DarkComet RAT

Global rank: 28
Month rank: 18
Week rank: 18
IOCs: 5628

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

Type: RAT
Origin: France
First seen: 12 February, 2008
Last seen: 3 June, 2023
Also known as: Breut, Fynloski, klovbot

IOCs

IP addresses
3.142.167.4
209.25.141.212
3.64.4.198
209.25.141.194
85.106.209.12
192.169.69.26
18.192.31.165
18.158.249.75
3.125.223.134
3.124.142.205
3.17.7.232
147.185.221.212
3.14.182.203
3.134.125.175
192.169.69.25
3.13.191.225
3.125.209.94
18.197.239.5
3.127.138.57
18.158.58.205
Hashes

Domains
vcctggqm3t.dattolocal.net
elx01.knas.systems
njxyro.ddns.net
192-168-100-240.otmn.direct.quickconnect.to
joemclean.duckdns.org
microsoftfixer.duckdns.org
fevertoxs.duckdns.org
adenere.duckdns.org
fevertox.duckdns.org
8.tcp.ngrok.io
frederikkempe.com
majul.com
device-local-3193b8ff-0889-41c5-8fd6-67066f88b277.remotewd.com
5.tcp.eu.ngrok.io
album-two.at.ply.gg
mary-farmers.at.ply.gg
album-two.at.playit.gg
music-avatar.at.playit.gg
msn-she.at.playit.gg

What is DarkComet RAT?

DarkComet is a remote access trojan developed by Jean-Pierre Lesueur in 2008. According to him, the program was never intended for illegal use. But it went viral in 2012 after the Syrian incident, in which the government used the RAT to spy on protesters and destroy their network.

It is a standard remote-control malware: the attacker takes control of the infected computer and gains access to its camera and microphone. DarkComet is therefore used to monitor victims' actions, take screenshots, log keystrokes, and steal credentials.

The malware has had several versions, and DarkComet 5.3.1 is still available in 2022.

Crooks try to make targets download and run the RAT using various social engineering techniques. In some cases, attackers use DarkComet to deliver other malicious programs to the infected machine, and they may enlist the victim machine in a botnet scheme, for example to send spam.

DarkComet malware analysis

ANY.RUN allows researchers to analyze DarkComet samples and monitor the malware's activity in real time in an interactive sandbox.

Figure 1: Process graph of DarkComet execution generated by ANY.RUN

DarkComet Execution process

DarkComet follows a typical RAT execution flow.

The infected system connects to the attacker's computer and gives the attacker full access. Crooks may exploit all of the system's features: the infected machine receives packets and executes the commands they carry.

The systems communicate over TCP to the DarkComet port chosen on the selected IP address or domain. The C&C traffic then begins with RC4-256 encryption.

The execution process of DarkComet varies depending on the sample and version. The most straightforward execution is a single process that performs all activity on the infected system.

In some cases, the malware uses system utilities for defense evasion or persistence. For example, in this task it uses the T1564.001 technique: the malware starts attrib.exe through cmd.exe to hide the main executable. The iexplore.exe system process was then injected with malicious code and carried out the main malicious activity afterward.
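The two behaviours just described, attrib.exe launched through cmd.exe to hide the dropped executable (T1564.001) and C2 traffic coming from an injected browser process, are both visible in host telemetry. The following is an added example (not ANY.RUN code) of turning them into detection logic: it parses constructed Sysmon-style process-creation and network-connection events and flags both patterns. The key=value line format, the file paths, the port numbers and the svchost.exe drop name are all assumptions of this example; the C2 addresses in IOC_IPS are taken from the IOC list on this page.

```python
"""Host-telemetry detections for the DarkComet behaviours described above.
Added example, not ANY.RUN's code. Log lines are constructed Sysmon-style
events (EventID 1 = process creation, EventID 3 = network connection)."""
import re
from typing import Dict, List

# Constructed sample telemetry. The field layout (key="value" pairs on one
# line) is an assumption of this example, not a real Sysmon export format.
SAMPLE_LOG = """\
EventID=1 Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\Users\\user\\AppData\\Roaming\\svchost.exe" CommandLine="cmd.exe /c attrib +h +s C:\\Users\\user\\AppData\\Roaming\\svchost.exe"
EventID=1 Image="C:\\Windows\\System32\\attrib.exe" ParentImage="C:\\Windows\\System32\\cmd.exe" CommandLine="attrib +h +s C:\\Users\\user\\AppData\\Roaming\\svchost.exe"
EventID=1 Image="C:\\Windows\\System32\\attrib.exe" ParentImage="C:\\Windows\\explorer.exe" CommandLine="attrib -r C:\\Users\\user\\Documents\\report.docx"
EventID=3 Image="C:\\Program Files\\Internet Explorer\\iexplore.exe" DestinationIp="3.142.167.4" DestinationPort="1604"
EventID=3 Image="C:\\Program Files\\Internet Explorer\\iexplore.exe" DestinationIp="203.0.113.10" DestinationPort="443"
"""

# A few C2 addresses taken from the IOC list on this page.
IOC_IPS = {"3.142.167.4", "209.25.141.212", "85.106.209.12"}

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict; quoted and bare values both work."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Last path component, lower-cased, so comparisons ignore install location."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_attrib_hide(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """T1564.001: attrib.exe spawned by cmd.exe and setting the hidden (+h) bit.
    Requiring both the parent and the flag keeps ordinary 'attrib -r' use out."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "1":
            continue
        if basename(ev.get("Image", "")) != "attrib.exe":
            continue
        if basename(ev.get("ParentImage", "")) != "cmd.exe":
            continue
        if re.search(r"(?i)(^|\s)\+h\b", ev.get("CommandLine", "")):
            hits.append({"technique": "T1564.001", "command": ev["CommandLine"]})
    return hits


def detect_browser_c2(events: List[Dict[str, str]], ioc_ips) -> List[Dict[str, str]]:
    """Network connections from a browser process to a known DarkComet C2 address:
    the sample on this page ran its C2 traffic from code injected into iexplore.exe."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "3":
            continue
        if basename(ev.get("Image", "")) != "iexplore.exe":
            continue
        if ev.get("DestinationIp") in ioc_ips:
            hits.append({"process": basename(ev["Image"]),
                         "dest": f'{ev["DestinationIp"]}:{ev.get("DestinationPort", "?")}'})
    return hits


def run_detections(text: str, ioc_ips) -> Dict[str, list]:
    """Parse the log once and run both detections over it."""
    events = parse_log(text)
    return {"attrib_hide": detect_attrib_hide(events),
            "browser_c2": detect_browser_c2(events, ioc_ips)}


if __name__ == "__main__":
    for name, findings in run_detections(SAMPLE_LOG, IOC_IPS).items():
        for hit in findings:
            print(name, hit)
```

On the constructed sample this reports one T1564.001 hit (the attrib +h launched from cmd.exe) and one C2 hit (iexplore.exe to 3.142.167.4); the explorer.exe-launched `attrib -r` and the browser's connection to an unrelated address are left alone. In production the IOC set would be fed from the page's full list, and the browser-process check would usually be paired with a parent/child anomaly rule, since the injected browser need not be iexplore.exe in every sample.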

Distribution of DarkComet malware

To trick people into downloading and installing programs such as Quasar RAT, njRAT, and DarkComet, cybercriminals use:

  • other trojans
  • suspicious file or software download channels
  • fake software updates and/or unofficial activation tools
  • phishing

Emails may include malicious content in various formats like Microsoft Office documents, PDF documents, .exe files, ZIP and RAR archives, JavaScript files, etc.

After a user is tricked into downloading and then opening such a file, it installs additional malware.

How to detect DarkComet using ANY.RUN?

Figure 2: DarkComet memory dump

ANY.RUN automatically creates a memory dump of the running process and matches it against the YARA rule. Once DarkComet is detected, its configuration becomes available to researchers for further analysis right away.

In our example, malware configuration was extracted just 10 seconds after the task launch.

Conclusion

Having DarkComet on a workstation can cause severe issues, and it is better to get rid of it immediately. For SOC specialists, the goal is to analyze the RAT infection as soon as possible, and the ANY.RUN sandbox makes that easy.
