Infamous DarkComet RAT Remote Access Trojan or Remote Administration Tool PCAP Traffic Sample

January 29, 2016

Download Darkcomet PCAP sample : darkcomet.pcap


DarkComet is a remote access Trojan (RAT) developed by Jean-Pierre Lesueur (known as DarkCoderSc), an independent programmer and computer security coder from France.[1] The developer does not call it a "remote access Trojan" but rather a "remote administration tool". Although it was written back in 2008, it began to proliferate at the start of 2012.
DarkComet lets the operator control the compromised system through a graphical user interface (GUI). Many of its features could serve a legitimate remote-help tool; many others are only useful for abuse. DarkComet is commonly used to spy on victims by taking screen captures, logging keystrokes, or stealing saved passwords.

The tcpdump-style excerpt below shows the first packets of the capture. The host 172.16.253.130 completes a TCP handshake with 64.235.43.131 on port 80 and sends a 72-byte request that consists of nothing but the request line and a Host header (no User-Agent): GET /a.php?id=<value>, where the id parameter is a base64 string that decodes to an e-mail address. The server answers with a one-byte body, "0". The same response segment (seq 1:169, length 168) appears a second time about 100 ms later; this is a retransmission, not a second reply. Note also that the server's Date header (September 2013) disagrees with the capture timestamps (February 2013), so one of the two clocks is wrong and the packet timestamps should not be taken as the date of the infection.

2013-02-03 21:49:45.027320 IP 172.16.253.130.1066 > 64.235.43.131.80: Flags [S], seq 2358992932, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2013-02-03 21:49:45.139070 IP 64.235.43.131.80 > 172.16.253.130.1066: Flags [S.], seq 1557609149, ack 2358992933, win 64240, options [mss 1460], length 0
2013-02-03 21:49:45.139138 IP 172.16.253.130.1066 > 64.235.43.131.80: Flags [.], ack 1, win 64240, length 0
2013-02-03 21:49:45.139315 IP 172.16.253.130.1066 > 64.235.43.131.80: Flags [P.], seq 1:73, ack 1, win 64240, length 72: HTTP: GET /a.php?id=c2ViYWxpQGxpYmVyby5pdA== HTTP/1.1
GET /a.php?id=c2ViYWxpQGxpYmVyby5pdA== HTTP/1.1
Host: 64.235.43.131

2013-02-03 21:49:45.139579 IP 64.235.43.131.80 > 172.16.253.130.1066: Flags [.], ack 73, win 64240, length 0
2013-02-03 21:49:45.264212 IP 64.235.43.131.80 > 172.16.253.130.1066: Flags [P.], seq 1:169, ack 73, win 64240, length 168: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Mon, 09 Sep 2013 00:39:31 GMT
Server: Apache/2.4.4 (Win32) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Length: 1
Content-Type: text/html

0
2013-02-03 21:49:45.342001 IP 172.16.253.130 > 224.0.0.22: igmp v3 report, 1 group record(s)
2013-02-03 21:49:45.364096 IP 64.235.43.131.80 > 172.16.253.130.1066: Flags [P.], seq 1:169, ack 73, win 64240, length 168: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Mon, 09 Sep 2013 00:39:31 GMT
Server: Apache/2.4.4 (Win32) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Length: 1
Content-Type: text/html

0
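The following script is an added example, not part of the original post or of DarkComet itself. It parses tcpdump summary lines like the ones above, pulls out the HTTP request, base64-decodes the id query parameter, and reports payload-carrying segments whose sequence range repeats within a flow (which is how the second 200 OK above shows up as a retransmission). The sample input is the TCP summary lines from the capture, embedded as a constructed string with the hex/ASCII dump lines and the IGMP report left out; the function names are this example's own.

```python
import base64
import binascii
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed input: the TCP summary lines of the tcpdump output above, with the
# ASCII dump lines and the IGMP report removed.
SAMPLE_TCPDUMP = """\
2013-02-03 21:49:45.027320 IP 172.16.253.130.1066 > 64.235.43.131.80: Flags [S], seq 2358992932, win 64240, options [mss 1460,nop,nop,sackOK], length 0
2013-02-03 21:49:45.139070 IP 64.235.43.131.80 > 172.16.253.130.1066: Flags [S.], seq 1557609149, ack 2358992933, win 64240, options [mss 1460], length 0
2013-02-03 21:49:45.139138 IP 172.16.253.130.1066 > 64.235.43.131.80: Flags [.], ack 1, win 64240, length 0
2013-02-03 21:49:45.139315 IP 172.16.253.130.1066 > 64.235.43.131.80: Flags [P.], seq 1:73, ack 1, win 64240, length 72: HTTP: GET /a.php?id=c2ViYWxpQGxpYmVyby5pdA== HTTP/1.1
2013-02-03 21:49:45.139579 IP 64.235.43.131.80 > 172.16.253.130.1066: Flags [.], ack 73, win 64240, length 0
2013-02-03 21:49:45.264212 IP 64.235.43.131.80 > 172.16.253.130.1066: Flags [P.], seq 1:169, ack 73, win 64240, length 168: HTTP: HTTP/1.1 200 OK
2013-02-03 21:49:45.364096 IP 64.235.43.131.80 > 172.16.253.130.1066: Flags [P.], seq 1:169, ack 73, win 64240, length 168: HTTP: HTTP/1.1 200 OK
"""

# Fixed prefix of every TCP summary line: timestamp, endpoints, flags.
HEAD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
# The rest varies (SYNs carry options, pure ACKs carry no seq), so search for it.
SEQ_RE = re.compile(r"\bseq (\d+(?::\d+)?)")
LEN_RE = re.compile(r"\blength (\d+)")
HTTP_RE = re.compile(r": HTTP: (.+)$")


def parse_tcpdump(text):
    """Turn tcpdump TCP summary lines into dicts. Lines that do not match the
    TCP prefix (IGMP, ARP, ASCII dump lines) are skipped."""
    records = []
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        seq = SEQ_RE.search(line)
        rec["seq"] = seq.group(1) if seq else None
        ln = LEN_RE.search(line)
        rec["length"] = int(ln.group(1)) if ln else 0
        http = HTTP_RE.search(line)
        rec["http"] = http.group(1) if http else None
        records.append(rec)
    return records


def decode_id(value):
    """Base64-decode a beacon id. Returns None when the value is not valid
    base64 or not printable ASCII, so an unexpected token is reported
    rather than silently mangled."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def extract_requests(records):
    """Collect HTTP request lines from the client->server segments and decode
    the base64 'id' query parameter this sample uses."""
    requests = []
    for rec in records:
        if not rec["http"] or rec["http"].startswith("HTTP/"):
            continue  # no HTTP text, or a server status line rather than a request
        fields = rec["http"].split()
        if len(fields) < 2:
            continue
        parts = urlsplit(fields[1])
        ids = parse_qs(parts.query).get("id", [])
        requests.append({
            "ts": rec["ts"],
            "client": f'{rec["src"]}:{rec["sport"]}',
            "server": f'{rec["dst"]}:{rec["dport"]}',
            "method": fields[0],
            "path": parts.path,
            "id_b64": ids[0] if ids else None,
            "id_decoded": decode_id(ids[0]) if ids else None,
        })
    return requests


def find_retransmissions(records):
    """Return (src, sport, dst, dport, seq) keys of payload-carrying segments
    that occur more than once: the second '200 OK' in the capture is one."""
    seen = Counter(
        (r["src"], r["sport"], r["dst"], r["dport"], r["seq"])
        for r in records if r["length"] > 0
    )
    return sorted(key for key, n in seen.items() if n > 1)


def analyze(text):
    records = parse_tcpdump(text)
    return {
        "requests": extract_requests(records),
        "retransmissions": find_retransmissions(records),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_TCPDUMP)
    for req in result["requests"]:
        print(f'{req["ts"]} {req["client"]} -> {req["server"]} '
              f'{req["method"]} {req["path"]} id={req["id_b64"]} '
              f'decoded={req["id_decoded"]!r}')
    for key in result["retransmissions"]:
        print("retransmitted segment:", key)
```

To run it against the real sample, feed it the summary lines from `tcpdump -nn -r darkcomet.pcap 'tcp port 80'` instead of the embedded string; the parser ignores anything that is not a TCP summary line, so the `-A` dump lines can stay in the input.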
