darktrack | f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8

General

Target

f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe
Size

1.8MB
MD5

b8d7e501db694d31599c44c2a11ec36b
SHA1

336aaf0207e6be6826f0e2ca7c7d5198d2619275
SHA256

f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8
SHA512

a3ff521b6e2f53f4ea72d5d15fe1c3a982fbf904de730b81120444d8c6bea5d58f1fe9669c90fe8e82e25ad0e38d810b900cdd5fe006e9d7acfd7889cf49e5c3

Score

10^/10

darktrack rat stealer

Malware Config

Signatures

DarkTrack
DarkTrack is a remote administration tool written in delphi.
rat stealer darktrack

DarkTrack Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1388-3-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/1388-4-0x00000000004635F0-mapping.dmp	family_darktrack
behavioral1/memory/1388-7-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack

Suspicious use of SetThreadContext 1 IoCs

Processes:

f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe

description	pid	process	target process
PID 1924 set thread context of 1388	1924	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe

pid process

1388 f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe

description pid process

Token: SeDebugPrivilege 1924 f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe

pid	process
1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe

description	pid	process
Token: SeDebugPrivilege	1924	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exef138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe

description	pid	process	target process
PID 1924 wrote to memory of 1388	1924	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe
PID 1924 wrote to memory of 1388	1924	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe
PID 1924 wrote to memory of 1388	1924	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe
PID 1924 wrote to memory of 1388	1924	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe
PID 1924 wrote to memory of 1388	1924	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe
PID 1924 wrote to memory of 1388	1924	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe
PID 1924 wrote to memory of 1388	1924	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe
PID 1924 wrote to memory of 1388	1924	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe
PID 1924 wrote to memory of 1388	1924	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe
PID 1924 wrote to memory of 1388	1924	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe
PID 1924 wrote to memory of 1388	1924	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe
PID 1924 wrote to memory of 1388	1924	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe
PID 1924 wrote to memory of 1388	1924	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe
PID 1924 wrote to memory of 1388	1924	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe
PID 1924 wrote to memory of 1388	1924	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe
PID 1388 wrote to memory of 1988	1388	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe
"C:\Users\Admin\AppData\Local\Temp\f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe
  C:\Users\Admin\AppData\Local\Temp\f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8.exe
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:1988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1388-3-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1388-4-0x00000000004635F0-mapping.dmp

Download
memory/1388-7-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1924-2-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1924-6-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1988-9-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1988-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads