88cabbf4309f6b749bc21ebd4e780d445ae427014413db0c5b752e734cfca427

General

Target: 88cabbf4309f6b749bc21ebd4e780d445ae427014413db0c5b752e734cfca427.exe
Filesize: 759KB
Completed: 28-02-2021 07:25
Score: 10/10
MD5: bddd8db7b2653b2282eef20419a63042
SHA1: e9c7576c0329d48b1803f87af64b5f71f7fe7143
SHA256: 88cabbf4309f6b749bc21ebd4e780d445ae427014413db0c5b752e734cfca427

Malware Config
Signatures 6

  • DarkTrack

    Description

    DarkTrack is a remote administration tool written in Delphi.

  • DarkTrack Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/756-4-0x0000000000400000-0x00000000004A4000-memory.dmp | family_darktrack
    behavioral2/memory/756-5-0x00000000004605D8-mapping.dmp | family_darktrack
    behavioral2/memory/756-6-0x0000000000400000-0x00000000004A4000-memory.dmp | family_darktrack
  • Suspicious use of SetThreadContext
    88cabbf4309f6b749bc21ebd4e780d445ae427014413db0c5b752e734cfca427.exe

    Reported IOCs

    description | pid | process | target process
    PID 640 set thread context of 756 | 640 | 88cabbf4309f6b749bc21ebd4e780d445ae427014413db0c5b752e734cfca427.exe | 88cabbf4309f6b749bc21ebd4e780d445ae427014413db0c5b752e734cfca427.exe
  • Suspicious behavior: GetForegroundWindowSpam
    88cabbf4309f6b749bc21ebd4e780d445ae427014413db0c5b752e734cfca427.exe

    Reported IOCs

    pid | process
    756 | 88cabbf4309f6b749bc21ebd4e780d445ae427014413db0c5b752e734cfca427.exe
  • Suspicious use of SetWindowsHookEx
    88cabbf4309f6b749bc21ebd4e780d445ae427014413db0c5b752e734cfca427.exe

    Reported IOCs

    pid | process
    640 | 88cabbf4309f6b749bc21ebd4e780d445ae427014413db0c5b752e734cfca427.exe
  • Suspicious use of WriteProcessMemory
    88cabbf4309f6b749bc21ebd4e780d445ae427014413db0c5b752e734cfca427.exe

    Reported IOCs

    description | pid | process | target process
    PID 640 wrote to memory of 756 | 640 | 88cabbf4309f6b749bc21ebd4e780d445ae427014413db0c5b752e734cfca427.exe | 88cabbf4309f6b749bc21ebd4e780d445ae427014413db0c5b752e734cfca427.exe
    (the row above is reported 14 times, i.e. 14 identical WriteProcessMemory events from PID 640 into PID 756)
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\88cabbf4309f6b749bc21ebd4e780d445ae427014413db0c5b752e734cfca427.exe
    "C:\Users\Admin\AppData\Local\Temp\88cabbf4309f6b749bc21ebd4e780d445ae427014413db0c5b752e734cfca427.exe"
    Suspicious use of SetThreadContext
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:640
    • C:\Users\Admin\AppData\Local\Temp\88cabbf4309f6b749bc21ebd4e780d445ae427014413db0c5b752e734cfca427.exe
      "C:\Users\Admin\AppData\Local\Temp\88cabbf4309f6b749bc21ebd4e780d445ae427014413db0c5b752e734cfca427.exe"
      Suspicious behavior: GetForegroundWindowSpam
      PID:756
Network
MITRE ATT&CK Matrix
Tactic columns (no techniques listed for this sample): Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/756-4-0x0000000000400000-0x00000000004A4000-memory.dmp
  • memory/756-5-0x00000000004605D8-mapping.dmp
  • memory/756-6-0x0000000000400000-0x00000000004A4000-memory.dmp