Overview

overview

10

Static

static

10

DarkComet-...er.zip

windows10-2004-x64

1

Resubmissions

27/02/2025, 10:31

250227-mkxjsavpz5 10

27/02/2025, 10:25

250227-mf9csavn19 10

Analysis

  • max time kernel
    78s
  • max time network
    80s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/02/2025, 10:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DarkComet-RAT-5.3.1-master.zip

  • Size

    14.6MB

  • MD5

    abef83a4ead4d18c354f98d7e72312f1

  • SHA1

    21e1ce0fa9013534af2a27c6d8fd0798e1028128

  • SHA256

    86ffdda11652f7e00c5fc21eb9f2e97cad4453b5e467501bb1207d3ebb7781ea

  • SHA512

    9145e554f98f8dc66435bd468b6cc064f1f1ea73aafabbb61ec9ed1cb4d6744f22e01f69ac3ed2fd2a3a0c4bb2a50ef658c1d9564f1eaee1848c7f5392742010

  • SSDEEP

    393216:JuSX8qh5hu/OYnJ8jEMA/DTdfsuc1RzGCxi:JdX8qh5oVnJ8j/wDTdEKCxi

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\DarkComet-RAT-5.3.1-master.zip
    1⤵
      PID:1536
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3264
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1084
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1460
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1404
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 27352 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e7b7907-0187-4a2d-b52f-c5ac9d855d5c} 1404 "\\.\pipe\gecko-crash-server-pipe.1404" gpu
            3⤵
              PID:4260
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 27230 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9339cc29-8d8c-476c-b581-fdb8c256146c} 1404 "\\.\pipe\gecko-crash-server-pipe.1404" socket
              3⤵
              • Checks processor information in registry
              PID:544
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2796 -childID 1 -isForBrowser -prefsHandle 3272 -prefMapHandle 3280 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04449e17-ab26-426f-a8a7-d1ca6a69c7d4} 1404 "\\.\pipe\gecko-crash-server-pipe.1404" tab
              3⤵
                PID:3228
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4252 -childID 2 -isForBrowser -prefsHandle 4184 -prefMapHandle 4244 -prefsLen 32604 -prefMapSize 244628 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5a6494b-0462-4366-b29e-8bb33085bf6a} 1404 "\\.\pipe\gecko-crash-server-pipe.1404" tab
                3⤵
                  PID:2856
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4804 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4852 -prefMapHandle 4848 -prefsLen 32604 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bd21543-d435-4bff-b44f-e2ec05278bc0} 1404 "\\.\pipe\gecko-crash-server-pipe.1404" utility
                  3⤵
                  • Checks processor information in registry
                  PID:3604
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5152 -childID 3 -isForBrowser -prefsHandle 5184 -prefMapHandle 4756 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bf36721-7f68-49f3-ad22-aa978cc973cb} 1404 "\\.\pipe\gecko-crash-server-pipe.1404" tab
                  3⤵
                    PID:1392
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 4 -isForBrowser -prefsHandle 5372 -prefMapHandle 5368 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {287fface-5a04-4172-9ae8-31d48f205aa9} 1404 "\\.\pipe\gecko-crash-server-pipe.1404" tab
                    3⤵
                      PID:5240
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5580 -childID 5 -isForBrowser -prefsHandle 5564 -prefMapHandle 5116 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f69dbbf8-fea6-431b-81be-851d24b47e26} 1404 "\\.\pipe\gecko-crash-server-pipe.1404" tab
                      3⤵
                        PID:1612

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    5KB

                    MD5

                    2788fffab7f76e6819c14bd4c30762e7

                    SHA1

                    ba2ab3eb3c011bd3e5d030c5d82f7bb2f59bc207

                    SHA256

                    bba713d4adc0928ead53872ba86fa5d008d5ced1fe9d68aab7cfc96d3d0d9851

                    SHA512

                    baeaaa77bf0fc475a2680f5707fdd171498004cd4b6a562ad7b134ec3ada7f177716929b0e1f2d69b96740fb1bd150a783665d120b4ce9327a9e36af70763c11

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    6KB

                    MD5

                    6b6054fd516263badacc1f222dfe3977

                    SHA1

                    cddddc727211e9210e8906e3804446a7e7f31fef

                    SHA256

                    41de566a5b94f4d6a171a878ebc5f6f81c141ead84cbb9ea4e5f3e4ab8426dd0

                    SHA512

                    21d90588ea6ae8aa49cf47c6d308b1204e7b46f39d9a3fadf14d62d820737773c79dbbe9fd67333b7e5a4a4745340aeab4af89d5187613bfb11b5f6e4a08dedd

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    6KB

                    MD5

                    b7dedfc931972f9c0f5e1d485dc0060b

                    SHA1

                    1d31d5c36fba5f4fd691e55b5400435976394d94

                    SHA256

                    bf26e07bcfe39d6a46a0656d326a30d91b0945753838b20d8709c81e39e03d73

                    SHA512

                    1be0a2c24a68e6dffb0a397cb18f212bf785f00849d443e8a6798c3f8fa1e2e605beb4ef02ef2b0563383fce3fe12cdcaeb5f5b357c02a84df7fecac0698efc3

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    6KB

                    MD5

                    e8e0495768a7b34034cd92a32b184b96

                    SHA1

                    7114e8ed20b76e4457b2d348a2da517de86dc4b0

                    SHA256

                    086505d9f27dbfe22bb819614e4c35cf2a8c76f4257c33a9081f895b343dd509

                    SHA512

                    e5a1f645f550f0d6ebcf6ba8fa646a09a122a59ad94d1bca6ec5125f3fffb841533585718d9407967f2398c221d6330925cfd5d26c1bc47d4277190ef021fc86

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\datareporting\glean\pending_pings\57334b79-f514-4f43-bf7f-cdd47f1f0a0b
                    Filesize

                    28KB

                    MD5

                    400beb2e1310027a43b80b9f0d33e174

                    SHA1

                    bab161a41c0d9e4da2046db1b9a924ba8a28277b

                    SHA256

                    9671f38bde978081de79c41732cefa37ffbccd20dee1cfb86b5967afa4449f06

                    SHA512

                    cfbef21460418786ca2d3fcc00721e9452c073c16dd2905a8ca1e96a6aec89b3c94fa64411fb564c167791f475d1cd1bf7aa799ae284fb1f878265152b19b339

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\datareporting\glean\pending_pings\701cc892-d864-47e3-b51e-784950252ab8
                    Filesize

                    10KB

                    MD5

                    4a33d25f781a3b7099e436e035d9890f

                    SHA1

                    9e0fd397d4cd8b1f33ddbef51ebeeaec2b49ec56

                    SHA256

                    3b9b1cacb83cc7afebd82e59d44fda9959e00d758f05ea0426e8e3ffdcb27b1c

                    SHA512

                    2c84010f68557001ee6584adf17ec832a5bcd1efc3e4304ec9a40bce17476f4bfa2ca58d50da08e36455c6e2f6ed65136baa38680858568ba8cda53b39d426d9

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\datareporting\glean\pending_pings\78a788ea-f2cc-4f94-a9e8-4a5efa96d837
                    Filesize

                    671B

                    MD5

                    a3c61d3f28015a0aa3e87055ae27ec88

                    SHA1

                    26ad56ec69a7980f930d56d26239d871e4cb7b2b

                    SHA256

                    21fd13ffe24ecf6a26a52e2b80b4841c96b7c693f4518fa6c2218627e0e94bbe

                    SHA512

                    9f791458ea1d809fe3d4ebf2c743aabbba2481c20df74cdd123d1f8fd56220fba4b404f6f921871a877670e0aeec00d2e6b178fa86b201d53ad4ca41cce6be4a

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\datareporting\glean\pending_pings\f113e1a4-40be-48d1-9489-944d64c80c30
                    Filesize

                    982B

                    MD5

                    bef1f497a1a6e7193bb3332e1a3d2bef

                    SHA1

                    522225a87fba2279d6cad99e108a28e2a37d3247

                    SHA256

                    229f6f4c64184b52d2e3f4a87530bd0eb17d91bed71cf13494158bd6e94ae354

                    SHA512

                    24c511cbe99c289ac2319fedabc43fcef9402e647e59fc10d8ef3b4ede5697738503553761dce3a661f80aed5c95e3fbb162cdbe4cc1d91c4be56ae52d4c0b5f

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\prefs-1.js
                    Filesize

                    9KB

                    MD5

                    fe4bcfb0ee262dfe988ba0677ae8621e

                    SHA1

                    64aceffed13a2387ee40c6114161c3fd3e4dda41

                    SHA256

                    60325e4c598a564fbd2c5fd787bb9f4d945dd1cb3ecdbd0504365013ebcf4deb

                    SHA512

                    e7d5b59fa0b0aef41232ef02ecc72e7c197b601f7f4931fd42cfb8b37d5d15882d13be20b589f6af962ac603db512b9b9fd35ebac6da9b06f33498b8fe5d87fe

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\prefs.js
                    Filesize

                    9KB

                    MD5

                    5d1a4edb8b7a42c36b27afe279bb3a59

                    SHA1

                    f5a4847edb11090a64aa3a32e2a5418f76a4b003

                    SHA256

                    b03af360505f649aee19c0e98f20fa10e55dc2e1f4995796f4187fccc4e2155c

                    SHA512

                    79b5ebbd4dde83dc2e2da37b70c9eeb35cd62d72bb4f7fbcf4ca416f4afe2543047d5ede2fde06829e5046961fe1faa124bbfeb4f710fee0bbefd71978d1287a

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\prefs.js
                    Filesize

                    9KB

                    MD5

                    f5861cdb13ceb92f23c1665c4cdf7521

                    SHA1

                    8b6fb9cf250f4b4d587bee349762d0d5a29673b8

                    SHA256

                    1113f57fa9598ec63b78f81ba091d16df91b7c52ca05a0679844dd9e391039df

                    SHA512

                    5733918f29e8dedae8ea22434170470e6d38e796dc9cb808b642dc52f59bd136934105d37c190fe8aef872abc0089cc04428280a5b7036952ec7732352e294d0

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lxy3zzzm.default-release\sessionCheckpoints.json
                    Filesize

                    228B

                    MD5

                    a0821bc1a142e3b5bca852e1090c9f2c

                    SHA1

                    e51beb8731e990129d965ddb60530d198c73825f

                    SHA256

                    db037b650f36ff45da5df59bc07b0c5948f9e9b7b148ead4454ab84cb04fd0e2

                    SHA512

                    997528e2ecd24a7e697d95cd1a2a7de46a3d80b37fd67fac4fb0da0db756b60a24648b7074255dc38f7651302f70894a53c3d789f3d7cd9f80fb91bd0cade4be

                    Download Submit