Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now
51
Global rank
54 infographic chevron month
Month rank
44 infographic chevron week
Week rank
0
IOCs

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

RAT
Type
France
Origin
12 February, 2008
First seen
26 October, 2025
Last seen
Also known as
Breut
Fynloski
klovbot

How to analyze DarkComet RAT with ANY.RUN

RAT
Type
France
Origin
12 February, 2008
First seen
26 October, 2025
Last seen

IOCs

IP addresses
193.161.193.99
89.46.100.217
37.1.222.208
45.74.4.244
176.108.108.71
8.8.8.8
138.197.139.130
193.201.225.52
223.244.83.13
195.123.221.123
104.22.48.74
78.163.16.186
185.60.133.214
80.79.114.172
91.207.61.175
80.241.222.33
70.70.19.220
37.203.214.28
172.94.18.243
37.1.217.131
Hashes
5ea806c3278c268dcc77922a1c9dd77c2c73895b16ad94165c8071b32ff6f6ab
00aade03383d49f2bcfe9a307bad9aae8d85c653c08066d07c5e762530a0ff1f
1541f59e5348feeb6fba62a2e5a35aba5b916ee3a9e74e628e15c86311257290
fedaa5bb34310e81ebb7b4b5af6d52fe5c11b91b379aba68f3092f454fe74371
029c8a06924cb876c58571508721f2b5602ada947486b8d2c516841ea063b6d9
0f3c943dd357cb25980e646ea5a9d20032dc5bed152f4d3d2fa827df9a46ec7f
b6ae4ada64475086412010b277797543244c552b069f07023f8a8653a4f99671
5eaf6506e7597608aecfc701ba4e5b858210107a576bb63526fdbd72ac7b00df
10ab1b1dd1992ed7e6054765e19d734e3578b099673065004ce277e0b8168a55
e90e62c04251c96f7410de968668857b8fec3bb5698f26f6cb5997c0e2c635c6
7adab26455736c97126e3d267f5a493ae48b78847346ec42bf10f6a16c759fe9
bbd99f529c5a3fbf48ed32d1b109443ffb62d499caa4f477d2ecc0471d460e14
bd7ead32cd8194fca366684e80891a3a56c377a36b06ae70eb69306a4c064151
448f48222cc03ccc5f52c5dabb436a80ad0d586397ffa77007fff1fda5553f92
bb5c8aa5732a904eb516294a1a029bac0b02f43cef59e1a3643048cbf46fe0e8
84c76ebcec806edfb76e33634f037229835e62109e37bd38f034aa1430731166
141f5d48b15457fa14eb03a31a3e2b7ef35535a5904a948d0bd4bca0f384f2d0
2e9080cab360ba29376fe76f885417ef33992917a42bed8a9353efc0fc49ee88
58845beb9b29540b7f0ceeacac8f1bc829263afc50da07634df8b7c0f1432ba8
ca2469f715306dc02441a4c55da33aa34c7c0c2b8b81939f2c0ea7d55770421c
Domains
0.tcp.ngrok.io
0.tcp.eu.ngrok.io
2.tcp.eu.ngrok.io
2.tcp.ngrok.io
4.tcp.ngrok.io
4.tcp.eu.ngrok.io
eu-central-7075.packetriot.net
6.tcp.ngrok.io
8.tcp.ngrok.io
6.tcp.eu.ngrok.io
7.tcp.eu.ngrok.io
5.tcp.eu.ngrok.io
full-qui.at.playit.gg
this-france.at.playit.gg
dgorijan20785.hopto.org
212.ip.ply.gg
aski.eating-organic.net
subdomain-dns.duckdns.org
hoslowhabboz.ddns.net
nene.linkpc.net
URLs
tcp://6.tcp.eu.ngrok.io:11380/
http://glaucogeraint.pagekite.me/
http://glaucogeraint.pagekite.me/favicon.ico
Last Seen at

Recent blog posts

post image
ANY.RUN Recognized as Threat Intelligence Com...
watchers 346
comments 0
post image
ANY.RUN & ThreatQ: Boost Detection Rate,...
watchers 384
comments 0
post image
No Threats Left Behind: SOC Analyst’s Guide t...
watchers 539
comments 0

What is DarkComet RAT?

DarkComet is a remote access trojan developed by Jean-Pierre Lesueur in 2008. According to him, the program was never intended to be used illegally. But it got viral in 2012 after the Syrian incident: the government used the RAT to spy and destroy the protestor’s network.

It’s a standard remote control malware – a hacker rules over the infected computer and gets access to the camera and microphone. That is why DarkComet serves as a tool to monitor victims’ actions, take screenshots, do key-logging, or steal credentials.

The malware has had several versions, and DarkComet 5.3.1 is still available in 2022.

Crooks try to make targets download and run the RAT using different social engineering techniques. And in some cases, attackers use DarkComet to deliver other malicious programs to the infected machine. Hackers may involve the victim machine in a botnet scheme, such as sending spam.

DarkComet malware analysis

ANY.RUN allows researchers to analyze DarkComet samples and monitor the malware’s activity in real-time using an interactive sandbox

darkcomet rat process graph

Figure 1: Process graph of DarkComet execution generated by ANY.RUN

DarkComet Execution process

DarkComet has a typical RAT execution.

The infected system connects to the hacker’s computer and gives the attacker full access. Crooks may exploit all the system's features: the infected machine is ready to get packets and perform the commands.

Systems communicate via TCP to the chosen DarkComet malware port on the selected IP/domain. Then C&C traffic begins with RC4-256 encryption.

The execution process of the DarkComet varies depending on the sample and version. The most straightforward execution is just one process that makes all activities in the infected system.

In some cases, malware may use system utilities to defend against evasion or persistence. For example, in this task, it uses the T1564.001 technique: malware starts attrib.exe through cmd.exe to hide the main executable. In the system process, iexplorer was injected with malicious code and provided the main malicious activity afterward.

Distribution of DarkComet malware

To trick people into downloading and installing programs such as Quasar RAT, njRAT, and DarkComet cybercriminals use:

  • other trojans
  • suspicious file or software download channels
  • fake software updates and/or unofficial activation tools
  • phishing

Emails may include malicious content in various formats like Microsoft Office documents, PDF documents, .exe files, ZIP and RAR archives, JavaScript files, etc.

After a user is tricked into downloading and then opening a file, it installs other malware.

How to detect DarkComet using ANY.RUN?

darkcomet rat memory dump

Figure 2: DarkComet memory dump

ANY.RUN automatically creates a memory dump of the running process and matches it with the Yara rule. After DarkComet detection, its config is available to researchers for subsequent analysis in no time.

In our example, malware configuration was extracted just 10 seconds after the task launch.

Conclusion

Having DarkComet downloaded on your working station can cause severe issues. And it’s better to get rid of it immediately. Concerning the SOC’s specialists' goal, the analysis of the RAT’s infection should be carried out as soon as possible. And with ANY.RUN sandbox it’s easy to do.

HAVE A LOOK AT

Cobalt Strike screenshot
Cobalt Strike
cobaltstrike
Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.
Read More
Phorpiex screenshot
Phorpiex
phorpiex
Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit.
Read More
ACR Stealer screenshot
ACR Stealer is a modern information-stealing malware designed to harvest sensitive data from infected devices. Like other infostealers, it targets credentials, financial details, browser data, and files, enabling cybercriminals to monetize stolen information through direct fraud or underground market sales.
Read More
Sality screenshot
Sality
sality
Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions.
Read More
Grandoreiro screenshot
Grandoreiro
grandoreiro
Grandoreiro is a Latin American banking trojan first observed in 2016. It targets mostly Spanish-speaking countries, such as Brazil, Spain, Mexico and Peru. This malware is operated as a Malware-as-a-Service (MaaS), which makes it easily accessible for cybercriminals. Besides, it uses advanced techniques to evade detection.
Read More
Crocodilus screenshot
Crocodilus
crocodilus
Crocodilus is a highly sophisticated Android banking Trojan that emerged in March 2025, designed for full device takeover. Disguised as legitimate apps, it steals banking credentials, cryptocurrency wallet data, and enables remote control, rapidly evolving into a global threat targeting financial users across Europe, South America, and Asia.
Read More