DarkComet RAT Malware Hidden Inside Fake Bitcoin Tool
Nov. 14, 2025, 12:46 p.m.
Description
A malware analysis reveals the reemergence of DarkComet RAT disguised as a Bitcoin-related application. The malware, packed with UPX to evade detection, is distributed as a RAR archive containing an executable file. Once unpacked, it installs itself as 'explorer.exe' in the user's AppData folder and creates a registry run key for persistence. The RAT's configuration shows its command and control server as 'kvejo991.ddns.net' on port 1604. It employs keylogging, storing captured keystrokes in a 'dclogs' folder. The malware's process behavior includes spawning multiple cmd.exe and conhost.exe processes, and injecting its payload into notepad.exe for stealth. Despite its age, DarkComet remains a potent threat, especially when combined with cryptocurrency lures.
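The behaviours and indicators listed in this entry translate directly into a host-based hunt. The following script is an added example written for this page, not code from the analysis it summarizes: it checks constructed endpoint telemetry (file, registry, network and process events with assumed field names) against the hashes, C2 host and port from this entry, plus the persistence and keylogging artefacts described above (explorer.exe under AppData, a Run key pointing at it, a dclogs folder, and child processes spawned from that binary). The event records are constructed for illustration.

```python
"""Added example (not part of the original entry): match constructed
endpoint telemetry against the DarkComet indicators and behaviours
described in the entry above. Event shapes and field names are assumed."""
import re

# SHA-256 hashes, C2 host and port copied from the entry's Indicators.
SHA256_IOCS = {
    "5b5c276ea74e1086e4835221da50865f872fe20cfc5ea9aa6a909a0b0b9a0554",
    "58c284e7bbeacb5e1f91596660d33d0407d138ae0be545f59027f8787da75eda",
    "11bf1088d66bc3a63d16cc9334a05f214a25a47f39713400279e0823c97eb377",
}
C2_HOST = "kvejo991.ddns.net"
C2_PORT = 1604

# explorer.exe living under a user's AppData tree rather than C:\Windows.
APPDATA_EXPLORER = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\.*explorer\.exe$", re.IGNORECASE)
# Keylog output folder named in the entry.
DCLOGS = re.compile(r"\\dclogs\\", re.IGNORECASE)
# Per-user or machine Run key used for persistence.
RUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run$", re.IGNORECASE)


def check_file(ev):
    hits = []
    if ev.get("sha256", "").lower() in SHA256_IOCS:
        hits.append("hash matches an indicator from this entry")
    path = ev.get("path", "")
    if APPDATA_EXPLORER.match(path):
        hits.append("explorer.exe dropped under AppData")
    if DCLOGS.search(path):
        hits.append("write into a dclogs keylog folder")
    return hits


def check_registry(ev):
    hits = []
    if RUN_KEY.search(ev.get("key", "")) and APPDATA_EXPLORER.match(ev.get("value", "")):
        hits.append("Run key pointing at AppData explorer.exe")
    return hits


def check_network(ev):
    hits = []
    if ev.get("host", "").lower() == C2_HOST:
        hits.append("destination is the C2 host from this entry")
    if ev.get("port") == C2_PORT:
        hits.append("destination port 1604 (weak signal on its own)")
    return hits


def check_process(ev):
    hits = []
    image, parent = ev.get("image", ""), ev.get("parent_image", "")
    if APPDATA_EXPLORER.match(image):
        hits.append("process started from AppData explorer.exe")
    if APPDATA_EXPLORER.match(parent):
        child = image.rsplit("\\", 1)[-1].lower()
        if child in {"cmd.exe", "conhost.exe", "notepad.exe"}:
            hits.append(f"AppData explorer.exe spawned {child}")
    return hits


CHECKS = {"file": check_file, "registry": check_registry,
          "network": check_network, "process": check_process}


def hunt(events):
    """Return only the events that produced at least one hit."""
    findings = []
    for ev in events:
        hits = CHECKS.get(ev["type"], lambda e: [])(ev)
        if hits:
            findings.append({"id": ev["id"], "hits": hits})
    return findings


# Constructed telemetry; hashes that are not in the entry are placeholders.
EVENTS = [
    {"id": 1, "type": "file", "path": r"C:\Users\alice\Downloads\BitcoinTool.exe",
     "sha256": "5b5c276ea74e1086e4835221da50865f872fe20cfc5ea9aa6a909a0b0b9a0554"},
    {"id": 2, "type": "file", "path": r"C:\Users\alice\AppData\Roaming\explorer.exe",
     "sha256": "a" * 64},
    {"id": 3, "type": "file", "path": r"C:\Users\alice\AppData\Roaming\dclogs\2025-11-14.dc",
     "sha256": "b" * 64},
    {"id": 4, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\alice\AppData\Roaming\explorer.exe"},
    {"id": 5, "type": "network", "host": "kvejo991.ddns.net", "port": 1604},
    {"id": 6, "type": "network", "host": "update.example.com", "port": 443},
    {"id": 7, "type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Users\alice\AppData\Roaming\explorer.exe"},
    {"id": 8, "type": "file", "path": r"C:\Windows\explorer.exe", "sha256": "c" * 64},
]

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding["id"], "; ".join(finding["hits"]))
```

The path and Run-key checks are the durable part of this hunt: the hashes and the dynamic DNS host will change between builds, but a copy of explorer.exe under AppData that is both registered in a Run key and parenting notepad.exe or cmd.exe is the behaviour the entry describes, whatever the sample hash.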
Tags
Date
- Created: Nov. 14, 2025, 12:09 p.m.
- Published: Nov. 14, 2025, 12:09 p.m.
- Modified: Nov. 14, 2025, 12:46 p.m.
Indicators
- 5b5c276ea74e1086e4835221da50865f872fe20cfc5ea9aa6a909a0b0b9a0554
- 58c284e7bbeacb5e1f91596660d33d0407d138ae0be545f59027f8787da75eda
- 11bf1088d66bc3a63d16cc9334a05f214a25a47f39713400279e0823c97eb377
- http://kvejo991.ddns.net:1604
- kvejo991.ddns.net