BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
28
Global rank
62 infographic chevron month
Month rank
56 infographic chevron week
Week rank
694
IOCs

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

RAT
Type
France
Origin
12 February, 2008
First seen
20 May, 2024
Last seen
Also known as
Breut
Fynloski
klovbot

How to analyze DarkComet RAT with ANY.RUN

RAT
Type
France
Origin
12 February, 2008
First seen
20 May, 2024
Last seen

IOCs

IP addresses
193.161.193.99
45.74.4.244
78.163.16.186
193.149.180.137
176.108.108.71
75.4.61.28
223.244.83.13
140.82.13.202
46.2.15.197
151.236.21.83
185.60.133.214
80.85.154.180
80.85.156.184
40.76.20.9
88.169.146.156
79.143.38.55
78.190.191.194
45.32.255.220
109.61.248.34
37.1.217.131
Hashes
bd7ead32cd8194fca366684e80891a3a56c377a36b06ae70eb69306a4c064151
1e62c968a2fd6671de84465a0d98cfebb16ed8d36ab0eee465220c974675d994
937ec88c22853bb512cccd58ba7e0dbb5671183c9eee76b6709583958925ee92
3a706b3159685d364796d91de6b588cea5308c42ea11165ac756da94f38f193d
82df3f039af299fd82ac54b1c8e02346509f9a2c8f09cb843d9d7a6d2d842b2c
e9a92a9299b636d0209c604e4f641de8a56fb741028ca648b6472c0eb9c725a8
6586c119540a8f51cf1baddb4f169591cb342bc93e73ab1b0be6adff557d26ba
bd544e14b5dfe0df6c3f59a730d138f4b0c2c03c4bf0f05a4666d2f2430e752f
918e3094d94fe8836c54c10c4477180b926d370d039b503f20153c39b5a50744
c5daae6bf065e927f1d6e7bc20fad0e24c5feafb1d351ecbff95be90d144da2d
d195a46d8e4d00898c59dc1ca36b0563952a22308ad8f782b668da1da12385b6
3f4dbf083131149edd6c5af99a0a99fbfe4ef5c503ddcadd127ce1cfc7d30d7e
21ca06b18698d14154a45822aaae1e3837d168cc7630bcd3ec3d8c68aaa959e6
10deb0cbdec51982d31f8d2a5363d1a6471964e6123bc78ec8df257c40a0e657
dd3d45eb86c5bcc15e9cacd1e897ba68294e1ec683544d4c36a18a5ff9641ca7
16fff5d420b7ce260b0e33e4647c04dce0d7badde62a7c229c74ff7ddf857c69
791e395bafe61ff447fdd40745c455c9ed445465fbb518ae462665ae8398ee22
91952f9d1163ab2566a0cf0e336e75708d5a76486ffffe5f000d540bb3584b41
da15aed50222bc580c64ad74e61423cd382a1ba67eea01ca0457cde4d62e23a4
d57a56276b74fc6bbf1c282d00839e584e2bbb9a1f016d24f52adb231c8733db
Domains
0.tcp.eu.ngrok.io
5.tcp.eu.ngrok.io
4.tcp.eu.ngrok.io
6.tcp.eu.ngrok.io
dgorijan20785.hopto.org
7.tcp.eu.ngrok.io
myhackth.myftp.org
2.tcp.eu.ngrok.io
eu-central-7075.packetriot.net
4.tcp.ngrok.io
6.tcp.ngrok.io
212.ip.ply.gg
b7r.duckdns.org
positive-be.at.playit.gg
smath79.ddns.net
whatis79.ddns.net
chrisle79.ddns.net
bonding79.ddns.net
goodgt79.ddns.net
jacknop79.ddns.net
URLs
tcp://6.tcp.eu.ngrok.io:11380/
http://glaucogeraint.pagekite.me/
http://glaucogeraint.pagekite.me/favicon.ico
Last Seen at

Recent blog posts

post image
ANY.RUN attends Osintomático 2024
watchers 54
comments 0
post image
Windows 11 UAC Bypass in Modern Malware
watchers 768
comments 0
post image
New Hijack Loader Variant: Uses Process Hollo...
watchers 573
comments 0

What is DarkComet RAT?

DarkComet is a remote access trojan developed by Jean-Pierre Lesueur in 2008. According to him, the program was never intended to be used illegally. But it got viral in 2012 after the Syrian incident: the government used the RAT to spy and destroy the protestor’s network.

It’s a standard remote control malware – a hacker rules over the infected computer and gets access to the camera and microphone. That is why DarkComet serves as a tool to monitor victims’ actions, take screenshots, do key-logging, or steal credentials.

The malware has had several versions, and DarkComet 5.3.1 is still available in 2022.

Crooks try to make targets download and run the RAT using different social engineering techniques. And in some cases, attackers use DarkComet to deliver other malicious programs to the infected machine. Hackers may involve the victim machine in a botnet scheme, such as sending spam.

DarkComet malware analysis

ANY.RUN allows researchers to analyze DarkComet samples and monitor the malware’s activity in real-time using an interactive sandbox

darkcomet rat process graph

Figure 1: Process graph of DarkComet execution generated by ANY.RUN

DarkComet Execution process

DarkComet has a typical RAT execution.

The infected system connects to the hacker’s computer and gives the attacker full access. Crooks may exploit all the system's features: the infected machine is ready to get packets and perform the commands.

Systems communicate via TCP to the chosen DarkComet malware port on the selected IP/domain. Then C&C traffic begins with RC4-256 encryption.

The execution process of the DarkComet varies depending on the sample and version. The most straightforward execution is just one process that makes all activities in the infected system.

In some cases, malware may use system utilities to defend against evasion or persistence. For example, in this task, it uses the T1564.001 technique: malware starts attrib.exe through cmd.exe to hide the main executable. In the system process, iexplorer was injected with malicious code and provided the main malicious activity afterward.

Distribution of DarkComet malware

To trick people into downloading and installing programs such as Quasar RAT, njRAT, and DarkComet cybercriminals use:

  • other trojans
  • suspicious file or software download channels
  • fake software updates and/or unofficial activation tools
  • phishing

Emails may include malicious content in various formats like Microsoft Office documents, PDF documents, .exe files, ZIP and RAR archives, JavaScript files, etc.

After a user is tricked into downloading and then opening a file, it installs other malware.

How to detect DarkComet using ANY.RUN?

darkcomet rat memory dump

Figure 2: DarkComet memory dump

ANY.RUN automatically creates a memory dump of the running process and matches it with the Yara rule. After DarkComet detection, its config is available to researchers for subsequent analysis in no time.

In our example, malware configuration was extracted just 10 seconds after the task launch.

Conclusion

Having DarkComet downloaded on your working station can cause severe issues. And it’s better to get rid of it immediately. Concerning the SOC’s specialists' goal, the analysis of the RAT’s infection should be carried out as soon as possible. And with ANY.RUN sandbox it’s easy to do.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy