{
	"id": "e4b8a1e0-f088-44d3-bb24-926ea5778670",
	"created_at": "2026-04-06T00:09:59.316896Z",
	"updated_at": "2026-04-10T03:21:07.017824Z",
	"deleted_at": null,
	"sha1_hash": "0f55bfd468e0c87eb6dd149d9a2f9d779c1b255e",
	"title": "DarkComet RAT: Technical Analysis of Attack Chain - ANY.RUN's Cybersecurity Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 460689,
	"plain_text": "DarkComet RAT: Technical Analysis of Attack Chain - ANY.RUN's\r\nCybersecurity Blog\r\nBy Mostafa ElSheimy\r\nArchived: 2026-04-05 19:25:36 UTC\r\nEditor’s note: The current article is authored by Mostafa ElSheimy, a malware reverse engineer and threat\r\nintelligence analyst. You can find Mostafa on X and LinkedIn. \r\nIn this malware analysis report, we take an in-depth look at how the Remote Access Trojan (RAT) DarkComet has\r\nbeen used by attackers to remotely control systems, steal sensitive data, and execute various malicious activities. \r\nOverview \r\nDarkComet is a Remote Access Trojan (RAT) initially developed by Jean-Pierre Lesueur in 2008. This malware\r\nruns silently in the background, collecting sensitive information about the system, users, and network activity.  \r\nIt attempts to steal stored credentials, usernames, passwords, and other personal data, transmitting this information\r\nto a destination specified by the attacker.  \r\nBackdoor.DarkComet allows attackers to install further malicious software on the infected machine or enlist it in a\r\nbotnet for sending spam or other malicious activities.  \r\nSymptoms of an infection may not be noticeable to the user, as it can disable antivirus programs and other\r\nWindows security features.  \r\nDistribution methods include: \r\nBundling with free software. \r\nDisguising as harmless programs in emails. \r\nExploiting software vulnerabilities on websites. \r\nDarkComet became widely used due to its user-friendly graphical interface, which contributed to its popularity.\r\nTechnical Details \r\nLet’s run a sandbox analysis session using ANY.RUN to discover the technical details of this malware. \r\nView analysis session \r\nChanging file attributes \r\nhttps://any.run/cybersecurity-blog/darkcomet-rat-technical-analysis/\r\nPage 1 of 20\n\nDarkComet uses a command-line operation to alter file attributes, making its components more difficult to\r\ndetect.  
\r\nThe command line of DarkComet displayed in ANY.RUN’s sandbox\r\nIt runs the built-in attrib command, which displays or changes file attributes, with two switches:\r\n1. +s (System attribute): marks the file as a system file, so it looks like a critical part of the operating system.\r\n2. +h (Hidden attribute): hides the file from the default Windows Explorer view, making it invisible to most users.\r\nThe same two bits (FILE_ATTRIBUTE_HIDDEN = 0x2 and FILE_ATTRIBUTE_SYSTEM = 0x4, together 6) appear later in the embedded configuration as DIRATTRIB={6} and FILEATTRIB={6}.\r\nDropped executable file inside the summary of IOCs\r\nIt drops an executable at C:\\Users\\admin\\Documents\\MSDCSC\\msdcsc.exe and executes it from there, which makes the running copy harder to tie back to the original file.\r\nContacting Malicious Domains\r\nThe malware establishes communication with the domain specified in its configuration, enabling remote control and data exfiltration.\r\nMalicious domain displayed inside the sandbox\r\nModifying Process Privileges\r\nThe malware calls the Windows APIs LookupPrivilegeValueA and AdjustTokenPrivileges to change the privileges held by the current process’s access token (not the process object itself). LookupPrivilegeValueA resolves a privilege name to its LUID, and AdjustTokenPrivileges applies the new state to a token handle the malware has opened for its own process, changing its security context. Note that this only enables or disables privileges the account already holds in its token; it does not grant new ones.\r\nModification of process privileges\r\nIf a2 is 0, the privilege is disabled (Attributes = 0).\r\nIf a2 is 1, the privilege is enabled (Attributes = 2, SE_PRIVILEGE_ENABLED).\r\nGathering System Information\r\nRetrieving Hardware Profile\r\nUse of GetCurrentHwProfileA API\r\nDarkComet uses the GetCurrentHwProfileA API to collect information about the infected system’s hardware profile:\r\nHardware Profile ID (HWID): the GUID of the current hardware profile (the szHwProfileGuid field), which lets the malware uniquely recognize the system.
\r\nDock State: read from the dwDockInfo field of the same HW_PROFILE_INFO structure, this reveals whether the system is docked (for example, connected to a docking station) or undocked, and it is recorded together with the HWID as part of the victim fingerprint.\r\nDemonstration of GUID and Dock State\r\nRetrieving Date, Time, and Location\r\nThe malware also retrieves the date and time of the victim device.\r\nRetrieval of date and time\r\nIt then reads the computer’s location setting (the GeoID of the configured country) from the registry under the current user’s Security Identifier (SID):\r\n\\REGISTRY\\USER\\{SID}\\Control Panel\\International\\Geo\\Nation\r\nData Processing and Manipulation\r\nDarkComet calls one function, sub_4735E8, many times with different strings as parameters.\r\nUse of sub_4735E8 function\r\nThis function reads the embedded configuration resource and returns individual settings, including:\r\nC2 domain information: the Command and Control server the malware connects to.\r\nSID: in DarkComet’s configuration this is the server (campaign) identifier, not a Windows Security Identifier; in this sample it is Sazan.\r\nMutex value: used so that only one instance of the malware runs on the infected system at a time.\r\nThis indirection keeps the key values out of the binary’s plain strings section, so a simple strings dump does not reveal them.\r\nData processing and data manipulation with v28\r\nWith this function, the malware loops through DARKCOMET DATA to retrieve the attribute named by the parameter string.
\r\nDARKCOMET DATA\r\nHere is the loop that the malware uses to iterate through DARKCOMET DATA:\r\nDemonstration of the loop used by DarkComet\r\nWithin sub_4735E8, DarkComet walks its internal configuration block, known as DARKCOMET DATA, comparing each KEY={value} entry against the requested parameter name and returning the matching value.\r\nExtracted DARKCOMET DATA:\r\n#BEGIN DARKCOMET DATA --\r\nMUTEX={DC_MUTEX-D1SPNDG}\r\nSID={Sazan}\r\nFWB={0}\r\nNETDATA={8.tcp.eu.ngrok.io:27791}\r\nGENCODE={fKTZRKdv0Nij}\r\nINSTALL={1}\r\nCOMBOPATH={7}\r\nEDTPATH={MSDCSC\\msdcsc.exe}\r\nKEYNAME={MicroUpdate}\r\nEDTDATE={16/04/2007}\r\nPERSINST={0}\r\nMELT={0}\r\nCHANGEDATE={0}\r\nDIRATTRIB={6}\r\nFILEATTRIB={6}\r\nFAKEMSG={1}\r\nEF={1}\r\nMSGCORE={{42696C67697361796172FD6EFD7A20332073616E6979652069E7696E64652079656E6964656E206261FE6C6174FD6C6163616B\r\nMSGICON={48}\r\nSH1={1}\r\nCHIDEF={1}\r\nCHIDED={1}\r\nPERS={1}\r\nOFFLINEK={1}\r\n#EOF DARKCOMET DATA --\r\nFrom this data, the malware extracts and processes key attributes, including:\r\nC2 endpoint (NETDATA): the host and port the malware connects to and sends stolen data through; here an ngrok TCP tunnel, 8.tcp.eu.ngrok.io on port 27791, which hides the operator’s real address behind the tunnelling service (the Web Service technique, T1102, in the TTP table below).\r\nEDTDATE: the timestamp (16/04/2007) that would be stamped onto the dropped executable if CHANGEDATE were enabled; with CHANGEDATE={0} it is never applied and the dropped file keeps its real timestamps.\r\nThe processed C2 domain \u0026 EDTDATE\r\nMutex (MUTEX): DC_MUTEX-D1SPNDG, created so that only one copy of DarkComet runs on the system; an existing mutex with this name is a handy host-based indicator.\r\nThe processed Mutex\r\nFake message (FAKEMSG, MSGCORE, MSGICON): with FAKEMSG={1} the sample shows a decoy message box on launch; MSGCORE holds the text as hex-encoded bytes and MSGICON={48} is 0x30, the MB_ICONEXCLAMATION flag, so the victim sees a warning-style dialog instead of nothing happening.\r\nCampaign name (SID): Sazan, used by the operator to tell specific attacks or operations apart.
\r\nProcessed campaign name\r\nIt also processes the attributes that define how the sample installs itself and interacts with the system:\r\nEDTPATH: the relative path of the installed copy (MSDCSC\\msdcsc.exe), placed under the user’s Documents folder in this session.\r\nThe path of the new executable\r\nRegistry value name (KEYNAME): MicroUpdate, the name of the Run value used for persistence.\r\nreg_key (KEYNAME): MicroUpdate\r\nThe DARKCOMET DATA also shows that this build does not alter the timestamps of the dropped executable: CHANGEDATE is 0, so the EDTDATE value is never applied. The copy therefore carries the timestamps it received when it was written, which is useful when building a forensic timeline; had the option been enabled, the file would have been backdated to 16/04/2007 to blend in with older system files.\r\nDropped Executable File\r\nDarkComet drops a file named msdcsc.exe in the C:\\Users\\admin\\Documents\\MSDCSC\\ directory and executes it from there.\r\nThe dropped executable file\r\nThis dropped file is byte-for-byte identical to the original malware executable.\r\nComparison of the original and executable files\r\nIn other words, the sample re-launches itself from a new location. Running from a different path than the one it was delivered to makes it harder for security tools and analysts to connect the running process to the original file.\r\nPersistence Mechanisms\r\nTo maintain persistence on the infected system, DarkComet:\r\nAdds a Run value: it creates HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroUpdate containing the path of the dropped executable, so the RAT starts at every logon of this user.\r\nModifies the Winlogon UserInit value: it appends the dropped executable to HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit (a comma-separated list of programs that Winlogon runs at logon), so the RAT starts for every user on the machine. Writing this HKLM value requires administrative rights; the fact that the write succeeded in the sandbox shows the sample ran with them.
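\r\nAs an added example (this is not code from the original report, nor DarkComet’s own code), the Python script below parses a DARKCOMET DATA block like the one extracted above and turns it into the host and network indicators described in the configuration and persistence sections: the C2 host and port, the mutex and campaign name, the expected drop path, the Run value and the entry appended to Winlogon UserInit, the file-attribute bits behind the attrib +s +h command, and the decoy message. The embedded configuration is constructed from the report’s extraction, including the MSGCORE line with its doubled opening brace and missing closing brace. Assumptions not stated in the report: the drop directory is the Documents folder seen in the sandbox session (how COMBOPATH selects it is not documented here), MSGCORE is the message text in the victim’s ANSI code page (it decodes cleanly as Windows-1254), and the attribute and icon tables are the standard values from the Windows SDK headers; the function names are the example’s own.

```python
import binascii
import ntpath
import re

# Backslash and newline spelled out once, so the block needs no escape sequences.
BS = chr(92)
NL = chr(10)

def winpath(*parts):
    # Join path components with the Windows separator (works on any host OS).
    return BS.join(parts)

# Constructed sample: the DARKCOMET DATA block as extracted in the report above,
# including the MSGCORE line with a doubled opening brace and no closing brace.
SAMPLE_CONFIG = NL.join([
    '#BEGIN DARKCOMET DATA --',
    'MUTEX={DC_MUTEX-D1SPNDG}', 'SID={Sazan}', 'FWB={0}',
    'NETDATA={8.tcp.eu.ngrok.io:27791}', 'GENCODE={fKTZRKdv0Nij}',
    'INSTALL={1}', 'COMBOPATH={7}',
    'EDTPATH={' + winpath('MSDCSC', 'msdcsc.exe') + '}',
    'KEYNAME={MicroUpdate}', 'EDTDATE={16/04/2007}', 'PERSINST={0}',
    'MELT={0}', 'CHANGEDATE={0}', 'DIRATTRIB={6}', 'FILEATTRIB={6}',
    'FAKEMSG={1}', 'EF={1}',
    'MSGCORE={{42696C67697361796172FD6EFD7A20332073616E6979652069E7696E6465'
    '2079656E6964656E206261FE6C6174FD6C6163616B',
    'MSGICON={48}', 'SH1={1}', 'CHIDEF={1}', 'CHIDED={1}', 'PERS={1}',
    'OFFLINEK={1}',
    '#EOF DARKCOMET DATA --',
])

# One KEY={value} entry per line; tolerate doubled braces and a missing closer.
CONFIG_LINE = re.compile(r'^([A-Z0-9_]+)=[{]+(.*?)[}]*[ ]*$')

# File-attribute bits from winnt.h; attrib +s +h sets HIDDEN (2) and SYSTEM (4).
FILE_ATTRIBUTE_BITS = {0x1: 'READONLY', 0x2: 'HIDDEN', 0x4: 'SYSTEM', 0x20: 'ARCHIVE'}

# MessageBox icon flags from winuser.h; MSGICON={48} is 0x30, MB_ICONEXCLAMATION.
MB_ICON_FLAGS = {0x10: 'MB_ICONHAND', 0x20: 'MB_ICONQUESTION',
                 0x30: 'MB_ICONEXCLAMATION', 0x40: 'MB_ICONASTERISK'}

def parse_darkcomet_config(text):
    # Return the KEY={value} entries between the BEGIN and EOF markers as a dict.
    cfg = {}
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('#BEGIN DARKCOMET DATA'):
            inside = True
        elif line.startswith('#EOF DARKCOMET DATA'):
            break
        elif inside:
            m = CONFIG_LINE.match(line)
            if m:
                cfg[m.group(1)] = m.group(2)
    return cfg

def decode_attrib(value):
    # Expand a numeric DIRATTRIB/FILEATTRIB value into attribute names.
    bits = int(value)
    return [name for bit, name in sorted(FILE_ATTRIBUTE_BITS.items()) if bits & bit]

def decode_msgcore(hexstring, encoding='cp1254'):
    # MSGCORE is the decoy message as hex bytes. Assumption: it is stored in the
    # victim's ANSI code page; this sample decodes cleanly as Windows-1254.
    return binascii.unhexlify(hexstring).decode(encoding)

def derive_indicators(cfg, base_dir=winpath('C:', 'Users', 'admin', 'Documents')):
    # Turn the parsed config into the indicators the report lists. base_dir is the
    # drop directory seen in the sandbox; how COMBOPATH selects it is an assumption.
    host, port = cfg['NETDATA'].rsplit(':', 1)
    drop_path = ntpath.join(base_dir, cfg['EDTPATH'])
    run_key = winpath('HKCU', 'SOFTWARE', 'Microsoft', 'Windows', 'CurrentVersion', 'Run')
    fake_message = None
    if cfg.get('FAKEMSG') == '1':
        fake_message = decode_msgcore(cfg.get('MSGCORE', ''))
    return {
        'c2_host': host,
        'c2_port': int(port),
        'c2_defanged': host.replace('.', '[.]') + '[:]' + port,
        'mutex': cfg['MUTEX'],
        'campaign': cfg['SID'],          # DarkComet's server ID, not a Windows SID
        'drop_path': drop_path,
        'run_value': run_key + BS + cfg['KEYNAME'],
        'userinit_extra': drop_path,     # entry appended to the Winlogon UserInit value
        'file_attrib': decode_attrib(cfg['FILEATTRIB']),
        'timestomp': cfg.get('CHANGEDATE') == '1',
        'fake_message': fake_message,
        'fake_message_icon': MB_ICON_FLAGS.get(int(cfg.get('MSGICON', '0'))),
    }

def userinit_extras(userinit_value):
    # Everything in the comma-separated Winlogon UserInit value other than the
    # stock userinit.exe is a logon-time persistence candidate worth inspecting.
    entries = [e.strip() for e in userinit_value.split(',') if e.strip()]
    return [e for e in entries if ntpath.basename(e).lower() != 'userinit.exe']

if __name__ == '__main__':
    for key, value in derive_indicators(parse_darkcomet_config(SAMPLE_CONFIG)).items():
        print(key, '=', value)
```

Running the script prints the derived indicators for the sample; feeding userinit_extras the UserInit value from the IOC list returns every entry other than the stock userinit.exe, which is the check to run across an estate when hunting for this persistence method.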
\r\nRegistry entry creation\r\nDLL Loading and Function Resolution\r\nDarkComet obtains handles to modules (DLLs) such as kernel32.dll and user32.dll and resolves from them the functions it needs for the capabilities described below.\r\nModule handle retrieval for DLL\r\nRAT Functionalities\r\nDarkComet has a range of capabilities for manipulating the infected system and gathering information, including functions for simulating user input, capturing data, and interacting with the system’s display and clipboard.\r\nSimulating Mouse and Keyboard Actions\r\nDarkComet uses the mouse_event function to synthesize mouse motion and button clicks.\r\nimplementation of mouse_event\r\nThis lets the attacker interact with the system as if a local user were moving the mouse.\r\nDarkComet synthesizing the mouse motion and button clicks\r\nThe malware also simulates keyboard events with the keybd_event function, so the operator can type into the user’s session, enter data, or trigger actions without the user’s knowledge.\r\nImplementation of the keybd_event function\r\nCapturing Keyboard Inputs\r\nThe malware calls GetKeyboardType(0) to determine the type of the primary keyboard. A return value of 7 means a Japanese keyboard (the other values identify IBM PC/XT, PC/AT, enhanced 101/102-key, Olivetti and Nokia layouts), which matters for how key codes map to characters.\r\nDarkComet retrieving information about the current keyboard\r\nThe next function captures keystrokes from the user, allowing the malware to record input without the user noticing.\r\nKeyboard input capture\r\nThe function used by DarkComet processes each character input (ch), which may represent a printable key or a special command. 
It applies a series of conditional checks and actions based on the character’s value.\r\nThe malware uses VkKeyScanA(ch) to translate a character into a virtual-key code: the low byte of the result is the VK code and the high byte carries the Shift, Ctrl and Alt state needed to produce that character. This is the mapping the keybd_event path needs to type operator-supplied text into the session, and it lets the RAT treat incoming characters either as keystrokes to replay or as commands to execute.\r\nConversion of characters into keystrokes\r\nSystem and Display Information\r\nThe malware uses the EnumDisplayDevicesA function to enumerate the display devices attached to the system.\r\nRetrieving Display information connected to the system\r\nDarkComet also reads the clipboard, requesting format 0xE (14), which is CF_ENHMETAFILE, the enhanced metafile (EMF) vector-graphics format. Text on the clipboard lives in other formats (CF_TEXT is 1 and CF_UNICODETEXT is 13), so this particular call targets copied graphics; clipboard access in general lets the RAT exfiltrate or tamper with whatever the user has copied.\r\nRetrieving data from the clipboard\r\nC2 Commands and Remote Control\r\nDarkComet receives instructions from its Command and Control (C2) server and carries them out on the victim. The commands give the attacker direct control over the malware’s behavior and include actions such as:\r\nData exfiltration: retrieving files or information from the infected system.\r\nSystem manipulation: changing system settings, managing services, or terminating processes.\r\nAdditional payload delivery: downloading and running further malicious software on the infected system.\r\nSee Appendix I for the command strings extracted from the sample; which of them an operator actually issues can reveal the attacker’s objectives and tactics.\r\nConclusion\r\nDarkComet is a highly capable Remote Access Trojan (RAT) that remains a threat because of its stealthy behavior and extensive feature set. 
It allows attackers to control infected systems remotely, steal sensitive information, and install additional malware.\r\nThis analysis has shown how DarkComet hides its components by setting the hidden and system file attributes, persists through Run and Winlogon registry values, and enables privileges on its own access token. It fingerprints the host, including the hardware profile and location settings, and communicates with a command-and-control (C2) server that can issue a wide range of commands, from capturing keystrokes to enumerating display devices.\r\nThe malware’s functionality, including its ability to modify system settings, simulate user input, and manage services, makes it a versatile tool for attackers. Its ease of use, coupled with a rich set of RAT features, has contributed to its widespread deployment, including in targeted attacks.\r\nAbout ANY.RUN\r\nANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.\r\nWith ANY.RUN you can:\r\nDetect malware in seconds.\r\nInteract with samples in real time.\r\nSave time and money on sandbox setup and maintenance.\r\nRecord and study all aspects of malware behavior.\r\nCollaborate with your team.\r\nScale as you need. 
\r\nAppendix I\r\nIOCs\r\nHashes\r\nmd5: 1b540a732f2d75c895e034c56813676a\r\nsha1: 0dd8c542fd46dd5b55eefcf35382ee8903533703\r\nsha256: 90d3dbe2c8ae46b970a865f597d091688e7c04c7886a1ec287e4b7a0f5e2fcf1\r\nC2\r\n8[.]tcp[.]eu[.]ngrok[.]io[:]27791\r\nMutex\r\nDC_MUTEX-D1SPNDG\r\nRegistry values\r\n\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit = “C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe”\r\n\\REGISTRY\\USER\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroUpdate = “C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe”\r\nDropped executable file\r\nC:\\Users\\admin\\Documents\\MSDCSC\\msdcsc.exe\r\nTTPs\r\nTACTIC | TECHNIQUE | MITRE ATT\u0026CK ID\r\nPersistence | Boot or Logon Autostart Execution | T1547\r\nPersistence | Registry Run Keys / Startup Folder | T1547.001\r\nPersistence | Winlogon Helper DLL | T1547.004\r\nPrivilege Escalation | Boot or Logon Autostart Execution | T1547\r\nPrivilege Escalation | Registry Run Keys / Startup Folder | T1547.001\r\nPrivilege Escalation | Winlogon Helper DLL | T1547.004\r\nDefense Evasion | Modify Registry | T1112\r\nDefense Evasion | Hide Artifacts | T1564\r\nDefense Evasion | Hidden Files and Directories | T1564.001\r\nDiscovery | Query Registry | T1012\r\nDiscovery | System Information Discovery | T1082\r\nDiscovery | System Location Discovery | T1614\r\nDiscovery | System Language Discovery | T1614.001\r\nCommand and Control | Web Service | T1102\r\nCommands\r\nGetSIN\r\nRefreshSIN\r\nRunPrompt\r\nGetDrives\r\nGetSrchDrives\r\nGetFileAttrib\r\nKillProcess\r\nGetAppList\r\nGetServList\r\nStartServices\r\nStopServices\r\nRemoveServices\r\nInstallService\r\nGetStartUpList\r\nActiveOnlineKeylogger\r\nActiveOfflineKeylogger\r\nGetOfflineLogs\r\nShutdown\r\nRestartComp\r\nLogOffComp\r\nPowerOff\r\nGetFullInfo\r\nGetSystemInfo\r\nOpenWebPage\r\nPrintText\r\nGetTorrent\r\nGetPrivilege\r\nTraceRoute\r\n#BOT#VisitUrl\r\n#BOT#OpenUrl\r\n#BOT#Ping\r\n#BOT#RunPrompt\r\n#BOT#CloseServer\r\n#BOT#SvrUninstall\r\n#BOT#URLUpdate\r\nDOWNLOADFILE\r\nUPLOADFILE\r\nACTIVEREMOTESHELL\r\nDESKTOPCAPTURE\r\nWEBCAMLIVE\r\nWIFI\r\nCHAT\r\nFTPFILEUPLOAD\r\nMostafa ElSheimy\r\nMostafa ElSheimy is a malware reverse engineer and threat intelligence analyst, specializing in analyzing TTPs (Tactics, Techniques, and Procedures) and crafting YARA rules to detect and counter cyber threats. Mostafa's work focuses on dissecting malware to uncover hidden dangers and protect organizations from emerging threats. Find him on X and LinkedIn.\r\nSource: https://any.run/cybersecurity-blog/darkcomet-rat-technical-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://any.run/cybersecurity-blog/darkcomet-rat-technical-analysis/"
	],
	"report_names": [
		"darkcomet-rat-technical-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434199,
	"ts_updated_at": 1775791267,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0f55bfd468e0c87eb6dd149d9a2f9d779c1b255e.pdf",
		"text": "https://archive.orkl.eu/0f55bfd468e0c87eb6dd149d9a2f9d779c1b255e.txt",
		"img": "https://archive.orkl.eu/0f55bfd468e0c87eb6dd149d9a2f9d779c1b255e.jpg"
	}
}