
DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

Type: RAT
Origin: France
First seen: 12 February, 2008
Last seen: 6 October, 2025
Also known as: Breut, Fynloski, klovbot




What is DarkComet RAT?

DarkComet is a remote access trojan developed by Jean-Pierre Lesueur in 2008. According to him, the program was never intended for illegal use. It went viral in 2012 after the Syrian incident, in which the government used the RAT to spy on protestors and dismantle their network.

It is standard remote-control malware: the attacker takes over the infected computer and gains access to its camera and microphone. That is why DarkComet serves as a tool to monitor victims' actions, take screenshots, log keystrokes, and steal credentials.

The malware has gone through several versions, and DarkComet 5.3.1 is still available in 2022.

Crooks use various social engineering techniques to make targets download and run the RAT. In some cases, attackers use DarkComet to deliver other malicious programs to the infected machine, and they may enlist the victim machine in a botnet, for example to send spam.

DarkComet malware analysis

ANY.RUN allows researchers to analyze DarkComet samples and monitor the malware's activity in real time using an interactive sandbox.

[Figure 1: Process graph of DarkComet execution generated by ANY.RUN]

DarkComet Execution process

DarkComet has a typical RAT execution.

The infected system connects to the attacker's computer and gives the attacker full access. Crooks can use every feature of the system: the infected machine receives command packets and executes them.

The infected system communicates over TCP with the DarkComet port chosen by the attacker on the selected IP address or domain. C&C traffic then begins, encrypted with RC4-256.

The execution chain of DarkComet varies by sample and version. In the simplest case, a single process carries out all activity on the infected system.

In some cases, the malware uses system utilities for defense evasion or persistence. For example, in this task it uses technique T1564.001: the malware launches attrib.exe through cmd.exe to hide its main executable. The system process iexplore.exe was then injected with malicious code and carried out the main malicious activity afterward.
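A detection check for the behaviour just described, written here as an added example rather than code from the ANY.RUN page: it walks a constructed process-event log, flags attrib.exe +h launched through cmd.exe from an executable outside system directories (T1564.001), and flags a remote thread created in iexplore.exe by that executable. Event field names, paths and pids are assumptions.

```python
# Added example, not code from the ANY.RUN page: flag the two behaviours the write-up
# describes in a process-event log (constructed dicts loosely modelled on Sysmon IDs 1 and 8).
import ntpath

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")

def base(image):
    return ntpath.basename(image).lower()

def ancestors(pid, procs):
    """Yield parent, grandparent, ... of pid until the chain leaves the log."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid]["ppid"]
        if pid in procs:
            yield procs[pid]

def detect(events):
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    for e in procs.values():
        # T1564.001: attrib.exe +h via cmd.exe, rooted in a non-system executable.
        if base(e["image"]) == "attrib.exe" and "+h" in e["cmdline"].lower():
            chain = list(ancestors(e["pid"], procs))
            rat = next((p for p in chain[1:]
                        if not p["image"].lower().startswith(SYSTEM_DIRS)), None)
            if chain and base(chain[0]["image"]) == "cmd.exe" and rat:
                findings.append(("T1564.001", e["pid"], rat["image"]))
    for e in events:
        # Remote thread from a non-system executable into iexplore.exe (injection, T1055).
        if e["type"] == "remote_thread":
            src, tgt = procs.get(e["source_pid"]), procs.get(e["target_pid"])
            if src and tgt and base(tgt["image"]) == "iexplore.exe" \
                    and not src["image"].lower().startswith(SYSTEM_DIRS):
                findings.append(("T1055", e["source_pid"], tgt["image"]))
    return findings
RAT = r"C:\Users\victim\Downloads\invoice.exe"   # constructed path
SAMPLE_EVENTS = [  # constructed sample, not taken from a real task
    {"type": "process_create", "pid": 100, "ppid": 50, "image": RAT, "cmdline": "invoice.exe"},
    {"type": "process_create", "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f'cmd.exe /c attrib +h "{RAT}"'},
    {"type": "process_create", "pid": 102, "ppid": 101, "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": f'attrib +h "{RAT}"'},
    {"type": "process_create", "pid": 103, "ppid": 100, "cmdline": "iexplore.exe",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"type": "remote_thread", "source_pid": 100, "target_pid": 103},
    # benign: attrib clearing a read-only bit, parent shell not in the log (no finding)
    {"type": "process_create", "pid": 201, "ppid": 200, "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib -r C:\data\notes.txt"},
]
```

Running detect(SAMPLE_EVENTS) yields one T1564.001 finding for the attrib.exe process and one T1055 finding for the injection into iexplore.exe; the benign attrib -r event produces nothing.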

Distribution of DarkComet malware

To trick people into downloading and installing programs such as Quasar RAT, njRAT, and DarkComet, cybercriminals use:

  • other trojans
  • suspicious file or software download channels
  • fake software updates and/or unofficial activation tools
  • phishing

Emails may include malicious content in various formats like Microsoft Office documents, PDF documents, .exe files, ZIP and RAR archives, JavaScript files, etc.

Once a user is tricked into downloading and opening such a file, it installs further malware.

How to detect DarkComet using ANY.RUN?

[Figure 2: DarkComet memory dump]

ANY.RUN automatically creates a memory dump of the running process and matches it against the YARA rule. Once DarkComet is detected, its configuration is made available to researchers for further analysis almost immediately.

In our example, malware configuration was extracted just 10 seconds after the task launch.

Conclusion

Having DarkComet on a workstation can cause severe issues, and it is best to remove it immediately. For SOC specialists, the goal is to analyze the RAT infection as soon as possible, and the ANY.RUN sandbox makes that easy.
