General
-
Target
68deb5c95c8ff149f14bb53a004caf6dc67054e4cc758c5a21f07e670dcc95ea
-
Size
14.5MB
-
Sample
220319-yqd56shdf2
-
MD5
235d5a2a69018bda970d548c0b85f755
-
SHA1
247f66146ee71896b062d4b60d9c515b6cfbc20e
-
SHA256
68deb5c95c8ff149f14bb53a004caf6dc67054e4cc758c5a21f07e670dcc95ea
-
SHA512
99da8a7ed9a46ead43d9ab655a10e4ab993055d2fdb5b198516406bcd22082337301787130abdd61b3c09b6ad7ea249a453c9d09871b53f165302dff13aa074e
Malware Config
Targets
-
-
Target
68deb5c95c8ff149f14bb53a004caf6dc67054e4cc758c5a21f07e670dcc95ea
-
Size
14.5MB
-
MD5
235d5a2a69018bda970d548c0b85f755
-
SHA1
247f66146ee71896b062d4b60d9c515b6cfbc20e
-
SHA256
68deb5c95c8ff149f14bb53a004caf6dc67054e4cc758c5a21f07e670dcc95ea
-
SHA512
99da8a7ed9a46ead43d9ab655a10e4ab993055d2fdb5b198516406bcd22082337301787130abdd61b3c09b6ad7ea249a453c9d09871b53f165302dff13aa074e
Score10/10-
DarkTrack
DarkTrack is a remote administration tool written in delphi.
-
DarkTrack Payload
-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
Turns off Windows Defender SpyNet reporting
-
Windows security bypass
-
Looks for VirtualBox Guest Additions in registry
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Winlogon Helper DLL
1Modify Existing Service
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
6Disabling Security Tools
4Virtualization/Sandbox Evasion
2