DarkComet RAT Fake Bitcoin Wallet Lure

A Bitcoin-themed sample of the DarkComet RAT was distributed inside a RAR archive. The archive contains a UPX-packed executable that, once run, installs persistence, logs keystrokes, and attempts to beacon to a hardcoded C2 at kvejo991.ddns.net:1604. File hashes, the install path, the mutex, and captured keystroke logs were recovered during analysis.

Keypoints

  • Malware was delivered in a RAR archive labeled as a Bitcoin wallet to entice cryptocurrency users and bypass filters.
  • Packed executable “94k BTC wallet.exe” was UPX-packed; unpacking produced a DarkComet RAT sample detected as Backdoor.DarkComet.
  • Persistence is achieved by copying the binary to %AppData%\Roaming\MSDCSC\explorer.exe and creating a Run registry key under HKCU.
  • Embedded configuration includes mutex DC_MUTEX-ARULYYD and C2 server kvejo991.ddns.net on TCP port 1604.
  • Primary capabilities observed: keylogging (logs stored in dclogs), process injection into notepad.exe, and attempted C2 beaconing and exfiltration.
  • Multiple file hashes provided for archive, packed payload, and unpacked binary to support detection and hunting.
  • UPX packing used for evasion and size reduction; unpacking restored standard PE sections for analysis.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Delivered as a malicious RAR file attachment/download to lure victims with the Bitcoin tool theme.
  • [T1027.002] Obfuscated/Compressed Binary – UPX Packing – The payload was packed with UPX to evade static detection.
  • [T1204] User Execution – The victim manually extracts and runs the disguised Bitcoin application.
  • [T1547.001] Registry Run Keys / Startup Folder – DarkComet sets autostart entries to survive reboots.
  • [T1056.001] Keylogging – Primary behavior observed: keystroke capture for credential and wallet theft.
  • [T1071.001] Application Layer Protocol – Establishes a connection with the C2 domain over TCP.
  • [T1041] Exfiltration Over C2 Channel – Captured keystrokes and data are exfiltrated via the same C2 connection.

Indicators of Compromise

  • [Hash] Archive and payload – RAR archive SHA256: 11bf1088d66bc3a63d16cc9334a05f214a25a47f39713400279e0823c97eb377; packed EXE SHA256: 5b5c276ea74e1086e4835221da50865f872fe20cfc5ea9aa6a909a0b0b9a0554.
  • [Hash] Unpacked binary – Unpacked EXE SHA256: 58c284e7bbeacb5e1f91596660d33d0407d138ae0be545f59027f8787da75eda.
  • [File Path] Install path – Persistence copy: C:\Users\<username>\AppData\Roaming\MSDCSC\explorer.exe (example observed under C:\Users\admin\…).
  • [Registry] Autostart key – HKCU\Software\Microsoft\Windows\CurrentVersion\Run\explorer -> C:\Users\admin\AppData\Roaming\MSDCSC\explorer.exe.
  • [Domain/Network] C2 server and port – kvejo991.ddns.net over TCP port 1604 (observed beaconing attempts and retransmissions).
  • [Mutex] Runtime mutex – DC_MUTEX-ARULYYD used to ensure single instance.
  • [Filename/Logs] Keystroke log – Keystroke capture stored in folder ‘dclogs’ and example log file 2025-10-29-4.dc (plus captured log entries).
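The indicators above can be checked directly against endpoint telemetry. The following Python is an added example, not code from the write-up; it takes the hashes, install path, Run key, mutex prefix and C2 endpoint listed on this page and flags matching events. The event dictionary schema and the sample events are assumptions standing in for whatever your EDR or Sysmon pipeline emits.

```python
import re

# Indicators taken from the write-up above.
KNOWN_SHA256 = {
    "11bf1088d66bc3a63d16cc9334a05f214a25a47f39713400279e0823c97eb377",  # RAR archive
    "5b5c276ea74e1086e4835221da50865f872fe20cfc5ea9aa6a909a0b0b9a0554",  # packed EXE
    "58c284e7bbeacb5e1f91596660d33d0407d138ae0be545f59027f8787da75eda",  # unpacked EXE
}
C2 = ("kvejo991.ddns.net", 1604)
# Install path under any user profile; matched case-insensitively because NTFS is.
INSTALL_PATH = re.compile(r"\\appdata\\roaming\\msdcsc\\explorer\.exe$", re.I)
RUN_KEY = re.compile(r"^hkcu\\software\\microsoft\\windows\\currentversion\\run\\explorer$", re.I)
# DarkComet builds share the DC_MUTEX- prefix; only the suffix (ARULYYD here) varies.
MUTEX = re.compile(r"^DC_MUTEX-[A-Z0-9]+$")


def check_event(ev):
    """Return the indicator names this one telemetry event matches (empty if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "file":
        if ev.get("sha256", "").lower() in KNOWN_SHA256:
            hits.append("known_hash")
        if INSTALL_PATH.search(ev.get("path", "")):
            hits.append("msdcsc_install_path")
    elif kind == "registry":
        if RUN_KEY.match(ev.get("key", "")) and INSTALL_PATH.search(ev.get("value", "")):
            hits.append("run_key_persistence")
    elif kind == "mutex" and MUTEX.match(ev.get("name", "")):
        hits.append("darkcomet_mutex")
    elif kind == "network" and (ev.get("dst_host", "").lower(), ev.get("dst_port")) == C2:
        hits.append("c2_beacon")
    return hits


def hunt(events):
    """Map each matching event's index to its hits; non-matching events are dropped."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}


# Constructed sample telemetry (assumed schema, not the write-up's own data).
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\admin\AppData\Roaming\MSDCSC\explorer.exe",
     "sha256": "58c284e7bbeacb5e1f91596660d33d0407d138ae0be545f59027f8787da75eda"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\explorer",
     "value": r"C:\Users\admin\AppData\Roaming\MSDCSC\explorer.exe"},
    {"type": "mutex", "name": "DC_MUTEX-ARULYYD"},
    {"type": "network", "dst_host": "kvejo991.ddns.net", "dst_port": 1604},
    {"type": "file", "path": r"C:\Windows\explorer.exe", "sha256": "0" * 64},  # benign
]

if __name__ == "__main__":
    for i, hits in hunt(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["type"], hits)
```

The mutex check matches the DC_MUTEX- prefix rather than only ARULYYD, so it will also catch other DarkComet builds; the hash and C2 checks are exact to this sample.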
Read more: https://www.pointwild.com/threat-intelligence/darkcomet-rat-malware-hidden-inside-fake-bitcoin-tool