Edit tour

Windows Analysis Report
_____.exe

Overview

General Information

Sample name:	_____.exe
Analysis ID:	1580627
MD5:	b620f1561ef43fdc7132375a63dd3e8d
SHA1:	097594e519e510a5e7b69e2f8d367cc97c01c7e6
SHA256:	424e8d889288010e58a66fa8c9008c22cef78dced0e46b59ee417cc9e746c23f
Tags:	exeuser-zhuzhu0009
Infos:

Detection

DarkComet

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected DarkComet

AI detected suspicious sample

Installs a global keyboard hook

Machine Learning detection for sample

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

Enables driver privileges

Enables security privileges

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

_____.exe (PID: 6156 cmdline: "C:\Users\user\Desktop\_____.exe" MD5: B620F1561EF43FDC7132375A63DD3E8D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkComet	DarkComet is one of the most famous RATs, developed by Jean-Pierre Lesueur in 2008. After being used in the Syrian civil war in 2011, Lesuer decided to stop developing the trojan. Indeed, DarkComet is able to enable control over a compromised system through use of a simple graphic user interface. Experts think that this user friendliness is the key of its mass success.	APT33 Lazarus Group Operation C-Major	http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html https://any.run/cybersecurity-blog/darkcomet-rat-technical-analysis/ https://asec.ahnlab.com/wp-content/uploads/2021/11/Lazarus-%EA%B7%B8%EB%A3%B9%EC%9D%98-NukeSped-%EC%95%85%EC%84%B1%EC%BD%94%EB%93%9C-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C.pdf https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/ https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/	https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet

Malware Configuration

Threatname: DarkComet

{"MUTEX": "DC_MUTEX-5VE3E85", "SID": "Guest16", "FWB": "0", "NETDATA": ["king-hit.gl.at.ply.gg:25737"], "GENCODE": "rcJPlzKijYD9", "OFFLINEK": "1"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
_____.exe	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
_____.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
_____.exe	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
_____.exe	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0x82dbc:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x7d72d:$a2: is now open!\| 0x7d088:$a3: ActiveOnlineKeylogger 0x7d78c:$a4: #BOT#RunPrompt 0x7c834:$a5: GETMONITORS
_____.exe	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x7d8ac:$a1: #BOT#URLUpdate 0x7d7c5:$a2: Command successfully executed! 0x808:$b1: FastMM Borland Edition 0x2b34c:$b2: %s, ClassID: %s 0x72228:$b3: I wasn't able to open the hosts file 0x7d6b0:$b4: #BOT#VisitUrl 0x6c5c0:$b5: #KCMDDC
_____.exe	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x7d6c8:$bot1: #BOT#OpenUrl 0x7d744:$bot2: #BOT#Ping 0x7d78c:$bot3: #BOT#RunPrompt 0x7d84c:$bot4: #BOT#SvrUninstall 0x7d994:$bot5: #BOT#URLDownload 0x7d8ac:$bot6: #BOT#URLUpdate 0x7d6b0:$bot7: #BOT#VisitUrl 0x7d7f0:$bot8: #BOT#CloseServer 0x7da38:$ddos1: DDOSHTTPFLOOD 0x7da50:$ddos2: DDOSSYNFLOOD 0x7da68:$ddos3: DDOSUDPFLOOD 0x7d088:$keylogger1: ActiveOnlineKeylogger 0x7d0aa:$keylogger1: ActiveOnlineKeylogger 0x7d0a8:$keylogger2: UnActiveOnlineKeylogger 0x7d104:$keylogger3: ActiveOfflineKeylogger 0x7d126:$keylogger3: ActiveOfflineKeylogger 0x7d124:$keylogger4: UnActiveOfflineKeylogger 0x7dd30:$shell1: ACTIVEREMOTESHELL 0x7dd5c:$shell2: SUBMREMOTESHELL 0x7dd74:$shell3: KILLREMOTESHELL
_____.exe	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x7d8ac:$a1: #BOT#URLUpdate 0x7d7c5:$a2: Command successfully executed! 0x808:$b1: FastMM Borland Edition 0x2b34c:$b2: %s, ClassID: %s 0x72228:$b3: I wasn't able to open the hosts file 0x7d6b0:$b4: #BOT#VisitUrl 0x6c5c0:$b5: #KCMDDC
_____.exe	DarkComet_4	unknown	unknown	0x7d6b0:$a1: #BOT# 0x7d6c8:$a1: #BOT# 0x7d744:$a1: #BOT# 0x7d78c:$a1: #BOT# 0x7d7f0:$a1: #BOT# 0x7d84c:$a1: #BOT# 0x7d8ac:$a1: #BOT# 0x7d994:$a1: #BOT# 0x7ddcc:$a2: WEBCAMSTOP 0x7d168:$a3: UnActiveOnlineKeyStrokes 0x7d618:$a4: #SendTaskMgr 0x7dabc:$a5: #RemoteScreenSize 0x7c910:$a6: ping 127.0.0.1 -n 4 > NUL &&
_____.exe	MALWARE_Win_DarkComet	Detects DarkComet	ditekSHen	0x2b34c:$s1: %s, ClassID: %s 0x2b618:$s2: %s, ProgID: "%s" 0x6c5c0:$s3: #KCMDDC51# 0x7d6b0:$s4: #BOT#VisitUrl 0x7d6c8:$s5: #BOT#OpenUrl 0x7d744:$s6: #BOT#Ping 0x7d78c:$s7: #BOT#RunPrompt 0x7d7f0:$s8: #BOT#CloseServer 0x7d84c:$s9: #BOT#SvrUninstall 0x7d8ac:$s10: #BOT#URLUpdate 0x7d994:$s11: #BOT#URLDownload 0x7d710:$s12: BTRESULTOpen 0x7d758:$s12: BTRESULTPing\|Respond 0x7d7a4:$s12: BTRESULTRun 0x7d80c:$s12: BTRESULTClose 0x7d868:$s12: BTRESULTUninstall\|uninstall 0x7d934:$s12: BTRESULTUpdate 0x81884:$s12: BTRESULTUDP 0x81d28:$s12: BTRESULTSyn 0x82a54:$s12: BTRESULTVisit 0x82dbc:$s12: BTRESULTHTTP
Click to see the 4 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2031400989.000000000049D000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.3278626802.000000000238A000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x908:$c: DC_MUTEX- 0x9a8:$k2: #KCMDDC51#-890
00000000.00000002.3278626802.0000000002330000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0xe08:$a: #BEGIN DARKCOMET DATA -- 0xf88:$a: #BEGIN DARKCOMET DATA -- 0xea1:$b: #EOF DARKCOMET DATA -- 0xe29:$c: DC_MUTEX- 0xfa9:$c: DC_MUTEX-
00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0x829bc:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x7d32d:$a2: is now open!\| 0x7cc88:$a3: ActiveOnlineKeylogger 0x7d38c:$a4: #BOT#RunPrompt 0x7c434:$a5: GETMONITORS
00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x7d4ac:$a1: #BOT#URLUpdate 0x7d3c5:$a2: Command successfully executed! 0x408:$b1: FastMM Borland Edition 0x2af4c:$b2: %s, ClassID: %s 0x71e28:$b3: I wasn't able to open the hosts file 0x7d2b0:$b4: #BOT#VisitUrl 0x6c1c0:$b5: #KCMDDC
00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x7d2c8:$bot1: #BOT#OpenUrl 0x7d344:$bot2: #BOT#Ping 0x7d38c:$bot3: #BOT#RunPrompt 0x7d44c:$bot4: #BOT#SvrUninstall 0x7d594:$bot5: #BOT#URLDownload 0x7d4ac:$bot6: #BOT#URLUpdate 0x7d2b0:$bot7: #BOT#VisitUrl 0x7d3f0:$bot8: #BOT#CloseServer 0x7d638:$ddos1: DDOSHTTPFLOOD 0x7d650:$ddos2: DDOSSYNFLOOD 0x7d668:$ddos3: DDOSUDPFLOOD 0x7cc88:$keylogger1: ActiveOnlineKeylogger 0x7ccaa:$keylogger1: ActiveOnlineKeylogger 0x7cca8:$keylogger2: UnActiveOnlineKeylogger 0x7cd04:$keylogger3: ActiveOfflineKeylogger 0x7cd26:$keylogger3: ActiveOfflineKeylogger 0x7cd24:$keylogger4: UnActiveOfflineKeylogger 0x7d930:$shell1: ACTIVEREMOTESHELL 0x7d95c:$shell2: SUBMREMOTESHELL 0x7d974:$shell3: KILLREMOTESHELL
00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x7d4ac:$a1: #BOT#URLUpdate 0x7d3c5:$a2: Command successfully executed! 0x408:$b1: FastMM Borland Edition 0x2af4c:$b2: %s, ClassID: %s 0x71e28:$b3: I wasn't able to open the hosts file 0x7d2b0:$b4: #BOT#VisitUrl 0x6c1c0:$b5: #KCMDDC
00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp	DarkComet_4	unknown	unknown	0x7d2b0:$a1: #BOT# 0x7d2c8:$a1: #BOT# 0x7d344:$a1: #BOT# 0x7d38c:$a1: #BOT# 0x7d3f0:$a1: #BOT# 0x7d44c:$a1: #BOT# 0x7d4ac:$a1: #BOT# 0x7d594:$a1: #BOT# 0x7d9cc:$a2: WEBCAMSTOP 0x7cd68:$a3: UnActiveOnlineKeyStrokes 0x7d218:$a4: #SendTaskMgr 0x7d6bc:$a5: #RemoteScreenSize 0x7c510:$a6: ping 127.0.0.1 -n 4 > NUL &&
Process Memory Space: _____.exe PID: 6156	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: _____.exe PID: 6156	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
Process Memory Space: _____.exe PID: 6156	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0x21473:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x20805:$a2: is now open!\| 0x203ae:$a3: ActiveOnlineKeylogger 0x2087d:$a4: #BOT#RunPrompt 0x1ff4c:$a5: GETMONITORS
Process Memory Space: _____.exe PID: 6156	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x209eb:$a1: #BOT#URLUpdate 0x208a2:$a2: Command successfully executed! 0x208c4:$a2: Command successfully executed! 0x17296:$b1: FastMM Borland Edition 0x172af:$b1: FastMM Borland Edition 0x19843:$b2: %s, ClassID: %s 0x19853:$b2: %s, ClassID: %s 0x1f62a:$b3: I wasn't able to open the hosts file 0x1f682:$b3: I wasn't able to open the hosts file 0x207c6:$b4: #BOT#VisitUrl 0x1ec90:$b5: #KCMDDC 0x22938:$b5: #KCMDDC 0x22947:$b5: #KCMDDC
Process Memory Space: _____.exe PID: 6156	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x207d5:$bot1: #BOT#OpenUrl 0x20813:$bot2: #BOT#Ping 0x2081e:$bot2: #BOT#Ping 0x2087d:$bot3: #BOT#RunPrompt 0x20966:$bot4: #BOT#SvrUninstall 0x20b56:$bot5: #BOT#URLDownload 0x209eb:$bot6: #BOT#URLUpdate 0x207c6:$bot7: #BOT#VisitUrl 0x208e4:$bot8: #BOT#CloseServer 0x20bab:$ddos1: DDOSHTTPFLOOD 0x20bba:$ddos2: DDOSSYNFLOOD 0x20bc7:$ddos3: DDOSUDPFLOOD 0x203ae:$keylogger1: ActiveOnlineKeylogger 0x203c6:$keylogger1: ActiveOnlineKeylogger 0x203c4:$keylogger2: UnActiveOnlineKeylogger 0x203fc:$keylogger3: ActiveOfflineKeylogger 0x20415:$keylogger3: ActiveOfflineKeylogger 0x20413:$keylogger4: UnActiveOfflineKeylogger 0x20d59:$shell1: ACTIVEREMOTESHELL 0x20d72:$shell2: SUBMREMOTESHELL 0x20d82:$shell3: KILLREMOTESHELL
Process Memory Space: _____.exe PID: 6156	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x22555:$a: #BEGIN DARKCOMET DATA -- 0x225ee:$b: #EOF DARKCOMET DATA -- 0x22576:$c: DC_MUTEX- 0x228db:$c: DC_MUTEX- 0x228ec:$c: DC_MUTEX- 0x22938:$k2: #KCMDDC51#-890 0x22947:$k2: #KCMDDC51#-890
Process Memory Space: _____.exe PID: 6156	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x209eb:$a1: #BOT#URLUpdate 0x208a2:$a2: Command successfully executed! 0x208c4:$a2: Command successfully executed! 0x17296:$b1: FastMM Borland Edition 0x172af:$b1: FastMM Borland Edition 0x19843:$b2: %s, ClassID: %s 0x19853:$b2: %s, ClassID: %s 0x1f62a:$b3: I wasn't able to open the hosts file 0x1f682:$b3: I wasn't able to open the hosts file 0x207c6:$b4: #BOT#VisitUrl 0x1ec90:$b5: #KCMDDC 0x22938:$b5: #KCMDDC 0x22947:$b5: #KCMDDC
Process Memory Space: _____.exe PID: 6156	DarkComet_4	unknown	unknown	0x207c6:$a1: #BOT# 0x207d5:$a1: #BOT# 0x20813:$a1: #BOT# 0x2081e:$a1: #BOT# 0x2087d:$a1: #BOT# 0x208e4:$a1: #BOT# 0x20966:$a1: #BOT# 0x209eb:$a1: #BOT# 0x20b56:$a1: #BOT# 0x20db9:$a2: WEBCAMSTOP 0x20443:$a3: UnActiveOnlineKeyStrokes 0x2075d:$a4: #SendTaskMgr 0x20772:$a4: #SendTaskMgr 0x20bf7:$a5: #RemoteScreenSize 0x1ffb7:$a6: ping 127.0.0.1 -n 4 > NUL &&
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0._____.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.0._____.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0.0._____.exe.400000.0.unpack	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
0.0._____.exe.400000.0.unpack	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0x82dbc:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x7d72d:$a2: is now open!\| 0x7d088:$a3: ActiveOnlineKeylogger 0x7d78c:$a4: #BOT#RunPrompt 0x7c834:$a5: GETMONITORS
0.0._____.exe.400000.0.unpack	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x7d8ac:$a1: #BOT#URLUpdate 0x7d7c5:$a2: Command successfully executed! 0x808:$b1: FastMM Borland Edition 0x2b34c:$b2: %s, ClassID: %s 0x72228:$b3: I wasn't able to open the hosts file 0x7d6b0:$b4: #BOT#VisitUrl 0x6c5c0:$b5: #KCMDDC
0.0._____.exe.400000.0.unpack	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x7d6c8:$bot1: #BOT#OpenUrl 0x7d744:$bot2: #BOT#Ping 0x7d78c:$bot3: #BOT#RunPrompt 0x7d84c:$bot4: #BOT#SvrUninstall 0x7d994:$bot5: #BOT#URLDownload 0x7d8ac:$bot6: #BOT#URLUpdate 0x7d6b0:$bot7: #BOT#VisitUrl 0x7d7f0:$bot8: #BOT#CloseServer 0x7da38:$ddos1: DDOSHTTPFLOOD 0x7da50:$ddos2: DDOSSYNFLOOD 0x7da68:$ddos3: DDOSUDPFLOOD 0x7d088:$keylogger1: ActiveOnlineKeylogger 0x7d0aa:$keylogger1: ActiveOnlineKeylogger 0x7d0a8:$keylogger2: UnActiveOnlineKeylogger 0x7d104:$keylogger3: ActiveOfflineKeylogger 0x7d126:$keylogger3: ActiveOfflineKeylogger 0x7d124:$keylogger4: UnActiveOfflineKeylogger 0x7dd30:$shell1: ACTIVEREMOTESHELL 0x7dd5c:$shell2: SUBMREMOTESHELL 0x7dd74:$shell3: KILLREMOTESHELL
0.0._____.exe.400000.0.unpack	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x7d8ac:$a1: #BOT#URLUpdate 0x7d7c5:$a2: Command successfully executed! 0x808:$b1: FastMM Borland Edition 0x2b34c:$b2: %s, ClassID: %s 0x72228:$b3: I wasn't able to open the hosts file 0x7d6b0:$b4: #BOT#VisitUrl 0x6c5c0:$b5: #KCMDDC
0.0._____.exe.400000.0.unpack	DarkComet_4	unknown	unknown	0x7d6b0:$a1: #BOT# 0x7d6c8:$a1: #BOT# 0x7d744:$a1: #BOT# 0x7d78c:$a1: #BOT# 0x7d7f0:$a1: #BOT# 0x7d84c:$a1: #BOT# 0x7d8ac:$a1: #BOT# 0x7d994:$a1: #BOT# 0x7ddcc:$a2: WEBCAMSTOP 0x7d168:$a3: UnActiveOnlineKeyStrokes 0x7d618:$a4: #SendTaskMgr 0x7dabc:$a5: #RemoteScreenSize 0x7c910:$a6: ping 127.0.0.1 -n 4 > NUL &&
0.0._____.exe.400000.0.unpack	MALWARE_Win_DarkComet	Detects DarkComet	ditekSHen	0x2b34c:$s1: %s, ClassID: %s 0x2b618:$s2: %s, ProgID: "%s" 0x6c5c0:$s3: #KCMDDC51# 0x7d6b0:$s4: #BOT#VisitUrl 0x7d6c8:$s5: #BOT#OpenUrl 0x7d744:$s6: #BOT#Ping 0x7d78c:$s7: #BOT#RunPrompt 0x7d7f0:$s8: #BOT#CloseServer 0x7d84c:$s9: #BOT#SvrUninstall 0x7d8ac:$s10: #BOT#URLUpdate 0x7d994:$s11: #BOT#URLDownload 0x7d710:$s12: BTRESULTOpen 0x7d758:$s12: BTRESULTPing\|Respond 0x7d7a4:$s12: BTRESULTRun 0x7d80c:$s12: BTRESULTClose 0x7d868:$s12: BTRESULTUninstall\|uninstall 0x7d934:$s12: BTRESULTUpdate 0x81884:$s12: BTRESULTUDP 0x81d28:$s12: BTRESULTSyn 0x82a54:$s12: BTRESULTVisit 0x82dbc:$s12: BTRESULTHTTP
Click to see the 4 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: _____.exe

Avira: detected

Found malware configuration

Source: _____.exe

Malware Configuration Extractor: DarkComet {"MUTEX": "DC_MUTEX-5VE3E85", "SID": "Guest16", "FWB": "0", "NETDATA": ["king-hit.gl.at.ply.gg:25737"], "GENCODE": "rcJPlzKijYD9", "OFFLINEK": "1"}

Multi AV Scanner detection for submitted file

Source: _____.exe

Virustotal: Detection: 93%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: _____.exe

Joe Sandbox ML: detected

Source: _____.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 147.185.221.23:25737

Source: Joe Sandbox View

IP Address: 147.185.221.23 147.185.221.23

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: king-hit.gl.at.ply.gg

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\_____.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\_____.exe

Jump to behavior

Source: Yara match	File source: _____.exe, type: SAMPLE
Source: Yara match	File source: 0.0._____.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2031400989.000000000049D000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: _____.exe PID: 6156, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: _____.exe, type: SAMPLE	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: _____.exe, type: SAMPLE	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: _____.exe, type: SAMPLE	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: _____.exe, type: SAMPLE	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: _____.exe, type: SAMPLE	Matched rule: DarkComet_4 Author: unknown
Source: _____.exe, type: SAMPLE	Matched rule: Detects DarkComet Author: ditekSHen
Source: 0.0._____.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: 0.0._____.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0._____.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 0.0._____.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0._____.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_4 Author: unknown
Source: 0.0._____.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet Author: ditekSHen
Source: 00000000.00000002.3278626802.000000000238A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000000.00000002.3278626802.0000000002330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: 00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: DarkComet_4 Author: unknown
Source: Process Memory Space: _____.exe PID: 6156, type: MEMORYSTR	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: Process Memory Space: _____.exe PID: 6156, type: MEMORYSTR	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: _____.exe PID: 6156, type: MEMORYSTR	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: Process Memory Space: _____.exe PID: 6156, type: MEMORYSTR	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: _____.exe PID: 6156, type: MEMORYSTR	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: _____.exe PID: 6156, type: MEMORYSTR	Matched rule: DarkComet_4 Author: unknown

Yara detected DarkComet

Source: Yara match	File source: _____.exe, type: SAMPLE
Source: Yara match	File source: 0.0._____.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: _____.exe PID: 6156, type: MEMORYSTR

Source: C:\Users\user\Desktop\_____.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Users\user\Desktop\_____.exe

Process token adjusted: Security

Jump to behavior

Source: _____.exe, 00000000.00000000.2031442843.00000000004A4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMSRSAAP.EXEV vs _____.exe
Source: _____.exe	Binary or memory string: OriginalFilenameMSRSAAP.EXEV vs _____.exe

Source: _____.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: _____.exe, type: SAMPLE	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: _____.exe, type: SAMPLE	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: _____.exe, type: SAMPLE	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: _____.exe, type: SAMPLE	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: _____.exe, type: SAMPLE	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: _____.exe, type: SAMPLE	Matched rule: MALWARE_Win_DarkComet author = ditekSHen, description = Detects DarkComet
Source: 0.0._____.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: 0.0._____.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 0.0._____.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 0.0._____.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 0.0._____.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 0.0._____.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DarkComet author = ditekSHen, description = Detects DarkComet
Source: 00000000.00000002.3278626802.000000000238A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000000.00000002.3278626802.0000000002330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: 00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: Process Memory Space: _____.exe PID: 6156, type: MEMORYSTR	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: Process Memory Space: _____.exe PID: 6156, type: MEMORYSTR	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: _____.exe PID: 6156, type: MEMORYSTR	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: Process Memory Space: _____.exe PID: 6156, type: MEMORYSTR	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: _____.exe PID: 6156, type: MEMORYSTR	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: _____.exe PID: 6156, type: MEMORYSTR	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara

Source: classification engine

Classification label: mal92.troj.spyw.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\_____.exe

File created: C:\Users\user\AppData\Roaming\dclogs

Jump to behavior

Source: C:\Users\user\Desktop\_____.exe

Mutant created: \Sessions\1\BaseNamedObjects\DC_MUTEX-5VE3E85

Source: Yara match	File source: _____.exe, type: SAMPLE
Source: Yara match	File source: 0.0._____.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\_____.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\Desktop\_____.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\_____.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: _____.exe

Virustotal: Detection: 93%

Source: C:\Users\user\Desktop\_____.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\_____.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\_____.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\_____.exe	Code function: 0_2_02AFD3A6 push eax; retn 0057h	0_2_02AFD3B5
Source: C:\Users\user\Desktop\_____.exe	Code function: 0_2_02AFD3BC push eax; retn 0057h	0_2_02AFD3BD
Source: C:\Users\user\Desktop\_____.exe	Code function: 0_2_02AFCFB8 pushad ; iretd	0_2_02AFCFC9
Source: C:\Users\user\Desktop\_____.exe	Code function: 0_2_02AFE314 push eax; retn 0057h	0_2_02AFE315
Source: C:\Users\user\Desktop\_____.exe	Code function: 0_2_02AFD2E0 push eax; retn 0057h	0_2_02AFD2E1
Source: C:\Users\user\Desktop\_____.exe	Code function: 0_2_02AFD3CC push eax; retn 0057h	0_2_02AFD3CD
Source: C:\Users\user\Desktop\_____.exe	Code function: 0_2_02AFD2D8 push eax; retn 0057h	0_2_02AFD2D9

Source: _____.exe, 00000000.00000002.3278527921.000000000053E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: _____.exe, 00000000.00000002.3278527921.000000000053E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\_____.exe

Process token adjusted: Debug

Jump to behavior

Source: _____.exe	Binary or memory string: Shell_traywndTrayNotifyWndTrayClockWClassjh<
Source: _____.exe, 00000000.00000002.3278626802.000000000238A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: _____.exe	Binary or memory string: Shell_TrayWnd
Source: _____.exe	Binary or memory string: Progman
Source: _____.exe	Binary or memory string: Shell_TrayWndjjh
Source: _____.exe	Binary or memory string: Progmanjhh
Source: _____.exe	Binary or memory string: Shell_traywndTrayNotifyWndjh
Source: _____.exe	Binary or memory string: ProgmanU
Source: _____.exe, 00000000.00000002.3278626802.000000000238A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager`
Source: _____.exe	Binary or memory string: Shell_traywndTrayNotifyWndTrayClockWClassjh
Source: _____.exe	Binary or memory string: ButtonShell_TrayWndj
Source: _____.exe	Binary or memory string: Shell_traywndReBarWindow32jh
Source: _____.exe	Binary or memory string: Shell_traywndReBarWindow32jhD
Source: _____.exe	Binary or memory string: Shell_traywnd
Source: _____.exe	Binary or memory string: Shell_TrayWndPjjh

Source: C:\Users\user\Desktop\_____.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 LSASS Driver	1 Process Injection	1 Masquerading	11 Input Capture	1 Security Software Discovery	Remote Services	11 Input Capture	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 LSASS Driver	1 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
_____.exe	93%	Virustotal		Browse
_____.exe	100%	Avira	BDS/DarkKomet.GS
_____.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
king-hit.gl.at.ply.gg	147.185.221.23	true	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.23	king-hit.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580627
Start date and time:	2024-12-25 13:14:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	_____.exe
Detection:	MAL
Classification:	mal92.troj.spyw.winEXE@1/0@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target _____.exe, PID 6156 because there are no executed function
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.23	WO.exe	Get hash	malicious	Metasploit	Browse
	reddit.exe	Get hash	malicious	Metasploit	Browse
	dr2YKJiGH9.exe	Get hash	malicious	XWorm	Browse
	jSm8N1jXbk.exe	Get hash	malicious	S400 RAT	Browse
	enigma_loader.exe	Get hash	malicious	XWorm	Browse
	exe006.exe	Get hash	malicious	SheetRat	Browse
	yF21ypxRB7.exe	Get hash	malicious	XWorm	Browse
	9GlCWW6bXc.exe	Get hash	malicious	XWorm	Browse
	fiPZoO6xvJ.exe	Get hash	malicious	XWorm	Browse
	EternalPredictor.exe	Get hash	malicious	Blank Grabber, Skuld Stealer, XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	test.exe	Get hash	malicious	DarkComet	Browse	147.185.221.24
	L363rVr7oL.exe	Get hash	malicious	Njrat	Browse	147.185.221.24
	WO.exe	Get hash	malicious	Metasploit	Browse	147.185.221.23
	reddit.exe	Get hash	malicious	Metasploit	Browse	147.185.221.23
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	147.176.119.110
	horrify's Modx Menu v1.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	fvbhdyuJYi.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	8DiSW8IPEF.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	twE44mm07j.exe	Get hash	malicious	XWorm	Browse	147.185.221.18
	YgJ5inWPQO.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	147.185.221.18

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.616970366410712
TrID:	Win32 Executable (generic) a (10002005/4) 99.81% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	_____.exe
File size:	673'792 bytes
MD5:	b620f1561ef43fdc7132375a63dd3e8d
SHA1:	097594e519e510a5e7b69e2f8d367cc97c01c7e6
SHA256:	424e8d889288010e58a66fa8c9008c22cef78dced0e46b59ee417cc9e746c23f
SHA512:	186e292d6b142660930f93522ab37f70b3aefd3d8c594141de2912ddba4208b390d4e69da3478f8a470e546fc9cdeca3551971affb96a855eb382d40c0f0401f
SSDEEP:	12288:C9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h1:uZ1xuVVjfFoynPaVBUR8f+kN10EBX
TLSH:	0EE48E31F1808837D97219789C5F92E6982A7E202E39754B3AE62F4C5F3D6C239193D7
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x48f888
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x4FD0CFF9 [Thu Jun 7 15:59:53 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e5b4359a3773764a372173074ae9b6bd

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov ecx, 00000030h
push 00000000h
push 00000000h
dec ecx
jne 00007F44E153E78Bh
push ecx
push ebx
push esi
push edi
mov eax, 0048E3E0h
call 00007F44E14B65C4h
xor eax, eax
push ebp
push 00490656h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00000000h
call 00007F44E14BEEBFh
mov eax, dword ptr [004948B0h]
mov byte ptr [eax], 00000001h
call 00007F44E1539EB6h
mov dl, 01h
mov eax, dword ptr [0048DE80h]
call 00007F44E153CDAEh
mov dword ptr [0049C3E8h], eax
xor edx, edx
push ebp
push 0048FA09h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
lea ecx, dword ptr [ebp-14h]
mov edx, 00490670h
mov eax, dword ptr [0049C3E8h]
call 00007F44E153CDFDh
mov edx, dword ptr [ebp-14h]
mov eax, dword ptr [00494B38h]
call 00007F44E14B4414h
lea edx, dword ptr [ebp-20h]
xor eax, eax
call 00007F44E14BE0BAh
mov eax, dword ptr [ebp-20h]
lea edx, dword ptr [ebp-1Ch]
call 00007F44E14B941Bh
push dword ptr [ebp-1Ch]
lea edx, dword ptr [ebp-24h]
mov eax, 00490680h
call 00007F44E1522453h
push dword ptr [ebp-24h]
push 00490690h
lea eax, dword ptr [ebp-18h]
mov edx, 00000003h
call 00007F44E14B4736h
mov eax, dword ptr [ebp-18h]
call 00007F44E14B90BAh
test al, al
je 00007F44E153E838h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9d000	0x4140	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xad000	0x4188	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa4000	0x8adc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa3000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9dca4	0x9e8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8d8f0	0x8da00	8067456c5dc713997e61924c501c8cb2	False	0.514571726059135	data	6.553417346138988	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x8f000	0x1954	0x1a00	3f63b5c2974302201afb8afa01b8ac10	False	0.5345552884615384	data	5.953748187744434	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x91000	0x3d3c	0x3e00	81fa247370ecc3476b5c17086c0f2024	False	0.42357610887096775	data	4.834870765212306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x95000	0x7404	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x9d000	0x4140	0x4200	cd30ca2b6ff5111155dec94ee29ec186	False	0.3171756628787879	data	5.268136117677001	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xa2000	0x38	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xa3000	0x18	0x200	c1788dfeb92bbf0cff5aeaeaf1270ff8	False	0.05078125	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "J"	0.2108262677871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa4000	0x8adc	0x8c00	e55564594dad16a2ca19fb85903b9300	False	0.6743024553571428	data	6.725005245595376	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xad000	0x4188	0x4200	f1e0ba01d3bce7333b73bde2aa0327fb	False	0.3484256628787879	data	4.233015672100186	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0xad6bc	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0xad7f0	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0xad924	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0xada58	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0xadb8c	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0xadcc0	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0xaddf4	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_STRING	0xadf28	0x20c	data			0.42366412213740456
RT_STRING	0xae134	0x3fc	data			0.4
RT_STRING	0xae530	0xa8	data			0.7202380952380952
RT_STRING	0xae5d8	0x140	data			0.584375
RT_STRING	0xae718	0x478	data			0.38636363636363635
RT_STRING	0xaeb90	0x330	data			0.41421568627450983
RT_STRING	0xaeec0	0x36c	data			0.3687214611872146
RT_STRING	0xaf22c	0x3f0	data			0.3898809523809524
RT_STRING	0xaf61c	0xcc	data			0.5392156862745098
RT_STRING	0xaf6e8	0xb0	data			0.6534090909090909
RT_STRING	0xaf798	0x2ac	data			0.4766081871345029
RT_STRING	0xafa44	0x3b8	data			0.32668067226890757
RT_STRING	0xafdfc	0x354	data			0.3884976525821596
RT_STRING	0xb0150	0x2f0	data			0.3829787234042553
RT_RCDATA	0xb0440	0x15e	ASCII text, with very long lines (350), with no line terminators			0.5914285714285714
RT_RCDATA	0xb05a0	0x10	data			1.5
RT_RCDATA	0xb05b0	0x7f4	data			0.6360510805500982
RT_GROUP_CURSOR	0xb0da4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0xb0db8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0xb0dcc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xb0de0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xb0df4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xb0e08	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xb0e1c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_VERSION	0xb0e30	0x358	data	French	France	0.42406542056074764

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringA, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, mouse_event, keybd_event, WindowFromPoint, WaitMessage, VkKeyScanA, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, ToAscii, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LockWorkStation, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsClipboardFormatAvailable, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextLengthA, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMessageA, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastInputInfo, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowExA, FindWindowA, FillRect, ExitWindowsEx, EqualRect, EnumWindows, EnumThreadWindows, EnumDisplayDevicesA, EnumClipboardFormats, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutA, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrcpyA, WriteProcessMemory, WriteFile, WinExec, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQuery, VirtualProtectEx, VirtualProtect, VirtualFreeEx, VirtualFree, VirtualAllocEx, VirtualAlloc, VerLanguageNameA, UnmapViewOfFile, TerminateProcess, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetThreadContext, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadProcessMemory, ReadFile, PeekNamedPipe, OpenProcess, MultiByteToWideChar, MulDiv, MoveFileA, MapViewOfFile, LockResource, LocalFileTimeToFileTime, LocalAlloc, LoadResource, LoadLibraryA, LeaveCriticalSection, IsBadReadPtr, InitializeCriticalSection, HeapFree, HeapAlloc, GlobalUnlock, GlobalMemoryStatus, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetWindowsDirectoryA, GetVolumeInformationA, GetVersionExA, GetVersion, GetUserDefaultLangID, GetTickCount, GetThreadLocale, GetThreadContext, GetTempPathA, GetSystemPowerStatus, GetSystemDirectoryA, GetStdHandle, GetProcessHeap, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileTime, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableA, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitThread, ExitProcess, EnumResourceNamesA, EnumCalendarInfoA, EnterCriticalSection, DosDateTimeToFileTime, DeleteFileA, DeleteCriticalSection, CreateThread, CreateRemoteThread, CreateProcessA, CreatePipe, CreateMutexA, CreateFileMappingA, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CloseHandle, Beep
advapi32.dll	RegSetValueExA, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegOpenKeyA, RegFlushKey, RegEnumValueA, RegEnumKeyExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegCreateKeyA, RegCloseKey, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueA, LookupPrivilegeNameA, LookupPrivilegeDisplayNameA, LookupAccountSidA, IsValidSid, GetUserNameA, GetTokenInformation, GetSidSubAuthorityCount, GetSidSubAuthority, GetSidIdentifierAuthority, GetCurrentHwProfileA, AdjustTokenPrivileges
wsock32.dll	__WSAFDIsSet, WSACleanup, WSAStartup, WSAGetLastError, gethostname, getservbyname, gethostbyname, gethostbyaddr, socket, shutdown, sendto, send, select, recv, ntohs, listen, ioctlsocket, inet_ntoa, inet_addr, htons, getsockname, connect, closesocket, bind, accept
kernel32.dll	Sleep
ole32.dll	CoTaskMemFree, StringFromCLSID
shell32.dll	ShellExecuteExA, ShellExecuteA, SHGetFileInfoA, SHFileOperationA, DragQueryFileA
oleaut32.dll	GetErrorInfo, GetActiveObject, SysFreeString
ole32.dll	CoTaskMemFree, CLSIDFromProgID, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
URLMON.DLL	URLDownloadToFileA
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
wininet.dll	InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetConnectA, InternetCloseHandle, HttpQueryInfoA, FtpPutFileA
shell32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA
winmm.dll	waveInUnprepareHeader, waveInStart, waveInReset, waveInPrepareHeader, waveInOpen, waveInClose, waveInAddBuffer, PlaySoundA, mciSendStringA
netapi32.dll	Netbios
gdiplus.dll	GdipGetImageEncoders, GdipGetImageEncodersSize, GdipDrawImageRectI, GdipSetInterpolationMode, GdipDeleteGraphics, GdipCreateBitmapFromHBITMAP, GdipCreateBitmapFromScan0, GdipGetImagePixelFormat, GdipGetImageGraphicsContext, GdipSaveImageToStream, GdipDisposeImage, GdiplusShutdown, GdiplusStartup, GdipFree, GdipAlloc
advapi32.dll	StartServiceA, QueryServiceStatus, OpenServiceA, OpenSCManagerA, EnumServicesStatusA, DeleteService, CreateServiceA, ControlService, CloseServiceHandle
msacm32.dll	acmStreamUnprepareHeader, acmStreamPrepareHeader, acmStreamConvert, acmStreamReset, acmStreamSize, acmStreamClose, acmStreamOpen
ntdll.dll	NtQuerySystemInformation
netapi32.dll	NetApiBufferFree, NetShareGetInfo, NetShareEnum
WS2_32.DLL	WSAIoctl
SHFolder.dll	SHGetFolderPathA
ntdll	NtUnmapViewOfSection
user32.dll	EnumDisplayMonitors, GetMonitorInfoA
SHELL32.DLL	SHEmptyRecycleBinA
AVICAP32.DLL	capGetDriverDescriptionA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
French	France

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 25, 2024 13:14:58.571346045 CET	49704	25737	192.168.2.5	147.185.221.23
Dec 25, 2024 13:14:58.691056013 CET	25737	49704	147.185.221.23	192.168.2.5
Dec 25, 2024 13:14:58.691185951 CET	49704	25737	192.168.2.5	147.185.221.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 25, 2024 13:14:58.326690912 CET	62199	53	192.168.2.5	1.1.1.1
Dec 25, 2024 13:14:58.568438053 CET	53	62199	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 25, 2024 13:14:58.326690912 CET	192.168.2.5	1.1.1.1	0xbfae	Standard query (0)	king-hit.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 25, 2024 13:14:58.568438053 CET	1.1.1.1	192.168.2.5	0xbfae	No error (0)	king-hit.gl.at.ply.gg		147.185.221.23	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	07:14:56
Start date:	25/12/2024
Path:	C:\Users\user\Desktop\_____.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\_____.exe"
Imagebase:	0x400000
File size:	673'792 bytes
MD5 hash:	B620F1561EF43FDC7132375A63DD3E8D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.2031400989.000000000049D000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: DarkComet_2, Description: DarkComet, Source: 00000000.00000002.3278626802.000000000238A000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: DarkComet_2, Description: DarkComet, Source: 00000000.00000002.3278626802.0000000002330000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DarkCometRat, Description: Yara detected DarkComet, Source: 00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Darkcomet_1df27bcc, Description: unknown, Source: 00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: DarkComet_1, Description: DarkComet RAT, Source: 00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: botherder https://github.com/botherder Rule: DarkComet_3, Description: unknown, Source: 00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: DarkComet_4, Description: unknown, Source: 00000000.00000000.2031337687.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report _____.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DarkComet

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
_____.exe