How to detect and remove a Remote Administration Tool (RAT) like DarkComet

In our previous post on DarkComet we explained that DarkComet is a very popular tool among hackers and cybercriminals, so there is a real chance that you or your relatives will come in contact with the DarkComet Remote Administration Tool or another malicious RAT.

There are also legitimate RATs available on the internet; a well-known one is the LogMeIn service, which is in fact a Remote Administration Tool.

This might sound crazy

This might sound crazy, but I strongly urge you to install an antivirus if you are trying to identify and remove malware on your device. The reason I urge you to use an antivirus is that it will not only remove the malware from your computer in the right order, it will also prevent any data leakage.

But let’s for a second imagine that your antivirus is unable to identify the DarkComet RAT.

Disconnect the Remote Administration Tool

The first thing we will do is disconnect the device from the internet. This guarantees that the cybercriminal or hacker cannot take further actions to stop us from removing the malware from the infected device.

Netstat -a

The next step is to run the “netstat -a” command in a “CMD window”. You can open the CMD window by navigating to the search option of your device and typing in “CMD”. Once you see “Command Prompt”, click on it and the CMD window will open.

Now that the CMD window has opened, you will need to provide the following command followed by “ENTER”:

netstat -a

The netstat command shows all the active connections on your device. If you see IP addresses that are still trying to connect to a service, write them down and look them up on VirusTotal and BGP.

Another good thing to look for is port “1604”; this port is used by default in the DarkComet RAT setup.
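To make the netstat check repeatable, here is an added Python script (not part of the original post) that parses a saved Windows “netstat -an” dump, flags every row touching the DarkComet default port 1604, and collects the external peers worth looking up on VirusTotal or a BGP lookup service; the netstat output below is constructed, and the “-n” switch is assumed so addresses appear numerically rather than as resolved names. A RAT whose operator changed the default port will not be caught by the port check, which is why the peer list is reported as well.

```python
"""Triage a saved Windows `netstat -an` dump for the DarkComet default port (1604)."""
import ipaddress
import re

DARKCOMET_DEFAULT_PORT = 1604  # the builder's default; an operator can change it
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Constructed sample of `netstat -an` output (not a real capture).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED
  TCP    192.168.1.23:49712     203.0.113.45:1604      ESTABLISHED
  TCP    192.168.1.23:49800     198.51.100.7:443       TIME_WAIT
  TCP    192.168.1.23:49812     203.0.113.45:1604      SYN_SENT
  UDP    0.0.0.0:5355           *:*
"""

def split_endpoint(endpoint):
    """'203.0.113.45:1604' -> ('203.0.113.45', 1604); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """One dict per connection row; the header line does not match ROW_RE and is skipped."""
    rows = []
    for m in filter(None, map(ROW_RE.match, text.splitlines())):
        lhost, lport = split_endpoint(m.group(2))
        fhost, fport = split_endpoint(m.group(3))
        rows.append({"proto": m.group(1), "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": m.group(4) or ""})
    return rows

def is_internal(host):
    """True for loopback, unspecified, link-local, RFC 1918, or non-IP text such as '*'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local or any(ip in n for n in RFC1918)

def triage(text):
    """Return (rows touching port 1604, sorted external peers in ESTABLISHED/SYN_SENT state)."""
    rows = parse_netstat(text)
    hits = [r for r in rows if DARKCOMET_DEFAULT_PORT in (r["lport"], r["fport"])]
    peers = {r["fhost"] for r in rows
             if r["state"] in ("ESTABLISHED", "SYN_SENT") and not is_internal(r["fhost"])}
    return hits, sorted(peers)
```

Save the real output with “netstat -an > netstat.txt” and pass the file contents to triage(); the returned peer list is what you look up on VirusTotal and BGP.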

MSCONFIG

The next step is to run the “MSCONFIG” command in your CMD window. This command opens the Microsoft System Configuration tool, where you can see which services and applications are started when the computer boots. Disable all the services you do not recognise.

The last step is to search for “DC-MUTEX” in your Task Manager window. Navigate to the Processes tab and look for a process that uses the “DC-MUTEX” signature.

Founder of Cyberwarzone.com.