File Identity
| Field | Value |
|---|---|
| SHA256 | 01e521b7dea93a8eb80883d7bc535dedc2a09eeb981729fd46f4ee677900c64e |
| Lure Name | Facebook.exe (Facebook social media lure) |
| Size | 775,168 bytes |
| Language | Delphi (Borland/Embarcadero) |
| String Count | 5,584 |
Family Detection Signatures
DCMUTEX -- DarkComet's SIGNATURE mutex
SOFTWARE\Borland\Delphi\RTL -- Delphi runtime confirmation
TScreenCapture -- screen capture module (Delphi class)
TRemoteShell -- remote shell module
PLUGIN / NUntPluginsData -- plugin system
UntKeylogger -- keylogger unit
UntScreenCapture -- screen capture unit
UntRemoteShell -- remote shell unit
untstartup -- startup / persistence module
Keylogger Command Strings
ActiveOnlineKeylogger -- enable live keylogging
UnActiveOnlineKeylogger -- stop live keylogging
KeylogOn -- start keylogging
ActiveOfflineKeylogger -- offline keylogger mode
UnActiveOfflineKeylogger -- stop the offline keylogger
ActiveOnlineKeyStrokes -- monitor keystrokes in real time
UnActiveOnlineKeyStrokes -- stop real-time monitoring
C2 Configuration
127.0.0.1:1604 -- DarkComet default C2 IP:port
-- 1604 is DarkComet's signature port
-- 127.0.0.1 = compiled in test/development mode
Persistence
SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ -- Registry startup
SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\ -- Startup folder
Hosts File Manipulation
drivers\etc\hosts "I wasn't able to open the hosts file, maybe because UAC is enabled..." -- DarkComet attempts to modify the hosts file (DNS hijacking)
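A string-based triage check built from the indicators listed above (family signature strings, keylogger command strings, the IP:port C2 configuration, the MSConfig startup keys and the hosts-file path). This is an added example, not part of the original report or of any analysis tooling; the input strings are constructed to stand in for the output of a strings extraction, and the scoring thresholds are an assumption of this example.

```python
import re
from typing import Dict, List

# Family signature strings from the report. "PLUGIN" and the Delphi RTL key
# are left out because they are too generic to count as family evidence.
FAMILY_SIGNATURES = [
    "DCMUTEX",
    "TScreenCapture",
    "TRemoteShell",
    "NUntPluginsData",
    "UntKeylogger",
    "UntScreenCapture",
    "UntRemoteShell",
    "untstartup",
]

# Keylogger command strings from the report.
KEYLOGGER_COMMANDS = [
    "ActiveOnlineKeylogger",
    "UnActiveOnlineKeylogger",
    "KeylogOn",
    "ActiveOfflineKeylogger",
    "UnActiveOfflineKeylogger",
    "ActiveOnlineKeyStrokes",
    "UnActiveOnlineKeyStrokes",
]

# Persistence locations from the report.
PERSISTENCE_KEYS = [
    "SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg\\",
    "SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupfolder\\",
]

DELPHI_RTL_KEY = "SOFTWARE\\Borland\\Delphi\\RTL"
DARKCOMET_DEFAULT_PORT = 1604

# An IPv4 host:port pair as stored in the sample's configuration block.
C2_PATTERN = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def extract_c2(strings: List[str]) -> List[Dict[str, object]]:
    """Return every IP:port string, flagging the default port and loopback hosts."""
    found = []
    for s in strings:
        m = C2_PATTERN.match(s.strip())
        if not m:
            continue
        host, port = m.group(1), int(m.group(2))
        if port > 65535:
            continue
        found.append({
            "host": host,
            "port": port,
            "default_port": port == DARKCOMET_DEFAULT_PORT,
            # 127.x.x.x means a test/development build, not a live controller.
            "loopback": host.startswith("127."),
        })
    return found


def triage(strings: List[str]) -> Dict[str, object]:
    """Match extracted strings against the DarkComet indicators and give a verdict."""
    present = set(strings)
    family_hits = [s for s in FAMILY_SIGNATURES if s in present]
    keylog_hits = [s for s in KEYLOGGER_COMMANDS if s in present]
    persist_hits = [k for k in PERSISTENCE_KEYS if any(k in s for s in strings)]
    c2 = extract_c2(strings)
    # Assumed rule: the mutex alone is decisive; otherwise require three family
    # strings together with the signature port 1604.
    is_darkcomet = "DCMUTEX" in family_hits or (
        len(family_hits) >= 3 and any(c["default_port"] for c in c2)
    )
    return {
        "darkcomet": is_darkcomet,
        "delphi": any(DELPHI_RTL_KEY in s for s in strings),
        "family_strings": family_hits,
        "keylogger_commands": keylog_hits,
        "persistence": persist_hits,
        "c2": c2,
        "hosts_file_access": any("drivers\\etc\\hosts" in s for s in strings),
    }


# Constructed sample input: a subset of the strings the report lists.
SAMPLE_STRINGS = [
    "SOFTWARE\\Borland\\Delphi\\RTL",
    "DCMUTEX",
    "TScreenCapture",
    "UntKeylogger",
    "ActiveOnlineKeylogger",
    "KeylogOn",
    "127.0.0.1:1604",
    "SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg\\",
    "drivers\\etc\\hosts",
    "Facebook.exe",
]

# Constructed benign Delphi binary strings, to show the check does not fire on Delphi alone.
BENIGN_STRINGS = ["SOFTWARE\\Borland\\Delphi\\RTL", "TForm1", "192.168.1.10:8080"]

if __name__ == "__main__":
    for name, strs in (("sample", SAMPLE_STRINGS), ("benign", BENIGN_STRINGS)):
        print(name, triage(strs))
```

The Delphi RTL key is reported separately from the family verdict on purpose: it only tells you the compiler, and a loopback C2 address is reported but not treated as a live indicator.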
About DarkComet
DarkComet is a Delphi RAT family developed in France by Jean-Pierre Lesueur (DarkCoderSc) and active between 2008 and 2012. The developer halted the project after its use by government actors against activists was detected during the 2012 Syrian civil war. However, its forks and clones are still in active use.
IOC
| Field | Value |
|---|---|
| SHA256 | 01e521b7dea93a8eb80883d7bc535dedc2a09eeb981729fd46f4ee677900c64e |
| Mutex | DCMUTEX (DarkComet signature) |
| C2 Port | 1604 (DarkComet default) |
| Language | Delphi (Borland) |
| Lure | Facebook.exe |
DarkComet — Malware Profile
DarkComet RAT, Delphi-based. Facebook.exe used as a social media disguise. IAMStreamConfig4 DirectShow interface for webcam/microphone capture. MSConfig startup persistence.
Technical Details
Delphi, TCP custom protocol, keylogger (KEYLOGGER_PASSIVE/ACTIVE), screen capture, webcam/microphone, file manager, registry editor, remote shell, FTP-like file transfer
Capabilities & Behavior
IOC List (1 indicator)
# SHA256
01e521b7dea93a8eb80883d7bc535dedc2a09eeb981729fd46f4ee677900c64e
| Type | Value | Note |
|---|---|---|
| sha256 | 01e521b7dea93a8eb80883d7bc535dedc2a09eeb981729fd46f4ee677900c64e | |
C2 Servers (1 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| dkcomet.dedyn.io | domain | 1604 | TCP | inactive | DE |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.