DarkComet RAT

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

Type: RAT
Origin: France
First seen: 12 February, 2008
Last seen: 26 January, 2023
Also known as: Breut, Fynloski, klovbot
Global rank: 27
Week rank: 21
Month rank: 23
IOCs: 6663

What is DarkComet RAT?

DarkComet is a remote access trojan developed by Jean-Pierre Lesueur in 2008. According to him, the program was never intended for illegal use. It nevertheless gained notoriety in 2012 during the Syrian conflict, when the government used the RAT to spy on protesters and dismantle their network.

It is a standard remote control malware: the operator takes over the infected computer and gains access to its camera and microphone. DarkComet therefore serves as a tool to monitor victims' actions, take screenshots, log keystrokes, and steal credentials.

The malware has gone through several versions, and DarkComet 5.3.1 is still available in 2022.

Attackers rely on various social engineering techniques to make targets download and run the RAT. In some cases, DarkComet is also used to deliver other malicious programs to the infected machine, and the victim's machine may be enrolled in a botnet for tasks such as sending spam.

DarkComet malware analysis

ANY.RUN allows researchers to analyze DarkComet samples and monitor the malware's activity in real time using an interactive sandbox.

Figure 1: Process graph of DarkComet execution generated by ANY.RUN

DarkComet execution process

DarkComet follows a typical RAT execution flow.

The infected system connects back to the attacker's machine and grants full access: the infected host receives command packets and executes them, so the attacker can use any of the system's features.

The client communicates over TCP to the DarkComet port configured in the sample, on the selected IP address or domain. C&C traffic then proceeds under RC4-256 encryption.

The execution chain varies depending on the sample and version. In the simplest case, a single process performs all malicious activity on the infected system.

In other cases, the malware uses built-in system utilities for defense evasion or persistence. In this task, for example, it applies technique T1564.001 (Hidden Files and Directories): the malware launches attrib.exe through cmd.exe to set the hidden attribute on its main executable. It then injects malicious code into a system process, iexplore.exe, which carries out the main malicious activity afterward.
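As an added example (not ANY.RUN's detection logic or anything shipped with DarkComet), the following Python code detects the cmd.exe -> attrib.exe self-hiding step described above in Sysmon-style process-creation events: it parses the attrib command line and alerts only when the hidden file is the image of one of attrib.exe's own ancestor processes. The PIDs, paths and file names in the sample events are constructed.

```python
import shlex
from collections import namedtuple

# pid/ppid/image/cmdline: the Sysmon Event ID 1 fields this detection needs
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Constructed sample telemetry, not a real capture: a dropped executable hides itself
# through cmd.exe -> attrib.exe, then launches iexplore.exe; the last two events are a
# benign interactive shell hiding a folder and must not alert.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4100, 1000, r"C:\Users\victim\Downloads\invoice.exe", r'"C:\Users\victim\Downloads\invoice.exe"'),
    ProcEvent(4120, 4100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c attrib +h +s "C:\Users\victim\Downloads\invoice.exe"'),
    ProcEvent(4132, 4120, r"C:\Windows\System32\attrib.exe", r'attrib +h +s "C:\Users\victim\Downloads\invoice.exe"'),
    ProcEvent(4150, 4100, r"C:\Program Files\Internet Explorer\iexplore.exe", r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    ProcEvent(5200, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(5210, 5200, r"C:\Windows\System32\attrib.exe", r"attrib +h C:\Users\victim\Private"),
]

def parse_attrib(cmdline):
    """Return ({'+h', ...}, first_target_path) for an attrib command line, else None."""
    tokens = shlex.split(cmdline, posix=False)  # non-POSIX mode keeps Windows backslashes and quotes
    name = tokens[0].strip('"').lower() if tokens else ""
    if name != "attrib" and not name.endswith("attrib.exe"):
        return None
    flags = {t.lower() for t in tokens[1:] if t.startswith("+")}
    targets = [t.strip('"') for t in tokens[1:] if not t.startswith(("+", "-", "/"))]
    return flags, (targets[0] if targets else None)

def detect_self_hiding(events):
    """Flag T1564.001 when attrib.exe sets +h on a file whose path equals the image of one
    of attrib's own ancestor processes, i.e. the malware hiding its own executable."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("attrib.exe"):
            continue
        parsed = parse_attrib(e.cmdline)
        if parsed is None or "+h" not in parsed[0] or parsed[1] is None:
            continue
        flags, target = parsed
        ancestors, cur = [], by_pid.get(e.ppid)
        while cur is not None:  # walk the parent chain as far as the telemetry allows
            ancestors.append(cur.image.lower())
            cur = by_pid.get(cur.ppid)
        if target.lower() in ancestors:
            hits.append({"technique": "T1564.001", "attrib_pid": e.pid, "hidden_file": target, "flags": sorted(flags)})
    return hits
```

Calling `detect_self_hiding(SAMPLE_EVENTS)` yields one alert for PID 4132 and none for the benign folder-hiding shell.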

Distribution of DarkComet malware

To trick people into downloading and installing programs such as Quasar RAT, njRAT, and DarkComet, cybercriminals use:

  • other trojans
  • suspicious file or software download channels
  • fake software updates and/or unofficial activation tools
  • phishing

Emails may carry the malicious content in various formats, such as Microsoft Office documents, PDF documents, .exe files, ZIP and RAR archives, and JavaScript files.

Once a user is tricked into downloading and opening such a file, it installs the malware.

How to detect DarkComet using ANY.RUN?

Figure 2: DarkComet memory dump

ANY.RUN automatically creates a memory dump of the running process and matches it against YARA rules. Once DarkComet is detected, its configuration is extracted and made available to researchers for further analysis almost immediately.

In our example, the malware configuration was extracted just 10 seconds after the task was launched.

Conclusion

A DarkComet infection on a workstation can cause severe damage and should be removed immediately. For SOC analysts, the goal is to analyze the RAT infection as soon as possible, and the ANY.RUN sandbox makes that straightforward.

IOCs

