DarkComet, a stealthy Remote Access Trojan, silently infiltrates systems, stealing sensitive data like credentials and passwords. It also acts as a backdoor, enabling attackers to install malware and control infected machines for malicious activities.
DarkComet is a Remote Access Trojan (RAT) created in 2008 by Jean-Pierre Lesueur. The malware can disable antivirus programs, install additional malicious software, or recruit infected machines into botnets for further attacks. Symptoms of infection are often hidden from the user.
Technical Analysis
It’s user-friendly interface contributed to its widespread use, which disables security measures to remain undetected and is often distributed through bundled software, disguised emails, or website vulnerabilities.
By utilizing multiple techniques, it evades detection and establishes remote control, as analysis reveals the malware modifies file attributes using the “attrib” command, potentially marking itself as a system file (hidden and critical) and hiding dropped executables in non-obvious locations (e.g., C:UsersadminDocumentsMSDCSCmsdcsc.exe).
It also interacts with Windows APIs to manipulate process privileges, potentially elevating its access and control over the infected system, which allows communication with a predefined malicious domain for remote control and data exfiltration.
A Remote Access Trojan (RAT) gathers detailed system information using the GetCurrentHwProfileA API to identify hardware and docking status and also retrieves the date, time, and location from the registry.
The malware utilizes a function named sub_4735E8 to process various data points, including C2 server addresses, user SIDs, and mutex values, obfuscating them for analysis, which iterates through internal data structures (DARKCOMET DATA) to extract specific information based on provided parameters.
Try Advanced Malware Analysis with ANY.RUN For Free
Get 14 days Free Trial
View analysis session, Extracted data includes the C2 domain for communication, the installation date, and persistence mechanisms like registry keys. Importantly, DarkComet maintains the original executable creation date to avoid suspicion during a forensic investigation.
It stealthily infiltrates systems by dropping and executing a copy of itself in a user-specific directory. To persist, it cunningly modifies registry entries, ensuring its automatic execution upon system startup.
Once installed, it leverages system-level functions to simulate user input, capture keystrokes, and exfiltrate sensitive data. By manipulating mouse and keyboard events and intercepting clipboard content, DarkComet discreetly controls infected systems, posing a significant security threat.
It is malicious software that a command-and-control server remotely controls and sends precise instructions or commands to the infected system, enabling the attacker to carry out various malicious activities.
These commands can be used to steal data from the system, modify its settings, or deploy additional malware. Security experts can gain valuable insights into the attacker’s goals and methods by analyzing these commands.
According to ANY RUN report, DarkComet, a sophisticated RAT, poses a significant threat due to its stealthy techniques and extensive capabilities, which evade detection by modifying system settings and registry keys while gathering sensitive information and executing malicious commands remotely.
Learn to Analyze Malware and Cyber Threats
See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis
Investigate any threat with ease.
Its versatility, including its ability to manipulate system settings, simulate user input, and manage services, makes it a powerful tool for attackers. The malware’s ease of use and rich feature set have contributed to its widespread deployment, especially in targeted cyberattacks.
What is ANY RUN
ANY.RUN is trusted by over 500,000 cybersecurity professionals worldwide to streamline malware analysis. Our interactive sandbox allows for quick and efficient investigation of threats targeting both Windows and Linux systems.
Alongside this, our threat intelligence tools—TI Lookup, YARA Search, and Feeds—enable you to swiftly find IOCs or files, helping you understand threats and accelerate incident response.
With ANY.RUN, you can:
- Detect malware within seconds
- Analyze and interact with samples in real time
- Eliminate the need for costly sandbox setup and maintenance
- Capture and study detailed malware behavior
- Collaborate seamlessly with your team
- Scale effortlessly to meet your needs
Analyze your first URL right away Using ANY.RUN's New Safe Browsing Tool.