Unveiling DarkComet: In‑Depth Static & Dynamic Analysis of a Delphi RAT
This article provides a comprehensive technical breakdown of the DarkComet remote‑access trojan, covering its classification, Delphi‑based static characteristics, step‑by‑step dynamic behaviors such as hidden startup, file dropping, registry auto‑run, QQ data harvesting, SMS bombing, plus extracted IOCs and practical mitigation recommendations.
Theoretical Foundations
Trojan malware can be categorized into several types:
Remote‑control RATs that allow attackers to monitor, manipulate files, and launch network attacks.
Password‑stealing trojans that capture keystrokes or screenshots to obtain credentials.
Phishing trojans that masquerade as legitimate services to harvest sensitive data.
Ransomware trojans that encrypt user files and demand payment for decryption.
Downloader trojans that fetch additional malicious payloads such as adware.
Basic Static Analysis
The examined sample is a relatively small executable without a digital signature. Visual inspection reveals it was compiled with the Delphi programming language, a legacy environment still used in some older internal tools.
Further inspection shows the binary does not depend on external DLLs, indicating that most malicious functionality is self‑contained within the EXE.
Dynamic Analysis
1. Hidden Startup
When executed, the malware first renames the original file to ._cache_恶意样本.exe (the original file name prefixed with ._cache_, kept as a hidden cache file) and then runs the infected executable, so the original copy stays hidden from the user.
2. File Dropping
The sample creates a dedicated folder and drops additional files required for its operation.
3. Registry Auto‑Run
It writes an entry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to achieve persistence on system boot.
4. Program Launch
The malware executes a batch file that launches three auxiliary applications.
5. QQ Information Query & SMS Bombing
One of the launched components claims to query QQ‑related data and perform SMS‑bombing against specified phone numbers by repeatedly registering the numbers on targeted domains.
Functional Analysis
1. Infection Propagation
The trojan scans the user's Desktop, Downloads, and Documents folders for executable files, checks for specific sections (EXEVSNX or EXERESX), and infects matching binaries to spread laterally.
2. Hidden File Attribute
It invokes the Windows API SetFileAttributesA to mark its files as hidden, preventing casual discovery.
3. Environment Information Gathering
The malware collects system and hardware details from the infected host and uploads them to a command‑and‑control server.
4. Keylogging
Using SetWindowsHookExA, it injects a hook to capture keystrokes and forwards the logged data to the attacker.
5. Email Exfiltration
The sample uses Delphi’s built‑in mail library to send collected information via SMTP (smtp.gmail.com) to the address [email protected].
Extracted Indicators of Compromise (IOCs)
The analysis identified the following malicious IOCs:
Domain: xred.mooo.com
IP address: 124.222.126.226
Mitigation & Remediation Recommendations
Preventive Advice
Avoid downloading or executing unknown applications from the internet or social platforms.
Install reputable antivirus software and keep its signatures up to date.
Verify file size and digital signatures before running installers, or scan them with an anti‑malware tool.
Remediation Steps
Run a full system scan with an updated antivirus solution to detect and clean infected files.
Manually remove the registry Run entry that launches the malicious program and terminate its process.
Search the Desktop, Downloads, and Documents directories for executables containing the EXEVSNX or EXERESX sections; delete any matches. Alternatively, reveal hidden files and delete those prefixed with ._cache_.
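The third remediation step above, and the infection-propagation behaviour it reverses (scanning Desktop, Downloads and Documents for executables carrying the EXEVSNX or EXERESX sections), can be turned into a triage script. The following is an added example, not code from the original article: it parses the PE section table directly, so it needs no third-party module, and it also lists files whose name starts with ._cache_. The function names, the folder list and the build_minimal_pe() helper (which produces a constructed header-only image for demonstration, not a real binary) are this example's own assumptions.

```python
"""Triage helper for the DarkComet remediation steps: find executables in
Desktop, Downloads and Documents whose PE section table carries the EXEVSNX or
EXERESX marker sections, and list files prefixed with ._cache_.

Added example, not code from the original article. It parses PE headers
directly; build_minimal_pe() returns a constructed header-only image for
demonstration, not a real binary."""
import struct
from pathlib import Path

MARKER_SECTIONS = {b"EXEVSNX", b"EXERESX"}
USER_DIRS = ("Desktop", "Downloads", "Documents")
CACHE_PREFIX = "._cache_"


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The COFF file header (24 bytes including the "PE\0\0" signature) must fit.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_header_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_header_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(data):
            break  # truncated table: report what was readable
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def has_infection_marker(data: bytes) -> bool:
    """True if any section name matches the EXEVSNX / EXERESX markers."""
    return any(name in MARKER_SECTIONS for name in pe_section_names(data))


def scan_user_dirs(home: Path) -> dict:
    """Walk the three user folders; return {'infected': [...], 'cache_files': [...]}."""
    result = {"infected": [], "cache_files": []}
    for sub in USER_DIRS:
        root = home / sub
        if not root.is_dir():
            continue
        for path in root.rglob("*"):
            if not path.is_file():
                continue
            if path.name.startswith(CACHE_PREFIX):
                result["cache_files"].append(path)
            if path.suffix.lower() == ".exe":
                try:
                    data = path.read_bytes()
                except OSError:
                    continue  # locked or unreadable: skip, do not abort the sweep
                if has_infection_marker(data):
                    result["infected"].append(path)
    return result


def build_minimal_pe(section_names) -> bytes:
    """Constructed header-only PE image (DOS stub, COFF header, section table)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols,
    # SizeOfOptionalHeader=0 (optional header omitted), Characteristics
    coff_header = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos_header + coff_header + table


if __name__ == "__main__":
    demo = build_minimal_pe([b".text", b"EXEVSNX"])
    print("demo image sections:", pe_section_names(demo), "marker:", has_infection_marker(demo))
    findings = scan_user_dirs(Path.home())
    for label, paths in findings.items():
        for p in paths:
            print(f"{label}: {p}")
```

Run it as the affected user; it only reports, so the deletion decision stays with the responder, and a file that is locked by the running malware is skipped rather than aborting the sweep, which is why the Run entry and process should be removed first as the previous step says.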
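Beyond host clean-up, the domain and IP address from the IOC section above are the quickest way to find other affected machines in DNS and proxy logs. The following is an added example, not code from the original article: it matches those two indicators (exact or subdomain match for the domain) and treats the smtp.gmail.com exfiltration host as a weak, context-only indicator because legitimate mail clients use it too. The log format, the SAMPLE_LOG lines and the function names are constructed for this demonstration.

```python
"""Match the article's DarkComet network IOCs against DNS, proxy and mail log
lines and group strong hits by client.

Added example, not from the original article. The IOC values are the ones the
article lists; the log format and SAMPLE_LOG are constructed for the
demonstration and do not come from any real environment."""
import re

# Strong indicators from the article's IOC list.
IOC_DOMAINS = {"xred.mooo.com"}
IOC_IPS = {"124.222.126.226"}
# Weak indicator: the sample exfiltrates over smtp.gmail.com, which legitimate
# mail clients also use, so a hit here is context, not a verdict.
WEAK_SMTP_HOSTS = {"smtp.gmail.com"}

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3})\b")
CLIENT_RE = re.compile(r"\bclient=([0-9.]+)")

# Constructed log lines (not real traffic). The parent domain mooo.com on the
# last line is a free DDNS provider and must not be flagged on its own.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z dns client=10.0.0.12 query=xred.mooo.com type=A
2024-05-01T10:00:02Z proxy client=10.0.0.12 dst=124.222.126.226:80 method=GET path=/
2024-05-01T10:00:03Z dns client=10.0.0.15 query=www.example.com type=A
2024-05-01T10:00:04Z smtp client=10.0.0.12 dst=smtp.gmail.com:587 auth=ok
2024-05-01T10:00:05Z dns client=10.0.0.15 query=mooo.com type=A
"""


def line_indicators(line: str) -> list:
    """Return [(indicator, confidence)] found in one log line."""
    found = []
    for dom in DOMAIN_RE.findall(line):
        dom = dom.lower()
        # Exact IOC domain or any host beneath it counts as a strong hit.
        if dom in IOC_DOMAINS or any(dom.endswith("." + d) for d in IOC_DOMAINS):
            found.append((dom, "strong"))
        elif dom in WEAK_SMTP_HOSTS:
            found.append((dom, "weak"))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            found.append((ip, "strong"))
    return found


def scan_log(text: str) -> list:
    """Return [(line_no, indicator, confidence)] for every hit, 1-based line numbers."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for indicator, confidence in line_indicators(line):
            hits.append((no, indicator, confidence))
    return hits


def clients_with_strong_hits(text: str) -> set:
    """Hosts that contacted a strong IOC: the machines to isolate and sweep first."""
    clients = set()
    for line in text.splitlines():
        if any(conf == "strong" for _, conf in line_indicators(line)):
            m = CLIENT_RE.search(line)
            if m:
                clients.add(m.group(1))
    return clients


if __name__ == "__main__":
    for no, indicator, confidence in scan_log(SAMPLE_LOG):
        print(f"line {no}: {indicator} ({confidence})")
    print("clients to sweep:", sorted(clients_with_strong_hits(SAMPLE_LOG)))
```

The weak/strong split matters operationally: a workstation that resolved xred.mooo.com or connected to 124.222.126.226 should be isolated and swept with the remediation steps above, whereas an SMTP session to smtp.gmail.com from the same host only adds weight to that finding and should not trigger a response on its own.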
Sohu Tech Products