How to recognize Trojan RAT inserted “baby”

To download the RAT and know what the RAT is, see this lesson.

Because many of you asked, today anonyviet.com I wrote this article to guide you in a few ways to know if the RAT you downloaded online has a “baby” attached to it (baby means that the RAT you downloaded has been inserted with a Trojan of your own). sharer, when you run a RAT with a baby, you yourself become a victim).

Any software that runs on your computer has an accompanying process (also known as a process). RAT is no exception, there are software with only 1 process, there are software with 2.3 processes running at the same time. However, with RAT, it has only 1 process

As you can see in the picture, when you run Darkcomet RAT, there is only one process, Darkcomet.exe. Also, there are no processes running with it. But when you run a RAT with “baby” attached, it’s different

You see in the picture that when you run a “baby” version of the RAT, in addition to the Darkcomet.exe process, there is another accompanying process, DARKCOMET.exe. Why is the clean RAT not available, but this RAT does. And yet, when you run the clean version of RAT, it only shows the menu of the RAT, but when you run the “dirty” version, it shows differently.

“Another instance of Darkcomet RAT is running on your system, do you wan’t to load another one?” If the RAT version you downloaded from the internet shows this message with a notice saying that you agree with the author’s rules, condolences, your computer has been infected with a Trojan. Because the Darkcomet RAT you downloaded has been attached to another Darkcomet RAT, the purpose is to turn your computer into a place to distribute RAT.

When you turn off Darkcomet RAT, on Taskmanager, the Darkcomet.exe process will also disappear. However, with the dirty RAT version, when you turn it off, the inserted Trojan still works.

Second, when you download Darkcomet RAT online, usually the RAT executable file is Darkcomet.exe, if you download an unknown RAT version whose executable is Darkcomet.exe.exe, you should delete it immediately.

Third, you use Process Explorer to check. When you run a RAT and see a small process associated with it, check to see if that process is listening on which port and sending data to which IP or host. You right-click the DarkcometRAT process, select Properties, switch to the TCP/IP Tab

I’m running a copy of the RAT that has been inserted with a baby, when I check it, I see that it is remote to IP: 14.176.200.9 with Port 6789. Well, Darkcomet RAT suddenly remote to this IP with this Port, only It is possible that the RAT has been inserted into the baby. Stop deleting =))