DarkComet RAT

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

Type: RAT
Origin: France
First seen: 12 February, 2008
Last seen: 26 June, 2022
Also known as: Breut, Fynloski, klovbot
Global rank: 25
Week rank: 11
Month rank: 12
IOCs: 5871

What is DarkComet RAT?

DarkComet is a remote access trojan developed by Jean-Pierre Lesueur in 2008. According to him, the program was never intended for illegal use. It went viral in 2012 after the Syrian incident, when the government used the RAT to spy on protesters and destroy their network.

It is a standard remote control malware: an attacker takes over the infected computer and gains access to its camera and microphone. DarkComet therefore serves as a tool to monitor victims' actions, take screenshots, log keystrokes, and steal credentials.

The malware has had several versions, and DarkComet 5.3.1 is still available in 2022.

Crooks try to make targets download and run the RAT using various social engineering techniques. In some cases attackers also use DarkComet to deliver other malicious programs to the infected machine, or enlist the victim machine in a botnet, for example to send spam.

DarkComet malware analysis

ANY.RUN allows researchers to analyze DarkComet samples and monitor the malware's activity in real time using an interactive sandbox.


Figure 1: Process graph of DarkComet execution generated by ANY.RUN

DarkComet Execution process

DarkComet has a typical RAT execution.

The infected system connects to the attacker's computer and gives the attacker full access. Crooks can use every feature of the system: the infected machine waits for packets and executes the commands they carry.

The infected host communicates over TCP with the DarkComet port chosen by the operator on the selected IP address or domain. C&C traffic then begins, encrypted with RC4-256.

The execution process of DarkComet varies depending on the sample and version. In the simplest case a single process performs all activity on the infected system.

In some cases the malware uses system utilities for defense evasion or persistence. For example, in this task it uses technique T1564.001: the malware starts attrib.exe through cmd.exe to hide the main executable. Among the system processes, iexplore.exe was injected with malicious code and carried out the main malicious activity afterward.
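The cmd.exe to attrib.exe chain described above is a detectable pattern in process-creation telemetry. The following is an added example, not ANY.RUN's code: it runs a simple T1564.001 detector over constructed Sysmon-style process events (the paths and the "update.exe" file name are invented for illustration) and flags attrib.exe runs that set hidden/system attributes on an executable, raising severity when the parent is cmd.exe.

```python
"""Detecting T1564.001 (hiding files with attrib.exe) in process-creation telemetry.

Added example for this page, not ANY.RUN's own code. The events below are
constructed in the shape of Sysmon Event ID 1 fields; the paths are invented.
"""
import ntpath
import re
import shlex
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry reproducing the chain described in the text:
# dropped executable -> cmd.exe -> attrib.exe hiding the dropped executable.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Users\user\AppData\Roaming\update.exe",
                 r'"C:\Users\user\AppData\Roaming\update.exe"'),
    ProcessEvent(r"C:\Users\user\AppData\Roaming\update.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c attrib +h +s "C:\Users\user\AppData\Roaming\update.exe"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\attrib.exe",
                 r'attrib +h +s "C:\Users\user\AppData\Roaming\update.exe"'),
    # Benign administrative use: clearing read-only on a document.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\attrib.exe",
                 r"attrib -r C:\Users\user\Documents\notes.txt"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

HIDE_FLAGS = {"+h", "+s"}
EXEC_EXT = re.compile(r"\.(exe|dll|scr|com|bat|vbs|js)$", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path.strip('"')).lower()


def parse_attrib(command_line: str):
    """Return (flags, targets) from an attrib command line.

    posix=False keeps backslashes literal so Windows paths survive; quotes are
    stripped afterwards. Anything before the attrib token (e.g. 'cmd.exe /c')
    is ignored.
    """
    tokens = [t.strip('"') for t in shlex.split(command_line, posix=False)]
    attrib_idx = next((i for i, t in enumerate(tokens)
                       if _basename(t) in ("attrib", "attrib.exe")), None)
    if attrib_idx is None:
        return set(), []
    args = tokens[attrib_idx + 1:]
    flags = {t.lower() for t in args if re.fullmatch(r"[+-][a-z]", t, re.IGNORECASE)}
    targets = [t for t in args if not t.startswith(("+", "-", "/"))]
    return flags, targets


def detect_hidden_executables(events):
    """Flag attrib.exe runs that set hidden/system attributes on an executable.

    Severity is raised when the parent is cmd.exe and both +h and +s are set,
    the pattern the sample in the text exhibits. Returns a list of alert dicts.
    """
    alerts = []
    for ev in events:
        if _basename(ev.image) != "attrib.exe":
            continue
        flags, targets = parse_attrib(ev.command_line)
        if not flags & HIDE_FLAGS:
            continue
        exe_targets = [t for t in targets if EXEC_EXT.search(t)]
        if not exe_targets:
            continue
        via_cmd = _basename(ev.parent_image) == "cmd.exe"
        alerts.append({
            "technique": "T1564.001",
            "severity": "high" if via_cmd and HIDE_FLAGS <= flags else "medium",
            "parent": ev.parent_image,
            "flags": sorted(flags),
            "targets": exe_targets,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_hidden_executables(SAMPLE_EVENTS):
        print(alert)
```

The benign `attrib -r` event produces no alert because it neither sets a hide flag nor touches an executable; in production the same logic would sit on top of the EDR's process-creation feed and be tuned with an allow-list for installers that legitimately hide their own binaries.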

Distribution of DarkComet malware

To trick people into downloading and installing programs such as Quasar RAT, njRAT, and DarkComet, cybercriminals use:

  • other trojans
  • suspicious file or software download channels
  • fake software updates and/or unofficial activation tools
  • phishing

Emails may include malicious content in various formats like Microsoft Office documents, PDF documents, .exe files, ZIP and RAR archives, JavaScript files, etc.

After a user is tricked into downloading and then opening a file, it installs other malware.

How to detect DarkComet using ANY.RUN?


Figure 2: DarkComet memory dump

ANY.RUN automatically creates a memory dump of the running process and matches it against the YARA rule. Once DarkComet is detected, its configuration becomes available to researchers for further analysis almost immediately.

In our example, malware configuration was extracted just 10 seconds after the task launch.
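Configuration extraction from a memory dump, once a rule has identified the family, generally means locating the config region, decrypting it (the page states DarkComet uses RC4) and validating the plaintext before parsing it. The block below is an added example, not ANY.RUN's extractor: the RC4 routine is the standard algorithm, but the begin/end markers, the hex encoding, the candidate keys and the key=value field names are constructed for illustration and are not DarkComet's real layout or keys. It also simulates the memory region it scans, so it runs offline.

```python
"""RC4 decryption and key=value parsing of a RAT configuration blob located in
a memory dump. Added example; the key, markers and config layout are constructed
for illustration and are not DarkComet's real format.
"""
import binascii


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed: keys an extractor would try in turn, standing in for the
# version-specific keys a family may use. Not real DarkComet keys.
CANDIDATE_KEYS = [b"EXAMPLE-KEY-v51", b"EXAMPLE-KEY-v53"]
BEGIN_MARKER = b"#BEGIN EXAMPLE CONFIG#"   # constructed marker, not DarkComet's
END_MARKER = b"#END EXAMPLE CONFIG#"
REQUIRED_FIELDS = {"NETDATA", "MUTEX"}      # plaintext must contain these to count


def build_fake_dump() -> bytes:
    """Simulate a process memory region: padding, some junk, then the
    hex-encoded RC4 ciphertext of a constructed config between markers."""
    plaintext = (b"MUTEX={EXAMPLE-MUTEX-0001}\r\n"
                 b"NETDATA=c2.example.invalid:1604\r\n"   # constructed C2 host
                 b"INSTALL=1\r\n"
                 b"PERSIST=1\r\n")
    cipher_hex = binascii.hexlify(rc4(CANDIDATE_KEYS[1], plaintext)).upper()
    return b"\x00" * 64 + b"MZ\x90\x00junk" + BEGIN_MARKER + cipher_hex + END_MARKER + b"\x00" * 32


def extract_config(dump: bytes):
    """Locate, decrypt and validate the config; return a dict or None."""
    start = dump.find(BEGIN_MARKER)
    end = dump.find(END_MARKER, start) if start >= 0 else -1
    if start < 0 or end < 0:
        return None
    blob = dump[start + len(BEGIN_MARKER):end]
    try:
        cipher = binascii.unhexlify(blob)
    except binascii.Error:
        return None
    for key in CANDIDATE_KEYS:
        plain = rc4(key, cipher)
        try:
            text = plain.decode("ascii")        # a wrong key yields non-ASCII bytes
        except UnicodeDecodeError:
            continue
        fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
        if REQUIRED_FIELDS <= fields.keys():    # structural check against false decrypts
            fields["_key"] = key.decode()
            return fields
    return None


def c2_endpoint(fields: dict):
    """Split the NETDATA field into (host, port) for IOC export."""
    host, _, port = fields["NETDATA"].rpartition(":")
    return host, int(port)


if __name__ == "__main__":
    cfg = extract_config(build_fake_dump())
    print(cfg)
    print(c2_endpoint(cfg))
```

Trying a list of candidate keys and validating the plaintext with a field-presence check is what lets one extractor cover several versions of a family without knowing in advance which build it is looking at; the same validation step also stops garbage from a wrong key being reported as an IOC.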

Conclusion

Having DarkComet on a workstation can cause severe issues, and it is better to get rid of it immediately. For SOC specialists, analysis of the RAT infection should be carried out as soon as possible, and the ANY.RUN sandbox makes this easy.

IOCs

IP addresses
3.19.130.43
170.178.190.213
18.158.58.205
3.64.4.198
3.13.191.225
3.134.125.175
3.142.81.166
3.67.112.102
3.67.62.142
3.127.59.75
18.198.77.177
3.136.65.236
3.133.207.110
3.69.157.220
3.132.159.158
18.189.106.45
3.141.142.211
3.22.30.40
3.125.102.39
3.125.209.94
Hashes

Domains
qxq.ddns.net
zxcr9999-53954.portmap.io
defiance.portmap.host
fixerhost-57703.portmap.host
xvzrunsports-63819.portmap.io
DanilWhiteMM-38157.portmap.host
grexy-37705.portmap.io
Noyname31121223-20267.portmap.host
Noyname31121223-41692.portmap.io
DanilWhiteNjrat-57320.portmap.host
maboys0909443-41607.portmap.io
portypart3-30006.portmap.io
portypart3-26819.portmap.io
44334333-31579.portmap.io
SystemRuns-44697.portmap.host
AQUA123-44990.portmap.io
vaganovtopvitaliy-24476.portmap.io
kdlekfr0124-43582.portmap.io
samat228-43843.portmap.host
cybercraws-49029.portmap.io
