Global rank: 28 | Month rank: 29 | Week rank: 28 | IOCs: 694

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

Type: RAT
Origin: France
First seen: 12 February, 2008
Last seen: 2 December, 2023
Also known as: Breut, Fynloski, klovbot

How to analyze DarkComet RAT with ANY.RUN


IOCs

IP addresses
193.161.193.99
45.74.4.244
78.163.16.186
193.149.180.137
176.108.108.71
75.4.61.28
223.244.83.13
140.82.13.202
46.2.15.197
151.236.21.83
185.60.133.214
80.85.154.180
80.85.156.184
40.76.20.9
88.169.146.156
79.143.38.55
78.190.191.194
45.32.255.220
109.61.248.34
37.1.217.131
Hashes

Domains
7.tcp.eu.ngrok.io
6.tcp.eu.ngrok.io
0.tcp.eu.ngrok.io
2.tcp.eu.ngrok.io
5.tcp.eu.ngrok.io
4.tcp.eu.ngrok.io
4.tcp.ngrok.io
myhackth.myftp.org
6.tcp.ngrok.io
dgorijan20785.hopto.org
b7r.duckdns.org
212.ip.ply.gg
positive-be.at.playit.gg
whatis79.ddns.net
chrisle79.ddns.net
bonding79.ddns.net
goodgt79.ddns.net
smath79.ddns.net
jacknop79.ddns.net
dartkom22.ddns.net
URLs
tcp://6.tcp.eu.ngrok.io:11380/
http://glaucogeraint.pagekite.me/favicon.ico
http://glaucogeraint.pagekite.me/


What is DarkComet RAT?

DarkComet is a remote access trojan developed by Jean-Pierre Lesueur in 2008. According to its author, the program was never intended for illegal use, but it went viral in 2012 after the Syrian incident, in which the government used the RAT to spy on protesters and destroy their network.

It is a standard remote-control malware: the attacker takes control of the infected computer and gains access to its camera and microphone. DarkComet therefore serves as a tool to monitor victims' actions, take screenshots, log keystrokes, and steal credentials.

The malware has had several versions, and DarkComet 5.3.1 is still available in 2022.

Crooks try to make targets download and run the RAT using various social engineering techniques. In some cases, attackers use DarkComet to deliver other malicious programs to the infected machine, and they may enlist the victim machine in a botnet scheme, for example to send spam.

DarkComet malware analysis

ANY.RUN allows researchers to analyze DarkComet samples and monitor the malware's activity in real time using an interactive sandbox.

Figure 1: Process graph of DarkComet execution generated by ANY.RUN

DarkComet Execution process

DarkComet follows a typical RAT execution flow.

The infected system connects to the attacker's machine and gives the attacker full access. The operator can use all of the system's features: the infected machine is ready to receive packets and execute the commands it is sent.

The client communicates over TCP to the DarkComet port configured in the sample, on the selected IP address or domain. C&C traffic then begins, encrypted with RC4-256.

The execution process varies depending on the sample and version. In the simplest case, a single process performs all activity on the infected system.

In some cases, the malware uses system utilities for defense evasion or persistence. For example, in this task it uses technique T1564.001 (Hidden Files and Directories): the malware starts attrib.exe through cmd.exe to hide the main executable. A system process, iexplore.exe, was then injected with malicious code and carried out the main malicious activity afterward.
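The two behaviours named in the process chain above (attrib.exe launched through cmd.exe to hide the dropped binary, and a write into a system process) are a good detection pair. The script below is an added example, not ANY.RUN's code: it runs two heuristics over process telemetry and scores the attrib.exe case higher when the grandparent process is the very file being hidden. The event records and the path `C:\Users\bob\AppData\Roaming\invoice.exe` are constructed sample data modelled loosely on Sysmon-style fields.

```python
"""Flag the DarkComet defense-evasion chain in process telemetry.

Two behaviours are checked: cmd.exe spawning attrib.exe to hide the dropped
executable (T1564.001), and the dropped executable writing code into a system
process such as iexplore.exe. SAMPLE_EVENTS is constructed sample data that
loosely follows Sysmon-style fields; it is not ANY.RUN output.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str           # basename of the executable producing the event
    cmdline: str         # full command line (empty for "inject" events)
    event: str           # "create" = process start, "inject" = remote code write
    target: str = ""     # for "inject": image of the process written into


DROPPED = r"C:\Users\bob\AppData\Roaming\invoice.exe"   # constructed path
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe", "create"),
    ProcEvent(200, 100, "invoice.exe", DROPPED, "create"),
    ProcEvent(300, 200, "cmd.exe", f'cmd.exe /c attrib +h +s "{DROPPED}"', "create"),
    ProcEvent(400, 300, "attrib.exe", f'attrib +h +s "{DROPPED}"', "create"),
    ProcEvent(200, 100, "invoice.exe", "", "inject", target="iexplore.exe"),
    # Benign noise: a user hiding a folder from an interactive shell.
    ProcEvent(500, 100, "cmd.exe", "cmd.exe", "create"),
    ProcEvent(600, 500, "attrib.exe", r"attrib +h C:\Users\bob\notes", "create"),
]

HIDE_RE = re.compile(r"\battrib(?:\.exe)?\b.*\+[hs]", re.IGNORECASE)
TARGET_RE = re.compile(r'"([^"]+)"\s*$|(\S+)\s*$')     # last (possibly quoted) argument
EXEC_EXT = (".exe", ".dll", ".scr", ".com")
INJECT_TARGETS = {"iexplore.exe", "explorer.exe", "svchost.exe"}


def detect_self_hiding(events):
    """attrib.exe setting +h/+s on an executable file. Severity is high when the
    grandparent process *is* the file being hidden (the binary hides itself)."""
    procs = {e.pid: e for e in events if e.event == "create"}
    alerts = []
    for e in events:
        if e.event != "create" or e.image.lower() != "attrib.exe":
            continue
        if not HIDE_RE.search(e.cmdline):
            continue
        m = TARGET_RE.search(e.cmdline)
        target = (m.group(1) or m.group(2)) if m else ""
        if not target.lower().endswith(EXEC_EXT):
            continue                       # hiding a folder or document: ignore
        parent = procs.get(e.ppid)
        grand = procs.get(parent.ppid) if parent else None
        self_hiding = grand is not None and grand.cmdline.strip('"').lower() == target.lower()
        alerts.append({
            "rule": "T1564.001_hidden_executable",
            "severity": "high" if self_hiding else "medium",
            "chain": " -> ".join(p.image for p in (grand, parent, e) if p),
            "target": target,
        })
    return alerts


def detect_injection(events):
    """Any process writing code into a commonly abused host process."""
    return [
        {"rule": "injection_into_system_process", "severity": "high",
         "source": e.image, "target": e.target, "pid": e.pid}
        for e in events
        if e.event == "inject" and e.target.lower() in INJECT_TARGETS
    ]


def scan(events):
    """Run both heuristics and return the combined alert list."""
    return detect_self_hiding(events) + detect_injection(events)


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The benign attrib.exe call at the end of the sample is deliberately left in: it matches the command-line pattern but targets a folder, so the executable-extension check drops it before any alert is raised.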

Distribution of DarkComet malware

To trick people into downloading and installing programs such as Quasar RAT, njRAT, and DarkComet, cybercriminals use:

  • other trojans
  • suspicious file or software download channels
  • fake software updates and/or unofficial activation tools
  • phishing

Emails may include malicious content in various formats like Microsoft Office documents, PDF documents, .exe files, ZIP and RAR archives, JavaScript files, etc.

After a user is tricked into downloading and then opening a file, it installs other malware.

How to detect DarkComet using ANY.RUN?

Figure 2: DarkComet memory dump

ANY.RUN automatically creates a memory dump of the running process and matches it against YARA rules. Once DarkComet is detected, its configuration is immediately available to researchers for further analysis.

In our example, the malware configuration was extracted just 10 seconds after the task was launched.
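The RC4-encrypted C&C traffic mentioned in the execution section and the configuration extracted here share one key in DarkComet 5.x. The script below is an added example, not ANY.RUN's extractor: it implements RC4, derives the key the way public analyses of DarkComet 5.x describe it (a version-specific prefix such as `#KCMDDC51#-890` followed by the operator's password), decrypts a hex-encoded config blob and pulls host:port pairs out of its `NETDATA` field. The key prefix, the `#BEGIN DARKCOMET DATA --` / `#EOF DARKCOMET DATA --` markers and the field names are assumptions taken from that public work rather than from this page, and should be checked against the config the sandbox reports; the blob `SAMPLE_BLOB_HEX`, the password `s3cret` and the hosts `c2.example.invalid` and `10.0.0.5` are constructed in the script.

```python
"""Derive the DarkComet RC4 key and recover C2 settings from an encrypted config.

Assumptions (from public DarkComet 5.x analyses, not from this page): config and
C2 traffic are RC4-encrypted with key = version prefix + operator password
("#KCMDDC51#-890" + password for 5.1/5.3); the stored config is hex-encoded and
is a KEY={VALUE} list between "#BEGIN DARKCOMET DATA --" and
"#EOF DARKCOMET DATA --". SAMPLE_BLOB_HEX is constructed below.
"""
import re

KEY_PREFIX_V51 = b"#KCMDDC51#-890"       # assumed prefix for DarkComet 5.1/5.3
BEGIN_MARK = "#BEGIN DARKCOMET DATA --"
END_MARK = "#EOF DARKCOMET DATA --"
FIELD_RE = re.compile(r"^([A-Z0-9_]+)=\{(.*?)\}\s*$", re.MULTILINE)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encrypting and decrypting are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def darkcomet_key(password: str = "", prefix: bytes = KEY_PREFIX_V51) -> bytes:
    """Key = prefix + password; an empty password leaves the bare prefix."""
    return prefix + password.encode("latin-1")


def parse_config(text: str) -> dict:
    """Return the KEY={VALUE} fields, or {} if the markers are absent (wrong key)."""
    start, end = text.find(BEGIN_MARK), text.find(END_MARK)
    if start < 0 or end < 0 or end < start:
        return {}
    return {k: v for k, v in FIELD_RE.findall(text[start:end])}


def extract_c2(blob_hex: str, password: str = "") -> dict:
    """Hex-decode, RC4-decrypt and parse; NETDATA holds '|'-separated host:port pairs."""
    plain = rc4(darkcomet_key(password), bytes.fromhex(blob_hex)).decode("latin-1")
    cfg = parse_config(plain)
    c2 = []
    for entry in filter(None, cfg.get("NETDATA", "").split("|")):
        host, _, port = entry.rpartition(":")
        c2.append((host, int(port)))
    return {"config": cfg, "c2": c2}


def find_password(blob_hex: str, candidates):
    """Try candidate passwords (e.g. seen in other samples) until the config parses."""
    for pw in candidates:
        if extract_c2(blob_hex, pw)["config"]:
            return pw
    return None


# Constructed plaintext and blob: c2.example.invalid / 10.0.0.5 are placeholders,
# 1604 is the port DarkComet listens on by default.
SAMPLE_PLAINTEXT = (
    f"{BEGIN_MARK}\r\nMUTEX={{DC_MUTEX-EXAMPLE}}\r\nSID={{Guest16}}\r\n"
    f"NETDATA={{c2.example.invalid:1604|10.0.0.5:1604}}\r\nFWB={{0}}\r\n{END_MARK}\r\n"
)
SAMPLE_PASSWORD = "s3cret"
SAMPLE_BLOB_HEX = rc4(darkcomet_key(SAMPLE_PASSWORD),
                      SAMPLE_PLAINTEXT.encode("latin-1")).hex().upper()

if __name__ == "__main__":
    print(extract_c2(SAMPLE_BLOB_HEX, SAMPLE_PASSWORD))
```

Because a wrong key yields bytes that never contain the BEGIN/EOF markers, `parse_config` returning an empty dict is the signal that the password (or the version prefix) is wrong; `find_password` turns that into a simple check over a candidate list when the config password is not known up front.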

Conclusion

Having DarkComet on a workstation can cause severe problems, and it is best to remove it immediately. For SOC specialists, analysis of the RAT infection should be carried out as soon as possible, and the ANY.RUN sandbox makes this easy.

