Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
41
Global rank
49 infographic chevron month
Month rank
53 infographic chevron week
Week rank
0
IOCs

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

RAT
Type
France
Origin
12 February, 2008
First seen
30 January, 2025
Last seen
Also known as
Breut
Fynloski
klovbot

How to analyze DarkComet RAT with ANY.RUN

RAT
Type
France
Origin
12 February, 2008
First seen
30 January, 2025
Last seen

IOCs

IP addresses
193.161.193.99
45.74.4.244
8.8.8.8
78.163.16.186
193.149.180.137
176.108.108.71
75.4.61.28
223.244.83.13
140.82.13.202
46.2.15.197
151.236.21.83
185.60.133.214
80.85.154.180
80.85.156.184
40.76.20.9
88.169.146.156
79.143.38.55
78.190.191.194
45.32.255.220
109.61.248.34
Domains
2.tcp.eu.ngrok.io
5.tcp.eu.ngrok.io
0.tcp.eu.ngrok.io
6.tcp.eu.ngrok.io
0.tcp.ngrok.io
4.tcp.eu.ngrok.io
7.tcp.eu.ngrok.io
2.tcp.ngrok.io
6.tcp.ngrok.io
gnx.zapto.org
eu-central-7075.packetriot.net
8.tcp.ngrok.io
skynet3310.zapto.org
nene.linkpc.net
4.tcp.ngrok.io
positive-be.at.playit.gg
papka142.ddns.net
dgorijan20785.hopto.org
myhackth.myftp.org
212.ip.ply.gg
URLs
tcp://6.tcp.eu.ngrok.io:11380/
http://glaucogeraint.pagekite.me/
http://glaucogeraint.pagekite.me/favicon.ico
Last Seen at

Recent blog posts

post image
3 Major Cyber Attacks in January 2025
watchers 559
comments 0
post image
How ANY.RUN Helps Healthcare Organizations Ag...
watchers 553
comments 0
post image
How to Prevent a Ransomware Attack on a Busin...
watchers 1297
comments 0

What is DarkComet RAT?

DarkComet is a remote access trojan developed by Jean-Pierre Lesueur in 2008. According to him, the program was never intended to be used illegally. But it got viral in 2012 after the Syrian incident: the government used the RAT to spy and destroy the protestor’s network.

It’s a standard remote control malware – a hacker rules over the infected computer and gets access to the camera and microphone. That is why DarkComet serves as a tool to monitor victims’ actions, take screenshots, do key-logging, or steal credentials.

The malware has had several versions, and DarkComet 5.3.1 is still available in 2022.

Crooks try to make targets download and run the RAT using different social engineering techniques. And in some cases, attackers use DarkComet to deliver other malicious programs to the infected machine. Hackers may involve the victim machine in a botnet scheme, such as sending spam.

DarkComet malware analysis

ANY.RUN allows researchers to analyze DarkComet samples and monitor the malware’s activity in real-time using an interactive sandbox

darkcomet rat process graph

Figure 1: Process graph of DarkComet execution generated by ANY.RUN

DarkComet Execution process

DarkComet has a typical RAT execution.

The infected system connects to the hacker’s computer and gives the attacker full access. Crooks may exploit all the system's features: the infected machine is ready to get packets and perform the commands.

Systems communicate via TCP to the chosen DarkComet malware port on the selected IP/domain. Then C&C traffic begins with RC4-256 encryption.

The execution process of the DarkComet varies depending on the sample and version. The most straightforward execution is just one process that makes all activities in the infected system.

In some cases, malware may use system utilities to defend against evasion or persistence. For example, in this task, it uses the T1564.001 technique: malware starts attrib.exe through cmd.exe to hide the main executable. In the system process, iexplorer was injected with malicious code and provided the main malicious activity afterward.

Distribution of DarkComet malware

To trick people into downloading and installing programs such as Quasar RAT, njRAT, and DarkComet cybercriminals use:

  • other trojans
  • suspicious file or software download channels
  • fake software updates and/or unofficial activation tools
  • phishing

Emails may include malicious content in various formats like Microsoft Office documents, PDF documents, .exe files, ZIP and RAR archives, JavaScript files, etc.

After a user is tricked into downloading and then opening a file, it installs other malware.

How to detect DarkComet using ANY.RUN?

darkcomet rat memory dump

Figure 2: DarkComet memory dump

ANY.RUN automatically creates a memory dump of the running process and matches it with the Yara rule. After DarkComet detection, its config is available to researchers for subsequent analysis in no time.

In our example, malware configuration was extracted just 10 seconds after the task launch.

Conclusion

Having DarkComet downloaded on your working station can cause severe issues. And it’s better to get rid of it immediately. Concerning the SOC’s specialists' goal, the analysis of the RAT’s infection should be carried out as soon as possible. And with ANY.RUN sandbox it’s easy to do.

HAVE A LOOK AT

Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
Mallox screenshot
Mallox
mallox
Mallox is a ransomware strain that emerged in 2021, known for its ability to encrypt files and target database servers using vulnerabilities like RDP. Often distributed through phishing campaigns and exploiting exposed SQL servers, it locks victims' data and demands a ransom. Mallox operates as a Ransomware-as-a-Service (RaaS), making it accessible to affiliates who use it to conduct attacks.
Read More
Meduza Stealer screenshot
Meduza Stealer is an information-stealing malware primarily targeting Windows systems, designed to harvest sensitive data such as login credentials, browsing histories, cookies, cryptocurrency wallets, and password manager data. It has advanced anti-detection mechanisms, allowing it to evade many antivirus programs. The malware is distributed through various means, including phishing emails and malicious links. It’s marketed on underground forums and Telegram channels.
Read More
Cobalt Strike screenshot
Cobalt Strike
cobaltstrike
Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.
Read More
Black Basta screenshot
Black Basta
blackbasta
Black Basta is a ransomware-as-a-service operated by Storm-1811. It emerged in 2022 and uses double extortion tactics, encrypting data and stealing it for ransom. The malware often gains access through spear-phishing and uses tools like QakBot and Cobalt Strike. It's known for exploiting system vulnerabilities and using advanced obfuscation techniques.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More