darkstealer | 729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6

General

Target

729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe
Size

1.7MB
MD5

caea94dab0c8720bd97447d7f9e1ecb8
SHA1

f3eb2519d75901b6c8fc6107bd354b013e6a0b71
SHA256

729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6
SHA512

7752ae0ca4cece6e444af17c50c5cd2226f4c051674286529bf23c4e9f540455e54d969ab2988a7c580beb88be515bf59494b81516a3f9faafe6514123f9ecdb

Score

10^/10

darkstealer echelon backdoor bootkit collection discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Darkstealer
Darkstealer is a file grabber, data stealer, and RAT.
trojan backdoor darkstealer
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Echelon - DarkStealer Fork 2 IoCs

Payload resembles modified variant of Echelon Stealer called DarkStealer.

stealer

Processes:

resource	yara_rule
behavioral2/memory/3452-131-0x0000000000400000-0x00000000007B2000-memory.dmp	echelon_darkstealer
behavioral2/memory/3452-132-0x0000000000400000-0x00000000007B2000-memory.dmp	echelon_darkstealer

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine	729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe

pid	Process
3452	729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
5060	3452	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe

pid	Process
3452	729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe
3452	729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe
3452	729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe
3452	729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe

description	pid	Process
Token: SeDebugPrivilege	3452	729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe

outlook_office_path 1 IoCs

Processes:

729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe

outlook_win_path 1 IoCs

Processes:

729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe

C:\Users\Admin\AppData\Local\Temp\729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe
"C:\Users\Admin\AppData\Local\Temp\729e19020c7b7a3d9bc9f9bdbb69fc32351ade4228e08ebb04de2da5e6b4bdf6.exe"
1⤵
- Identifies Wine through registry keys
- Accesses Microsoft Outlook profiles
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 1984
  2⤵
  - Program crash
  PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3452 -ip 3452
1⤵
PID:2176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3452-130-0x0000000077620000-0x00000000777C3000-memory.dmp

Filesize
1.6MB

Download
memory/3452-131-0x0000000000400000-0x00000000007B2000-memory.dmp

Filesize
3.7MB

Download
memory/3452-132-0x0000000000400000-0x00000000007B2000-memory.dmp

Filesize
3.7MB

Download
memory/3452-133-0x0000000004D60000-0x0000000004DC6000-memory.dmp

Filesize
408KB

Download
memory/3452-134-0x00000000055D0000-0x000000000566C000-memory.dmp

Filesize
624KB

Download
memory/3452-135-0x00000000056A0000-0x0000000005732000-memory.dmp

Filesize
584KB

Download
memory/3452-136-0x0000000005760000-0x0000000005D04000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads