DarkComet RAT

✨ deeznutz

✨ Master ✨
Staff member
May 15, 2017
DarkComet RAT - in common "Comet" was created in 2008, in 2012 the project was closed, because The author considered that his tool was used not for good purposes, but for the purposes of hacking and hacking. Fearing responsibility, the author stopped developing DarkComet RAT and the project was frozen. Although it seems to me that initially it was created as a client part of the virus, and not as a utility, although maybe I am mistaken.

What does RAT stand for?

RAT - rat (English). Under the abbreviation RAT, there is a Trojan designation that is not very pleasant for each user, with which an attacker can gain remote access to the computer. Many people mistakenly translate this abbreviation as the Remote Administration Tool - a tool for remote administration, but in fact the abbreviation RAT means Remote Access Trojan - a Trojan program for remote access.
How does the RAT program work?
RAT consists of two parts: client and server. In the RAT program itself (Client) that runs on the attacker's computer, a server program is created which is sent to the victim. After the victim starts, a remote computer (host) appears in the client’s program window, to which you can remotely connect. From this moment on, the victim's computer is under the complete control of the intruder.

Configuring Dark Comet: prepare the server module

We pass along the path:

DarkComet-RAT - Server module - Full editor (expert)


expert mode settings

By clicking we get into the settings window of the module that will function on the side of the victim. The third (conditionally) quadrant of the program window contains settings that the administrator must change in stages. So:


dark comet settings

  • Main Settings - Basic Settings
  • Network Settings - Network Settings
  • Module Startup - Module Startup
  • Install Message - Message after successful installation
  • Module Shield - Module Security
  • Keylogger - Keyboard Interceptor
  • Hosts File - hosts configuration file
  • Add plugins - Add Plugins
  • File Binder - file folder (a trojan can be pasted to it)
  • Choose Icon - Choose Label
  • Stub Finalization - Completion
Main Settings

In this window, we need to set a password to encrypt traffic. However, the same password must be duplicated in the settings by the hacker (otherwise he will not see a single client). Generate server ID, change profile name, process mutex. The bottom of the Active FWB window contains three firewall bypass points (however, the program itself warns that it is better not to activate the setting if you are going to encrypt the client, use it in the sandbox and if the computer on which the client will work will not be protected by the firewall). The Main Settings window is configured in the interests of the administrator, the rest relate to the victim's computer.
Network Settings

In it we select the IP address to which the information will come, and the port number. ADD buttonyou can add multiple IP addresses — a hell of a useful setting, but don’t neglect it: outgoing traffic to a bunch of addresses is a noticeable operation even for an amateur victim. But when testing a program, it is an invaluable setting. We will return to it with specific examples.
As for the port number. The one that defaults is immediately discarded and selected in the range up to 1000. This port should be open for receiving primarily on your computer, so we need to forward the installed port as well.

Module Startup
Here you can set up client settings that cannot be considered harmless: thanks to them, the program rightly falls into the category of full-fledged Trojans. So, activate the module (the client will run on the victim’s computer along with Windows). Immediately activate the other settings Dark Comet. A hacker can select several endpoints to store the trojan body: they are visible by clicking on the Install Path button . This is the Documents folder, Desktop, Windows folder, cookies, etc. If you exercise, the name ( Install Name ) and the location of the file will not matter. If the attack is being prepared more carefully - the hacker will hide the Trojan in the folder a little deeper, and call it familiar to any user, so as not to arouse suspicion:


how to hide the dark comet

I repeat, this is the most “tasty” window in which you can select the following Trojan parameters:

  • Melt file after first execution - after launching the file will disappear from the victim’s sight
  • Change the creation date - the date of file creation in its description will be what you set - the most important moment in the opponent’s distraction
  • Persistence Installation option - forced installation - a mandatory option for a hacker.
Finally, the lower part of the settings window. Installed module file attributes sets the two most important attributes for the file itself and the parent folder: Hidden, System.
Install Message window - here you can attach a message that will be reflected in the program window after installing the program, if everything went as it should:


A message from the dark comet

Module Shield section is also very important for a hacker. This window allows you to sequentially:


protection of the module Dark Comet

Yes, theoretically, you can hide the Trojan so deep that you will not find it later. However, any more or less competent user can immediately suspect that something is wrong: UAC is silent, the firewall is turned off, the Task Manager does not work ... It is not suitable anywhere.


This window allows you to intercept typed characters from the keyboard, then sending logs to the specified address. Please note that the window for selecting the FTP path can be omitted:


dark comet keyloger

Hosts file settings allow you to replace the .hosts file of the same name.

A serious application in which a hacker can send a victim only to specific sites or, conversely, prohibit visits to others or even completely disconnect from the Internet.
Let us skip the Add plugins and File Binder plug-ins so far - I promise to return to them because they will expand the Trojan and stick it to the desired file: now only the Dark Comet setting is considered as a Trojan's body. Also deliberately skip the icons offered in Choose Icone - they are antediluvian and catch the eye.
Stub Finalization
Finishes the Trojan module settings. Offers a choice of execution version of the Trojan: in what form it starts. Here is:

  • .exe file - the trojan will be presented as a small utility
  • . com - in the form of a DOS utility (without an icon anywhere)
  • . bat - batch file (no icon anywhere)
  • . pif - DOS utility shortcut (on modern versions it is very striking)
  • . scr - as a screen saver
With the possibility of compression, everything is clear: I still do not see much sense in these settings, although the file to which the Trojan will be glued may be of small size itself. So at discretion. Link to the fake Trojan under the picture at the top of the article.

There is also no need to create a patch - Dark Comet has not been updated for a long time (they say, the creator has big problems with the creation of the program). It remains for us to save the profile for each of the settings - if these settings are not sharpened by the hacker for any specific purpose, but are tried, for example, as an option for many potential victims (according to the “who gets caught” principle), the hacker will try the Trojan in as many as possible cases and in different areas of the network.
The general Dark Comet setup is complete. Creating a Trojan module will start when you click the lowest button, Build the stub. The process will be displayed immediately in the window:

Top Bottom