darktrack | efe5c9a880d7e16af450070d3036d5964da8b5115c4b34db48d11ae3770f031c | Triage

Submit
Reports

Overview

overview

Static

static

efe5c9a880...1c.exe

windows7_x64

efe5c9a880...1c.exe

windows10-2004_x64

Sharing

General

Target

efe5c9a880d7e16af450070d3036d5964da8b5115c4b34db48d11ae3770f031c
Size

1.1MB
Sample

220313-mrvzjagbap
MD5

ab0dbb40ce1b6355c77ffa790626ac98
SHA1

cb40fe0d6ad103d38e3761d0d5f56e3aebdc80c6
SHA256

efe5c9a880d7e16af450070d3036d5964da8b5115c4b34db48d11ae3770f031c
SHA512

ee9027cd40d6027f1096f5882a5f42f6d3fb275f80782de63499c5c2e24a9aeccdb5301ae557b3555a58023a121f4ddb59352fa7efee95e2a7e327a1df1c9a2c

Score

10^/10

darktrack hawkeye collection keylogger persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

efe5c9a880d7e16af450070d3036d5964da8b5115c4b34db48d11ae3770f031c.exe

Resource

win7-20220310-en

darktrack hawkeye collection keylogger persistence rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

efe5c9a880d7e16af450070d3036d5964da8b5115c4b34db48d11ae3770f031c.exe

Resource

win10v2004-en-20220113

darktrack persistence rat stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
robertovieira123321@gmail.com
Password:
12345frozen

Targets

- Target
  
  efe5c9a880d7e16af450070d3036d5964da8b5115c4b34db48d11ae3770f031c
- Size
  
  1.1MB
- MD5
  
  ab0dbb40ce1b6355c77ffa790626ac98
- SHA1
  
  cb40fe0d6ad103d38e3761d0d5f56e3aebdc80c6
- SHA256
  
  efe5c9a880d7e16af450070d3036d5964da8b5115c4b34db48d11ae3770f031c
- SHA512
  
  ee9027cd40d6027f1096f5882a5f42f6d3fb275f80782de63499c5c2e24a9aeccdb5301ae557b3555a58023a121f4ddb59352fa7efee95e2a7e327a1df1c9a2c
Score

10^/10

darktrack hawkeye collection keylogger persistence rat spyware stealer trojan
- DarkTrack
  DarkTrack is a remote administration tool written in delphi.
  rat stealer darktrack
- DarkTrack Payload
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darktrackhawkeyecollectionkeyloggerpersistenceratspywarestealertrojan

behavioral2

darktrackpersistenceratstealer

© 2018-2024

Terms | Privacy