DarkComet RAT

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

Type: RAT
Origin: France
First seen: 12 February, 2008
Last seen: 5 October, 2022
Also known as: Breut, Fynloski, klovbot
Global rank: 25
Week rank: 16
Month rank: 16
IOCs: 6409

What is DarkComet RAT?

DarkComet is a remote access trojan developed by Jean-Pierre Lesueur in 2008. According to him, the program was never intended to be used illegally. But it went viral in 2012 after the Syrian incident, in which the government used the RAT to spy on protesters and destroy their network.

It is standard remote-control malware: the attacker takes over the infected computer and gains access to its camera and microphone. DarkComet therefore serves as a tool to monitor victims' actions, take screenshots, log keystrokes, or steal credentials.

The malware has had several versions, and DarkComet 5.3.1 is still available in 2022.

Crooks try to make targets download and run the RAT using various social engineering techniques. In some cases, attackers use DarkComet to deliver other malicious programs to the infected machine, or they enlist the victim machine in a botnet for tasks such as sending spam.

DarkComet malware analysis

ANY.RUN allows researchers to analyze DarkComet samples and monitor the malware's activity in real time using an interactive sandbox.

Figure 1: Process graph of DarkComet execution generated by ANY.RUN

DarkComet execution process

DarkComet has a typical RAT execution.

The infected system connects to the attacker's computer and gives the attacker full access. The attacker can use every feature of the system: the infected machine receives command packets and executes them.

The infected system communicates over TCP with the port chosen by the operator on the configured IP address or domain. C&C traffic then begins, encrypted with RC4-256.

The execution process of DarkComet varies depending on the sample and version. The most straightforward execution is a single process that performs all activity on the infected system.

In some cases, the malware uses system utilities for defense evasion or persistence. For example, in this task it uses technique T1564.001 (Hide Artifacts: Hidden Files and Directories): the malware starts attrib.exe through cmd.exe to hide its main executable. The system process iexplore.exe was then injected with malicious code and carried out the main malicious activity afterward.
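The attrib.exe-through-cmd.exe pattern above is easy to pick out of process-creation telemetry. The following is an added example for this page, not ANY.RUN's code: it walks a small set of constructed Sysmon-style events (the PIDs, paths and command lines are illustrative) and flags an attrib.exe run, parented by cmd.exe, that sets the hidden attribute on an executable, recording which process launched the shell and whether the hidden file is that process's own image. The benign `attrib -r` on a text file is included so the check is seen to pass it over.

```python
import re
import shlex
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation event (simplified Sysmon Event ID 1 shape)."""
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str


# Constructed telemetry for this example; PIDs and paths are illustrative only.
# Events 2-3 reproduce the pattern from the page: the dropped binary spawns
# cmd.exe, which runs attrib.exe to hide that same binary.
SAMPLE_EVENTS = [
    ProcessEvent(4120, 3988, r"C:\Users\user\Desktop\invoice.exe",
                 r"C:\Windows\explorer.exe",
                 r'"C:\Users\user\Desktop\invoice.exe"'),
    ProcessEvent(4188, 4120, r"C:\Windows\System32\cmd.exe",
                 r"C:\Users\user\Desktop\invoice.exe",
                 r'cmd.exe /c attrib +h +s "C:\Users\user\Desktop\invoice.exe"'),
    ProcessEvent(4204, 4188, r"C:\Windows\System32\attrib.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'attrib +h +s "C:\Users\user\Desktop\invoice.exe"'),
    # Benign: a user clearing the read-only bit on a text file.
    ProcessEvent(4300, 3988, r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\explorer.exe", r"cmd.exe /c attrib -r notes.txt"),
    ProcessEvent(4310, 4300, r"C:\Windows\System32\attrib.exe",
                 r"C:\Windows\System32\cmd.exe", r"attrib -r notes.txt"),
]

EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js")
ATTRIB_FLAG = re.compile(r"[+-][rashi]", re.I)


def hidden_executable_targets(command_line):
    """Return the executable paths that an attrib command line marks hidden (+h)."""
    try:
        argv = shlex.split(command_line, posix=False)  # keep Windows backslashes intact
    except ValueError:
        argv = command_line.split()
    # Only consider what follows the attrib token itself (skip "cmd.exe /c").
    idx = next((i for i, a in enumerate(argv)
                if a.strip('"').lower().split("\\")[-1] in ("attrib", "attrib.exe")), None)
    if idx is None:
        return []
    args = argv[idx + 1:]
    flags = {a.lower() for a in args if ATTRIB_FLAG.fullmatch(a)}
    if "+h" not in flags:
        return []
    return [a.strip('"') for a in args
            if not ATTRIB_FLAG.fullmatch(a)
            and a.strip('"').lower().endswith(EXEC_SUFFIXES)]


def detect_hide_artifacts(events):
    """Flag attrib.exe runs, parented by cmd.exe, that hide an executable.

    Each finding records which process started the cmd.exe shell and whether
    the hidden file is that process's own image (the self-hiding seen on the page).
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\attrib.exe"):
            continue
        if not e.parent_image.lower().endswith("\\cmd.exe"):
            continue
        targets = hidden_executable_targets(e.command_line)
        if not targets:
            continue
        shell = by_pid.get(e.ppid)
        origin = by_pid.get(shell.ppid) if shell else None
        origin_image = origin.image if origin else None
        findings.append({
            "technique": "T1564.001",
            "attrib_pid": e.pid,
            "hidden": targets,
            "shell_spawned_by": origin_image,
            "self_hide": origin_image is not None
                         and any(t.lower() == origin_image.lower() for t in targets),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_hide_artifacts(SAMPLE_EVENTS):
        print(finding)
```

The grandparent lookup is what separates this from a plain "attrib +h" string match: an executable hiding itself right after launch is a much stronger signal than an administrator hiding a file from a shell.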

Distribution of DarkComet malware

To trick people into downloading and installing programs such as Quasar RAT, njRAT, and DarkComet, cybercriminals use:

  • other trojans
  • suspicious file or software download channels
  • fake software updates and/or unofficial activation tools
  • phishing

Emails may include malicious content in various formats like Microsoft Office documents, PDF documents, .exe files, ZIP and RAR archives, JavaScript files, etc.

Once a user is tricked into downloading and opening such a file, it installs the malware.

How to detect DarkComet using ANY.RUN?


Figure 2: DarkComet memory dump

ANY.RUN automatically creates a memory dump of the running process and matches it against YARA rules. Once DarkComet is detected, its configuration is available to researchers for further analysis in no time.

In our example, the malware configuration was extracted just 10 seconds after the task launch.
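To show what "match the dump, then pull the config" looks like in practice, here is an added example written for this page; it is not ANY.RUN's extractor or signature. The BEGIN/EOF marker strings, the KEY={value} line layout, the key names (MUTEX, SID, NETDATA, INSTALL, FILEATTRIB) and the use of `|` to separate several C&C endpoints are assumptions modeled on published DarkComet config dumps; the DUMP bytes are constructed, with reserved `.invalid` hostnames. The pipeline matches the markers the way a YARA rule would, parses the block, and decodes the indicators an analyst wants first: mutex, C&C host:port pairs, and the file-attribute mask that corresponds to the attrib +h +s behaviour described earlier.

```python
import re

# Assumed layout (modeled on published DarkComet config dumps, not ANY.RUN's
# signature): a BEGIN marker, one KEY={value} pair per line, an EOF marker.
BEGIN_MARKER = b"#BEGIN DARKCOMET DATA --"
END_MARKER = b"#EOF DARKCOMET DATA --"
CONFIG_LINE = re.compile(rb"^([A-Z0-9]+)=\{(.*)\}\r?$", re.M)

# Windows file attribute bits (documented FILE_ATTRIBUTE_* values).
FILE_ATTRIBUTES = {1: "READONLY", 2: "HIDDEN", 4: "SYSTEM", 32: "ARCHIVE"}

# Constructed process memory for this example: padding, one decrypted config
# block, more padding. Hostnames use the reserved .invalid TLD.
DUMP = (
    b"\x00" * 64 + b"MZ\x90\x00" + b"\x90" * 32
    + BEGIN_MARKER + b"\r\n"
    + b"MUTEX={DC_MUTEX-EXAMPLE}\r\n"
    + b"SID={Guest16}\r\n"
    + b"NETDATA={c2.example.invalid:1604|backup.example.invalid:81}\r\n"
    + b"INSTALL={1}\r\n"
    + b"FILEATTRIB={6}\r\n"
    + END_MARKER + b"\r\n" + b"\xff" * 64
)


def find_config_blocks(dump):
    """YARA-style match: return the bytes between each BEGIN/EOF marker pair."""
    blocks = []
    pos = 0
    while True:
        start = dump.find(BEGIN_MARKER, pos)
        if start < 0:
            return blocks
        end = dump.find(END_MARKER, start)
        if end < 0:
            return blocks
        blocks.append(dump[start + len(BEGIN_MARKER):end])
        pos = end + len(END_MARKER)


def parse_config(block):
    """Turn KEY={value} lines into a dict of str -> str."""
    return {k.decode("ascii"): v.decode("latin-1")
            for k, v in CONFIG_LINE.findall(block)}


def extract_c2(config):
    """NETDATA holds host:port endpoints; '|' as the separator is an assumption."""
    endpoints = []
    for entry in config.get("NETDATA", "").split("|"):
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit():
            endpoints.append((host, int(port)))
    return endpoints


def decode_file_attrib(config):
    """Decode the FILEATTRIB bitmask the sample applies to its own file.

    A value of 6 is HIDDEN|SYSTEM, the same result as 'attrib +h +s'."""
    try:
        mask = int(config.get("FILEATTRIB", "0"))
    except ValueError:
        return []
    return [name for bit, name in sorted(FILE_ATTRIBUTES.items()) if mask & bit]


def analyze(dump):
    """Full pipeline: match -> parse -> indicators, one record per config block."""
    results = []
    for block in find_config_blocks(dump):
        cfg = parse_config(block)
        results.append({
            "mutex": cfg.get("MUTEX"),
            "c2": extract_c2(cfg),
            "file_attributes": decode_file_attrib(cfg),
            "install": cfg.get("INSTALL") == "1",
        })
    return results


if __name__ == "__main__":
    for record in analyze(DUMP):
        print(record)
```

Scanning the dump rather than the file on disk is the point: the config only exists in this readable form after the sample has decrypted it in memory, which is why the sandbox's automatic memory dump is what makes the extraction fast.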

Conclusion

Having DarkComet on your workstation can cause severe problems, so it is best to remove it immediately. For SOC specialists, analysis of a RAT infection should be carried out as soon as possible, and the ANY.RUN sandbox makes that easy.

IOCs

IP addresses
91.109.184.6
185.183.98.166
3.132.159.158
70.70.19.220
3.142.167.54
37.203.214.28
212.220.202.104
165.227.31.192
185.204.1.236
87.66.106.20
79.134.225.30
3.134.196.116
134.209.47.156
78.173.184.33
170.178.190.213
184.75.223.227
5.129.36.73
192.121.87.80
194.40.243.243
193.242.166.48
Hashes

Domains
frederikkempe.com
majul.com
elx01.knas.systems
WindowsAuthentication324-49629.portmap.host
graphql.usercentrics.eu
tracking.reactful.com
visitor.reactful.com
1a69-1-1-1-1.ngrok.io
54be-216-250-249-146.ngrok.io
2d0d-169-54-110-69.ngrok.io
0934-2001-569-7ed3-bd00-1d59-f4b7-9e51-370.ngrok.io
dashmessaging.ngrok.io
e8fb846ee4a8.ngrok.io
papzdr.ngrok.io
61c2-219-74-67-125.ngrok.io
d8d5ffd7.ngrok.io
718b-2a01-cb08-a11-3300-af7d-ea87-380e-8a24.ngrok.io
a950-190-86-252-234.ngrok.io
fe43-71-204-101-183.ngrok.io
ec5e-2a0c-5a80-d301-df00-5d8a-c5e7-bb11-1bdd.ngrok.io
