win.darkcomet

DarkComet

aka: Breut, Fynloski, klovbot

Actor(s): APT33, Lazarus Group, Operation C-Major


DarkComet is one of the most famous RATs, developed by Jean-Pierre Lesueur in 2008. After it was used in the Syrian civil war in 2011, Lesueur decided to stop developing the trojan. DarkComet gives the operator control over a compromised system through a simple graphical user interface; experts consider this user-friendliness the key to its mass success.

References
2023-02-23, Bitdefender (Bitdefender Team, Martin Zugec)
Technical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966
Cobalt Strike DarkComet QuiteRAT RATel

2022-06-21, Cisco Talos (Chris Neal, Flavio Costa, Guilherme Venere)
Avos ransomware group expands with new attack arsenal
AvosLocker Cobalt Strike DarkComet MimiKatz

2022-04-26, Trend Micro (Lord Alfred Remorin, Ryan Flores, Stephen Hilt)
How Cybercriminals Abuse Cloud Tunneling Services
AsyncRAT Cobalt Strike DarkComet Meterpreter Nanocore RAT

2022-02-11, Cisco Talos (Talos)
Threat Roundup for February 4 to February 11
DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus

2022-02-09, SentinelOne (Juan Andrés Guerrero-Saade, Tom Hegel)
Modified Elephant APT and a Decade of Fabricating Evidence
DarkComet Incubator NetWire RC

2022-02-09, Sentinel LABS (Tom Hegel)
ModifiedElephant APT and a Decade of Fabricating Evidence
DarkComet Incubator NetWire RC ModifiedElephant

2021-11-10, AhnLab (ASEC Analysis Team)
Analysis Report of Lazarus Group’s NukeSped Malware
DarkComet Tiger RAT

2021-02-25, Intezer (Intezer)
Year of the Gopher A 2020 Go Malware Round-Up
NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy

2021-01-09, Marco Ramilli's Blog (Marco Ramilli)
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot

2020-08-01, TG Soft (TG Soft)
TG Soft Cyber - Threat Report
DarkComet Darktrack RAT Emotet ISFB

2020-01-26 (Brown Farinholt, Damon McCoy, Kirill Levchenko, Mohammad Rezaeirad)
Dark Matter: Uncovering the DarkComet RAT Ecosystem
DarkComet

2020-01-01, Secureworks (SecureWorks)
COPPER FIELDSTONE
Crimson RAT DarkComet Luminosity RAT NjRAT Operation C-Major

2020-01-01, Secureworks (SecureWorks)
ALUMINUM SARATOGA
BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats

2019-03-27, Symantec (Critical Attack Discovery and Intelligence Team)
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33

2019-03-27, Symantec (Security Response Attack Investigation Team)
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33

2018-01-01, FireEye (FireEye)
APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group

2016-06-03, FireEye (Sudeep Singh, Yin Hong Chang)
APT Group Sends Spear Phishing Emails to Indian Government Officials
BreachRAT DarkComet Operation C-Major

2012-10-05, Malwarebytes (Adam Kujawa)
Dark Comet 2: Electric Boogaloo
DarkComet

2012-06-21, Contagio Dump (Mila Parkour)
RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army
BlackShades DarkComet Terminator RAT

2012-06-09, Malwarebytes (Adam Kujawa)
You dirty RAT! Part 1: DarkComet
DarkComet

Yara Rules
[TLP:WHITE] win_darkcomet_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_darkcomet_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 648920 8b45ec c6404801 33d2 55 68???????? 64ff32 }
            // n = 7, score = 200
            //   648920               | mov                 dword ptr fs:[eax], esp
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   c6404801             | mov                 byte ptr [eax + 0x48], 1
            //   33d2                 | xor                 edx, edx
            //   55                   | push                ebp
            //   68????????           |                     
            //   64ff32               | push                dword ptr fs:[edx]

        $sequence_1 = { 837f4800 0f858c030000 6a00 6a01 6a02 e8???????? 8945fc }
            // n = 7, score = 200
            //   837f4800             | cmp                 dword ptr [edi + 0x48], 0
            //   0f858c030000         | jne                 0x392
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   6a02                 | push                2
            //   e8????????           |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_2 = { 8d45ec ba???????? e8???????? 837de800 750d 8d45e8 ba???????? }
            // n = 7, score = 200
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   ba????????           |                     
            //   e8????????           |                     
            //   837de800             | cmp                 dword ptr [ebp - 0x18], 0
            //   750d                 | jne                 0xf
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   ba????????           |                     

        $sequence_3 = { 888543feffff 8b55f4 b8???????? e8???????? 8bc8 8d45f4 ba01000000 }
            // n = 7, score = 200
            //   888543feffff         | mov                 byte ptr [ebp - 0x1bd], al
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   b8????????           |                     
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   ba01000000           | mov                 edx, 1

        $sequence_4 = { ff30 8d8dc4feffff 8bd6 8b45e8 8b38 ff570c }
            // n = 6, score = 200
            //   ff30                 | push                dword ptr [eax]
            //   8d8dc4feffff         | lea                 ecx, [ebp - 0x13c]
            //   8bd6                 | mov                 edx, esi
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   8b38                 | mov                 edi, dword ptr [eax]
            //   ff570c               | call                dword ptr [edi + 0xc]

        $sequence_5 = { 33c0 55 68???????? 64ff30 648920 8b4644 85c0 }
            // n = 7, score = 200
            //   33c0                 | xor                 eax, eax
            //   55                   | push                ebp
            //   68????????           |                     
            //   64ff30               | push                dword ptr fs:[eax]
            //   648920               | mov                 dword ptr fs:[eax], esp
            //   8b4644               | mov                 eax, dword ptr [esi + 0x44]
            //   85c0                 | test                eax, eax

        $sequence_6 = { 8b45f8 ba???????? e8???????? 7509 b001 e8???????? eb07 }
            // n = 7, score = 200
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   ba????????           |                     
            //   e8????????           |                     
            //   7509                 | jne                 0xb
            //   b001                 | mov                 al, 1
            //   e8????????           |                     
            //   eb07                 | jmp                 9

        $sequence_7 = { 6a00 56 8d4340 50 8d45f0 50 e8???????? }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   56                   | push                esi
            //   8d4340               | lea                 eax, [ebx + 0x40]
            //   50                   | push                eax
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_8 = { 8d45f8 b90d000000 ba01000000 e8???????? 8d45f4 8b55f8 e8???????? }
            // n = 7, score = 200
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   b90d000000           | mov                 ecx, 0xd
            //   ba01000000           | mov                 edx, 1
            //   e8????????           |                     
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   e8????????           |                     

        $sequence_9 = { ba???????? e8???????? 8b9594f9ffff 33c0 e8???????? 68???????? 8d8590f9ffff }
            // n = 7, score = 200
            //   ba????????           |                     
            //   e8????????           |                     
            //   8b9594f9ffff         | mov                 edx, dword ptr [ebp - 0x66c]
            //   33c0                 | xor                 eax, eax
            //   e8????????           |                     
            //   68????????           |                     
            //   8d8590f9ffff         | lea                 eax, [ebp - 0x670]

    condition:
        7 of them and filesize < 1499136
}