DarkComet 5.3.0 RAT | Joachim De Zutter
August 2012

Reverse connection Remote Access Tool (RAT).

Download URLs for a trojan created with a file binder were distributed by 64.250.115.3 and 64.250.115.126

An executable file was created under %TEMP%\Software\ (directory has attribute hidden)
Filesize: 336896
MD5: a4aa4e651a17e1eb650a46e1c34c86a7
SHA1: afb4ee328c5e2acd095f74deaf28d55b6c29e767
SHA256: 3ab4b1b6bf819a986a28ba7937ae2f414b191f3b00d153bd731428c89f37d455
Established a TCP connection to 64.250.115.126 on port 100

or
Filesize: 336896
MD5: 866943af2d0ca89712af0106a0a57031
SHA1: 5a8cb8992a073b69145fb8341b8e0632644aaccc
SHA256: dc36f38246ff85d7377ca19483b70c164ad4e18581b27aa0397dcbf5cfe4fce9
Established a TCP connection to 64.250.115.3 on port 1604

Sent a TCP packet containing BF7CAB464EFB

The hex-encoded strings in the TCP packets are RC4 encrypted; the RC4 keystream, which is the same for every packet and is XORed with each packet's plaintext, begins with

After some decryption / decoding, the string "infoesIrc|5.5.0.1 /" [...] " -- |12/08/2012 at 21:34:01|5.3.0" was obtained from one of the packets, indicating that the RAT is DarkComet version 5.3.0
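The decoding step behind the two observations above (hex-encoded RC4 payloads that all start from the same keystream, and a recognisable version banner inside one of them), as an added Python example that is not part of the original analysis: because every packet is XORed with the same keystream, one packet with a known plaintext prefix leaks that keystream prefix, which then decodes the start of every other packet. The key, the packets and the plaintexts in the block are constructed placeholders, not the values from the real sample.

```python
# Added example (not part of the original analysis): decoding hex-encoded,
# RC4-encrypted TCP payloads where the keystream restarts for every packet.
# DEMO_KEY, BANNER and the two packets are CONSTRUCTED placeholders.
from binascii import hexlify, unhexlify

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4_hex(key: bytes, data: bytes) -> str:
    """Encrypt one packet with RC4 (fresh keystream per packet) and hex-encode it."""
    ks = rc4_keystream(key, len(data))
    return hexlify(bytes(a ^ b for a, b in zip(data, ks))).decode().upper()

def keystream_from_known_plaintext(hex_packet: str, known_prefix: bytes) -> bytes:
    """Same keystream for every packet => a packet whose start is known
    (e.g. a version banner) leaks the keystream prefix: ks = ct XOR pt."""
    ct = unhexlify(hex_packet)[: len(known_prefix)]
    return bytes(a ^ b for a, b in zip(ct, known_prefix))

def decrypt_prefix(hex_packet: str, keystream_prefix: bytes) -> bytes:
    """Decode as much of another packet as the recovered keystream prefix covers."""
    ct = unhexlify(hex_packet)
    return bytes(a ^ b for a, b in zip(ct, keystream_prefix))

# Constructed demo traffic: placeholder key, two packets "captured" from it.
DEMO_KEY = b"PLACEHOLDER-KEY-NOT-THE-REAL-ONE"
BANNER = b"infoesIrc|5.5.0.1 /"          # banner-style plaintext as seen in the analysis
PKT_BANNER = rc4_hex(DEMO_KEY, BANNER + b"|demo-host|5.3.0")
PKT_SHORT = rc4_hex(DEMO_KEY, b"KEEPALIVE")

def demo() -> bytes:
    """Recover the keystream prefix from the banner packet, decode the other one."""
    ks = keystream_from_known_plaintext(PKT_BANNER, BANNER)
    return decrypt_prefix(PKT_SHORT, ks)   # -> b"KEEPALIVE"
```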

http://www.utrace.de/?query=64.250.115.126
http://www.utrace.de/?query=64.250.115.3
Provider: Genesis Adaptive, Organisation: ServerGurus, LLC, Region: Libertyville (United States)

A copy of the executable file named bcdprov.exe was created under %TEMP%\ (attribute hidden)

A file named audiadg.exe was created under %USERPROFILE%\Templates\ (attribute hidden)
Filesize: 10752
MD5: ea196209244297c543ec542109c9a9b9
SHA1: 48a843f194b89c8ccd547ea4ab7e1a24898c6cd9
SHA256: 644e2a74e866baaffe2cf3ac6107547769ff77614b5ffeacb64245b114d9870b
A startup key for audiadg.exe was created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run