darktrack | dab16f86762edfad407ad17ff640eeaf0b92ef8da877d81e07c90690d142df88

Analysis

Target

ED7251FADEB9BD2A8836828F2E1B6F83.exe
Size

992KB
MD5

ed7251fadeb9bd2a8836828f2e1b6f83
SHA1

ab41a68d76147bfdb3d5ff36ae0e992e4e5b7c84
SHA256

dab16f86762edfad407ad17ff640eeaf0b92ef8da877d81e07c90690d142df88
SHA512

afd69b80a2dc68bd4b2aac2850504c6dde1e43fe19f0cfc16283814ce362aaccfe9a2023357bcd55d5f3ea2da013b80309d223fe0235788b3a1265d8f4e637d0

Score

10^/10

DarkTrack
DarkTrack is a remote administration tool written in delphi.
rat stealer darktrack

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/2380-115-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral2/memory/2380-117-0x0000000000400000-0x00000000004A8000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

ED7251FADEB9BD2A8836828F2E1B6F83.exe

description pid process target process

PID 4024 set thread context of 2380 4024 ED7251FADEB9BD2A8836828F2E1B6F83.exe ED7251FADEB9BD2A8836828F2E1B6F83.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ED7251FADEB9BD2A8836828F2E1B6F83.exe

pid process

2380 ED7251FADEB9BD2A8836828F2E1B6F83.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ED7251FADEB9BD2A8836828F2E1B6F83.exe

description pid process

Token: SeDebugPrivilege 4024 ED7251FADEB9BD2A8836828F2E1B6F83.exe

description	pid	process	target process
PID 4024 set thread context of 2380	4024	ED7251FADEB9BD2A8836828F2E1B6F83.exe	ED7251FADEB9BD2A8836828F2E1B6F83.exe

pid	process
2380	ED7251FADEB9BD2A8836828F2E1B6F83.exe

description	pid	process
Token: SeDebugPrivilege	4024	ED7251FADEB9BD2A8836828F2E1B6F83.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ED7251FADEB9BD2A8836828F2E1B6F83.exe

description	pid	process	target process
PID 4024 wrote to memory of 2380	4024	ED7251FADEB9BD2A8836828F2E1B6F83.exe	ED7251FADEB9BD2A8836828F2E1B6F83.exe
PID 4024 wrote to memory of 2380	4024	ED7251FADEB9BD2A8836828F2E1B6F83.exe	ED7251FADEB9BD2A8836828F2E1B6F83.exe
PID 4024 wrote to memory of 2380	4024	ED7251FADEB9BD2A8836828F2E1B6F83.exe	ED7251FADEB9BD2A8836828F2E1B6F83.exe
PID 4024 wrote to memory of 2380	4024	ED7251FADEB9BD2A8836828F2E1B6F83.exe	ED7251FADEB9BD2A8836828F2E1B6F83.exe
PID 4024 wrote to memory of 2380	4024	ED7251FADEB9BD2A8836828F2E1B6F83.exe	ED7251FADEB9BD2A8836828F2E1B6F83.exe
PID 4024 wrote to memory of 2380	4024	ED7251FADEB9BD2A8836828F2E1B6F83.exe	ED7251FADEB9BD2A8836828F2E1B6F83.exe
PID 4024 wrote to memory of 2380	4024	ED7251FADEB9BD2A8836828F2E1B6F83.exe	ED7251FADEB9BD2A8836828F2E1B6F83.exe
PID 4024 wrote to memory of 2380	4024	ED7251FADEB9BD2A8836828F2E1B6F83.exe	ED7251FADEB9BD2A8836828F2E1B6F83.exe

C:\Users\Admin\AppData\Local\Temp\ED7251FADEB9BD2A8836828F2E1B6F83.exe
"C:\Users\Admin\AppData\Local\Temp\ED7251FADEB9BD2A8836828F2E1B6F83.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Users\Admin\AppData\Local\Temp\ED7251FADEB9BD2A8836828F2E1B6F83.exe
  C:\Users\Admin\AppData\Local\Temp\ED7251FADEB9BD2A8836828F2E1B6F83.exe
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2380

memory/2380-115-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2380-116-0x00000000004A6880-mapping.dmp

Download
memory/2380-117-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4024-114-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download