max time kernel
    81s
  • max time network
    83s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/02/2025, 10:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Darkcomet RAT 5.3.1/skins/mxskin53.skn

  • Size

    49KB

  • MD5

    7eb5480a8e3d41286271a59bc5bcf680

  • SHA1

    8444a29d53766cc24afbbc0b57fdaee2732d6dee

  • SHA256

    7dc694d2c868db731b196f4379e8dcd47b007f2a693b0ac2467133418360d6e3

  • SHA512

    65f3d51e6923173446812c2b64aa2eaef931a88e8af99a120d7e8d59b9709b1e2bed0f9d47c7f450e1039d14bfa52edcf7eba426ff68ad144ee35d8a6f8b7943

  • SSDEEP

    768:SxfI1xbiLI8MNhryR5BsLT1+F/LDfrmzIAfkb/lixEFj1n9No7R41FPCMPuJMnW:YgV8aryLWLT2KzI7/lDR9NayGjmnW

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 18 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 13 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Darkcomet RAT 5.3.1\skins\mxskin53.skn"
    1⤵
    • Modifies registry class
    PID:848
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Darkcomet RAT 5.3.1\skins\mxskin53.skn"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Darkcomet RAT 5.3.1\skins\mxskin53.skn"
        3⤵
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1172
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 27352 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {072a642d-ca54-46df-9bf0-725a33585cd8} 1172 "\\.\pipe\gecko-crash-server-pipe.1172" gpu
          4⤵
            PID:1416
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2388 -prefsLen 28272 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e742ead5-d049-46f4-8358-5bf6083245e2} 1172 "\\.\pipe\gecko-crash-server-pipe.1172" socket
            4⤵
            • Checks processor information in registry
            PID:848
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2936 -childID 1 -isForBrowser -prefsHandle 1732 -prefMapHandle 3036 -prefsLen 28413 -prefMapSize 244628 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6a84bcc-02bf-4864-8c89-ae999dd427b5} 1172 "\\.\pipe\gecko-crash-server-pipe.1172" tab
            4⤵
              PID:4264
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3412 -childID 2 -isForBrowser -prefsHandle 3856 -prefMapHandle 3852 -prefsLen 32762 -prefMapSize 244628 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2ae9ea4-c386-4e73-99bc-1d74c8d7e0f9} 1172 "\\.\pipe\gecko-crash-server-pipe.1172" tab
              4⤵
                PID:1100
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4928 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4652 -prefMapHandle 4884 -prefsLen 32762 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdcc9d46-ea1e-41a7-a831-9d4c79a7e3e2} 1172 "\\.\pipe\gecko-crash-server-pipe.1172" utility
                4⤵
                • Checks processor information in registry
                PID:5608
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5288 -childID 3 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e0530dc-53c5-4c5f-84ff-049bfc4fe35f} 1172 "\\.\pipe\gecko-crash-server-pipe.1172" tab
                4⤵
                  PID:6084
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 4 -isForBrowser -prefsHandle 5504 -prefMapHandle 5512 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {356b663c-904f-43b8-a920-5d67d7d125f6} 1172 "\\.\pipe\gecko-crash-server-pipe.1172" tab
                  4⤵
                    PID:6104
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5764 -childID 5 -isForBrowser -prefsHandle 5684 -prefMapHandle 5688 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b82343d-10f8-4722-aae2-bd311e283524} 1172 "\\.\pipe\gecko-crash-server-pipe.1172" tab
                    4⤵
                      PID:6116
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\mxskin53.skn"
                1⤵
                  PID:5368
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\mxskin53.skn
                    2⤵
                    • Checks processor information in registry
                    PID:5384
                • C:\Windows\System32\rundll32.exe
                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  1⤵
                    PID:2908
                  • C:\Windows\system32\LogonUI.exe
                    "LogonUI.exe" /flags:0x4 /state0:0xa390c055 /state1:0x41c64e6d
                    1⤵
                    • Modifies data under HKEY_USERS
                    PID:1464

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\activity-stream.discovery_stream.json
                    Filesize

                    25KB

                    MD5

                    c6825ffe9257a17d1e40e7ae80875829

                    SHA1

                    010c4dc9a355a5ef75af72d3b7780d070ad492c4

                    SHA256

                    54f189b3379cb1c0bdebb1d5121a1bd4dd75a3f48e9d31a98a7c8b4cf5ad3a79

                    SHA512

                    0eed5a90017b3468b582558cce8323a43fc160766d0ad8ca1874e9ab596682b450b67b9ef4d951b0d7af6edf6e3c03251875e49b35e4ac0b657d85b4234e32eb

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    5KB

                    MD5

                    87ec234cdf88fd5bfaa94a957c2b0971

                    SHA1

                    b0d8e1a4b7a986e62dbf29956ab55bd5132f7284

                    SHA256

                    cbbd213bec9aaecfc36b4f5b3771d4756129cc019fd6e8df48de1d53028fde18

                    SHA512

                    d7de11f85f3b9da931765f5b5f3d99b94a6588a02ce80df01dd133eccf3c0ea5801fb6f75d57f7b6bd72a5f3bf2ebd686a7cb8b7b8f8fb679aa12e01abcb1ace

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\pending_pings\8316310c-b123-420e-9160-1e3e66424eee
                    Filesize

                    982B

                    MD5

                    fea3b439faa773bd1dde887d19ba9d99

                    SHA1

                    848211f45fcd447b7178eadefecbd55eff2141c8

                    SHA256

                    c8fc04a7fd747c7ede2823a238a2177e0522bedaca1349e0917fec50abe38188

                    SHA512

                    ad0d7a6d1dc660b3377bf8faf0de2ebde996d7a686d3b6e8416fff34496bfa3ba28491898da177e262c4e88e15c45f0fb630a9b2d5b37428128b74f565cfead4

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\pending_pings\a889cd43-241f-4470-bfec-9fa25a6416a2
                    Filesize

                    26KB

                    MD5

                    96cd4dddbbb1f8b8cd84f1808cb4f790

                    SHA1

                    7fb927f854ef9ee09c22a9ce0ab8761ed2107c19

                    SHA256

                    bb4b1187f4a5a1cb9b48af821e718675d7907f732bbd5bea0fddd0ae09bbd407

                    SHA512

                    0bdce14fce572814219384ae3bc2f2bd6c2070e4ae2bf510c061ffc90cc2bf365a3d52a5aef158cb187d60f9699f4bc5e71f1af0da5705c83bebff9b38686a45

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\datareporting\glean\pending_pings\c354c2ca-eaed-4a1b-ab24-d207fec93642
                    Filesize

                    671B

                    MD5

                    388bcb5a451f6569f689b195578b7559

                    SHA1

                    75216243ae219b02b701018effd156cf77f9db01

                    SHA256

                    14d7afbbea47a9d4f1f5d0123514209b33c89f3df15eeff0980e6ab558e04e10

                    SHA512

                    f6437739b9b3820cfcb383f7e81f48ef9aa6357fb84498502e82625c9821d9e7c88d1d5492f9606193c42aa20074e6c2002fe3df2b7a5bb28ac94d0f76c86083

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\prefs-1.js
                    Filesize

                    9KB

                    MD5

                    a4d95f8b5055cde53ce80b7bd30a4956

                    SHA1

                    9994642994749b065b0bae9d83ee9377f49caea8

                    SHA256

                    1e959d72fe7ca7eee52857cf8ab537bad4e3ac2a5dc551f1a184b1fffd798c1c

                    SHA512

                    e625ceb949c752c2508c42b2aead4c3e939c7ff08172312cac400e36337a6e00b2e48af4bcda3af861430661c44bd4291f0737298646a10f80c0e26e1aff8f9a

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\prefs.js
                    Filesize

                    9KB

                    MD5

                    e065d30fd013ae7cb69f51e0eebead88

                    SHA1

                    cc071252fb079a19db26567bd440f2a649dcaf48

                    SHA256

                    f1693b823bcc19851c190157c3ec244cc1574a58a908924e3522e0b8e8ece8e0

                    SHA512

                    df81f0d8d551890f05cab94db7da646fb908b3b02ec2a59ceb3d7e90571101afefd370da4b0df66e35fc004df2f985fa77f34dfa6d568b8b41d173ab2aaee8e8

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4pbd8fyu.default-release\prefs.js
                    Filesize

                    9KB

                    MD5

                    4219177bb1b39dc6b9f1f3b96f2d045d

                    SHA1

                    6a0e8862f091a6358e3eda7ceca91e78beda9cb9

                    SHA256

                    c6cf7bcb7f153f818824c34e311cb90d8a2c7e08c88cff3c2dfec2c89c49807b

                    SHA512

                    285d3f5bb1d826fc8c3a792d8d135b925a0d33b7d90b138a1e970be31444daafec1e601dc09e4fe0534f2fe7b5ef9abeb67385947d290ea4e96de46f9354aad8

                    Download Submit

                  • C:\Users\Admin\Downloads\sAX2VelI.skn.part
                    Filesize

                    49KB

                    MD5

                    7eb5480a8e3d41286271a59bc5bcf680

                    SHA1

                    8444a29d53766cc24afbbc0b57fdaee2732d6dee

                    SHA256

                    7dc694d2c868db731b196f4379e8dcd47b007f2a693b0ac2467133418360d6e3

                    SHA512

                    65f3d51e6923173446812c2b64aa2eaef931a88e8af99a120d7e8d59b9709b1e2bed0f9d47c7f450e1039d14bfa52edcf7eba426ff68ad144ee35d8a6f8b7943

                    Download Submit