Keypoints
- DarkComet is a Remote Access Trojan (RAT) first released in 2008 that stealthily collects system and user data and enables full remote control of infected machines.
- Common delivery methods include bundling with free software, malicious email attachments disguised as benign programs, and exploiting website vulnerabilities.
- In sandboxed runs DarkComet changes file attributes (adds Hidden/System), drops and executes an executable at C:\Users\admin\Documents\MSDCSC\msdcsc.exe, and contacts a remote C2 domain.
- The malware modifies process token privileges via LookupPrivilegeValueA and AdjustTokenPrivileges, gathers hardware profile (GetCurrentHwProfileA), system locale and time, and enumerates display and clipboard data.
- Persistence is achieved by adding a Run registry key (MicroUpdate) and altering Winlogon UserInit to run the dropped executable at startup.
- Core RAT capabilities include simulating mouse and keyboard input (mouse_event, keybd_event), capturing keystrokes (VkKeyScanA), desktop capture, webcam control, file upload/download, and executing remote commands from a C2.
- Extracted IOCs include file hashes, a C2 endpoint (8.tcp.eu.ngrok.io:27791), registry modifications, and the dropped executable path; an Appendix lists full commands sent by the C2.
MITRE Techniques
- [T1547] Boot or Logon Autostart Execution – DarkComet creates autostart registry entries to persist across reboots. Quote: ‘Adds Run key to start application’
- [T1547.001] Add to Run Keys – The malware writes SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate with the executable path. Quote: ‘SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = “C:\Users\Admin\Documents\MSDCSC\msdcsc.exe”’
- [T1547.004] Winlogon Helper DLL – DarkComet modifies the Winlogon UserInit setting to include its executable for startup. Quote: ‘\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = “C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\msdcsc.exe”’
- [T1112] Modify Registry – The malware changes registry keys to enable persistence and location/language queries. Quote: ‘\REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation’
- [T1564] Hide Artifacts – DarkComet uses attrib to mark files as system/hidden to reduce visibility. Quote: ‘It uses attrib to display or change file attributes’
- [T1564.001] Hidden Files and Directories – The RAT sets +h and +s attributes so dropped files are less visible. Quote: ‘+s (System Attribute) … +h (Hidden Attribute)’
- [T1012] Query Registry – The malware queries registry keys to obtain locale and user-specific settings. Quote: ‘It also checks the computer’s location settings by querying the registry key associated with the current user’s Security Identifier (SID)’
- [T1082] System Information Discovery – DarkComet collects hardware profile and system IDs via GetCurrentHwProfileA. Quote: ‘GetCurrentHwProfileA API to collect detailed information about the infected system’s hardware’
- [T1614] System Location Discovery – The RAT inspects regional settings and the Geo\Nation registry value to determine location. Quote: ‘\REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation’
- [T1614.001] System Language Discovery – The malware checks keyboard type and system language to handle input capture correctly. Quote: ‘GetKeyboardType(0) to determine the type of the primary keyboard’
- [T1102] Web Service – Command-and-control communication is performed via a remote TCP/web endpoint for instruction and data exfiltration. Quote: ‘The malware establishes communication with a specified malicious domain’
Indicators of Compromise
- [Hashes] Sample file hashes from the analysis – md5: 1b540a732f2d75c895e034c56813676a, sha256: 90d3dbe2c8ae46b970a865f597d091688e7c04c7886a1ec287e4b7a0f5e2fcf1 (and 1 more hash)
- [C2 Domain] Command-and-control endpoint observed – 8.tcp.eu.ngrok.io:27791
- [Registry Keys] Persistence and configuration changes – \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = “C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\msdcsc.exe”, and SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = “C:\Users\Admin\Documents\MSDCSC\msdcsc.exe”
- [Dropped Executable] Path of the dropped/installed binary – C:\Users\admin\Documents\MSDCSC\msdcsc.exe
- [Mutex] Single-instance mutex used by the sample – DC_MUTEX-D1SPNDG
DarkComet is a Remote Access Trojan first developed in 2008 that runs unobtrusively on Windows systems to collect data and provide remote control to an attacker. The RAT is commonly distributed through several vectors: it can be bundled with free applications, disguised as harmless attachments in emails, or delivered via exploited website vulnerabilities. Once executed, the malware attempts to blend in by changing file attributes using the Windows attrib utility, marking its files as system and hidden so they are less likely to be seen by users or flagged by casual inspection.
During the analyzed run, DarkComet dropped an executable named msdcsc.exe into C:\Users\admin\Documents\MSDCSC and launched it from that location; the dropped file is identical to the original binary, enabling the malware to continue from a new path and further complicate detection by security tools. To maintain persistence the RAT writes a Run key under SOFTWARE\Microsoft\Windows\CurrentVersion\Run using the name MicroUpdate and also modifies the Winlogon UserInit value so the malware is executed at logon alongside userinit.exe. These registry changes are central to its long-term presence on an infected host.
DarkComet interacts directly with Windows security APIs to adjust its operating context. It calls LookupPrivilegeValueA and AdjustTokenPrivileges to change privileges associated with the current process token, which helps it perform actions that require elevated rights without, in some cases, altering the process itself. The RAT also loads and resolves functions from core DLLs such as kernel32.dll and user32.dll to execute its capabilities.
Data collection is comprehensive: the malware uses GetCurrentHwProfileA to extract a system hardware profile GUID and dock state, reads date/time settings, and queries registry keys under the current user’s SID to determine locale and geo settings. To avoid leaving clear strings in the binary, DarkComet uses an internal routine (identified as sub_4735E8) to process an embedded data block known as DARKCOMET DATA; that block contains configuration items such as NETDATA (the C2 address), GENCODE, mutex and campaign IDs, file and directory attributes, and behavior flags. For example, the extracted NETDATA value points to 8.tcp.eu.ngrok.io:27791, and KEYNAME is set to MicroUpdate for registry persistence. The CHANGEDATE attribute is 0, indicating the dropped executable’s original timestamp is not altered—an evasion technique that helps it blend into normal file timelines during forensic review.
Operationally, DarkComet implements a wide array of RAT functions. It simulates user input via mouse_event and keybd_event to move the cursor, click, or type as if a local user were interacting with the system. The malware captures keystrokes and processes characters with VkKeyScanA to convert them into virtual key codes; it first checks keyboard type with GetKeyboardType to handle language/Unicode keyboards correctly. Display and clipboard information are also harvested—EnumDisplayDevicesA is used to enumerate connected displays, and the clipboard is queried for enhanced metafile content (format 0xE), allowing exfiltration or manipulation of copied images and text.
Network control is handled by a Command-and-Control server that issues instructions to the RAT. The server can instruct the implant to exfiltrate files, list drives and running applications, start or stop services, install or remove services, capture the desktop, stream webcam video, execute shell commands, download or upload files, and manage keylogging in both online and offline modes. The analysis extracted a large set of supported commands (listed in Appendix I of the original report) that reveal the breadth of remote tasks an operator can perform, including bot-like behaviors such as visiting URLs, performing pings, and managing updates.
Technical countermeasures and detection can focus on several observable behaviors: the use of attrib to set files as hidden/system, creation of specific registry values (MicroUpdate and modifications to Winlogon UserInit), the presence of the dropped executable at C:\Users\admin\Documents\MSDCSC\msdcsc.exe, outbound connections to the identified ngrok TCP endpoint, and matching file hashes from the sample. The sample’s mutex (DC_MUTEX-D1SPNDG) and embedded DARKCOMET DATA values also provide useful forensic artifacts for detection and correlation.
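As an added detection example (written for this summary, not code from the ANY.RUN report), the following Python checks Sysmon-style registry value-set events for the two persistence artifacts described above: extra entries appended to Winlogon UserInit, and a Run value that is named MicroUpdate or points at the MSDCSC\msdcsc.exe drop path. The event tuples are constructed sample input, and the assumption that userinit.exe is the only legitimate UserInit entry is an assumption of the example.

```python
import re

# Constructed sample telemetry (not from the report): Sysmon-style registry
# value-set events as (key, value). Events 1 and 2 mirror the documented artifacts.
SAMPLE_EVENTS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     r"C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate",
     r"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     r"C:\Windows\system32\userinit.exe,"),
]

# Assumption: the only legitimate UserInit entry is the default userinit.exe.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# Indicators taken from the report: the Run value name and the drop directory/file.
KNOWN_RUN_NAMES = {"microupdate"}
DROP_PATH_RE = re.compile(r"\\msdcsc\\msdcsc\.exe$", re.IGNORECASE)


def check_userinit(value):
    """Return UserInit entries other than userinit.exe (DarkComet appends its own)."""
    entries = [e.strip().strip('"').lower() for e in value.split(",")]
    return [e for e in entries if e and e != EXPECTED_USERINIT]


def check_run_value(name, value):
    """Return reasons a Run value matches the DarkComet persistence pattern."""
    reasons = []
    if name.lower() in KNOWN_RUN_NAMES:
        reasons.append("Run value name matches DarkComet KEYNAME (MicroUpdate)")
    if DROP_PATH_RE.search(value.strip('"')):
        reasons.append("Run value points to the MSDCSC\\msdcsc.exe drop path")
    return reasons


def scan(events):
    """Return (key, reason) alerts for a sequence of (key, value) registry events."""
    alerts = []
    for key, value in events:
        lowered = key.lower()
        if lowered.endswith("\\winlogon\\userinit"):
            for extra in check_userinit(value):
                alerts.append((key, f"unexpected UserInit entry: {extra}"))
        elif "\\currentversion\\run\\" in lowered:
            for reason in check_run_value(key.rsplit("\\", 1)[-1], value):
                alerts.append((key, reason))
    return alerts
```

Running scan(SAMPLE_EVENTS) yields three alerts: one for the appended UserInit entry and two for the MicroUpdate Run value; the benign OneDrive entry and the default UserInit value produce none.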
In summary, DarkComet remains a versatile and stealthy RAT with longstanding use by attackers due to its rich feature set and user-friendly control interface. The combination of stealth tactics—hidden/system file attributes, registry autostart entries, privilege adjustments, obfuscated configuration processing—and broad remote capabilities makes it a persistent threat for targeted intrusions and ongoing access on compromised Windows systems. Analysts should monitor the identified IOCs and behavioral indicators, and prioritize controls that detect unusual registry modifications, unexpected autoruns, and anomalous outbound connections to remote tunneling services.
Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/darkcomet-rat-technical-analysis/