darktrack | 3682f63442374a284f1b5f996da477f3cf024ffd5fa5f2bf064ef80136b81a04

Analysis

max time kernel
297s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quasar_Gold/QuasarRAT.exe
Size

11.9MB
MD5

44b8fdbeac92e1b2e88085e33a296ac7
SHA1

120aff91f77e433a303288da47fcd8ccd9a62351
SHA256

a60c958fa5dda06d5b7e2002308d2398f3904d57488666ebc79932a041d40202
SHA512

293cb19c7ddc51092d5077dce39cc38426ca949006d160fc0b414b252c6fbeb01caffddebb7c8d1a4ab2284c3d8c020cbdeb121dedda4882f53d33a8c8b18778
SSDEEP

98304:/ZhqMpBUxERZSu66QVWqkLkUSYPVQarBN:/Z0MpB5/BDlF

Score

10^/10

darktrack persistence rat stealer

Malware Config

Signatures

DarkTrack
DarkTrack is a remote administration tool written in delphi.
rat stealer darktrack

DarkTrack payload 15 IoCs

resource	yara_rule
behavioral23/memory/2984-18-0x0000000004C90000-0x0000000004D4A000-memory.dmp	family_darktrack
behavioral23/memory/2264-19-0x000000001B7B0000-0x000000001B830000-memory.dmp	family_darktrack
behavioral23/memory/576-43-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral23/memory/576-49-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral23/memory/576-52-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral23/memory/576-53-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral23/memory/576-54-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral23/memory/576-57-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral23/memory/576-58-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral23/memory/576-59-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral23/memory/576-60-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral23/memory/576-50-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral23/memory/576-47-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral23/memory/576-48-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral23/memory/576-45-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack

Executes dropped EXE 3 IoCs

pid	Process
2984	crypt.exe
2264	quasar golden edition.exe
2560	WinReg32.exe

Loads dropped DLL 4 IoCs

pid	Process
1712	QuasarRAT.exe
1712	QuasarRAT.exe
2984	crypt.exe
2560	WinReg32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Load = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DwiDesk\\WinReg32.lnk"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2560 set thread context of 576	2560	WinReg32.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
576	cvtres.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2984	1712	QuasarRAT.exe	28
PID 1712 wrote to memory of 2984	1712	QuasarRAT.exe	28
PID 1712 wrote to memory of 2984	1712	QuasarRAT.exe	28
PID 1712 wrote to memory of 2984	1712	QuasarRAT.exe	28
PID 1712 wrote to memory of 2264	1712	QuasarRAT.exe	29
PID 1712 wrote to memory of 2264	1712	QuasarRAT.exe	29
PID 1712 wrote to memory of 2264	1712	QuasarRAT.exe	29
PID 1712 wrote to memory of 2264	1712	QuasarRAT.exe	29
PID 2984 wrote to memory of 2560	2984	crypt.exe	30
PID 2984 wrote to memory of 2560	2984	crypt.exe	30
PID 2984 wrote to memory of 2560	2984	crypt.exe	30
PID 2984 wrote to memory of 2560	2984	crypt.exe	30
PID 2560 wrote to memory of 2932	2560	WinReg32.exe	31
PID 2560 wrote to memory of 2932	2560	WinReg32.exe	31
PID 2560 wrote to memory of 2932	2560	WinReg32.exe	31
PID 2560 wrote to memory of 2932	2560	WinReg32.exe	31
PID 2932 wrote to memory of 1172	2932	cmd.exe	33
PID 2932 wrote to memory of 1172	2932	cmd.exe	33
PID 2932 wrote to memory of 1172	2932	cmd.exe	33
PID 2932 wrote to memory of 1172	2932	cmd.exe	33
PID 2560 wrote to memory of 576	2560	WinReg32.exe	34
PID 2560 wrote to memory of 576	2560	WinReg32.exe	34
PID 2560 wrote to memory of 576	2560	WinReg32.exe	34
PID 2560 wrote to memory of 576	2560	WinReg32.exe	34
PID 2560 wrote to memory of 576	2560	WinReg32.exe	34
PID 2560 wrote to memory of 576	2560	WinReg32.exe	34
PID 2560 wrote to memory of 576	2560	WinReg32.exe	34
PID 2560 wrote to memory of 576	2560	WinReg32.exe	34
PID 2560 wrote to memory of 576	2560	WinReg32.exe	34
PID 2560 wrote to memory of 576	2560	WinReg32.exe	34
PID 2560 wrote to memory of 576	2560	WinReg32.exe	34
PID 2560 wrote to memory of 576	2560	WinReg32.exe	34
PID 2560 wrote to memory of 576	2560	WinReg32.exe	34

C:\Users\Admin\AppData\Local\Temp\Quasar_Gold\QuasarRAT.exe
"C:\Users\Admin\AppData\Local\Temp\Quasar_Gold\QuasarRAT.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\crypt.exe
  "C:\Users\Admin\AppData\Local\Temp\crypt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\WinReg32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\WinReg32.exe" -n
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\WinReg32.lnk" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\WinReg32.lnk" /f
        5⤵
        Adds Run key to start application
        
        PID:1172
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      PID:576
- C:\Users\Admin\AppData\Local\Temp\quasar golden edition.exe
  "C:\Users\Admin\AppData\Local\Temp\quasar golden edition.exe"
  2⤵
  - Executes dropped EXE
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\crypt.exe

Filesize
869KB

MD5
245468fca16ae49742f45a95ce4d5a8a

SHA1
b8b77c9d0b1b9a8bbfee75cd7c3b5c0e04b7e3b2

SHA256
3254a31f92cf401165691c882186768b4a8d1a958e55a11fb50447d5f5d37599

SHA512
0432027fcc54c6e51529820bee810c552e006382d71b37a09de80261163f7c6becb0de2ee0dce9a54c1291bb47e0961160a5957ec2fa98e88e339c6f56ff7041

Download Submit
C:\Users\Admin\AppData\Local\Temp\quasar golden edition.exe

Filesize
448KB

MD5
fc67d1c1a7ef2b879da2cbe4e4bb02f9

SHA1
6b2b9814891d18b8fa885bca0dcc634a48dea495

SHA256
319036fbdf822e25a0f651ab3af22b0c1be632392da66309430a17915320a38f

SHA512
3ebf22e6615807a2d7e70e1b9743d1057011e62b0bbd6ed69d6c97bbb9dab7ccf1febbfc31a5e1c65a00a2de2850dd5beb8d7423f7f02a3b3216a55b71c6cc3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\WinReg32.exe

Filesize
448KB

MD5
fb619f3df9e2af1c96cf416fcb60dfbe

SHA1
57d860ee02fdb208a7275259f6fe92f4343f74d8

SHA256
324f79daa3b0f38aeaf00c76d8527ec4bb6223320ad3f7c03778307f2fbfda1a

SHA512
03a88cd4429890235f71bc8e542c2d1d85f39f4c23dddb48d3bc43bbac4b29b5fec303ea221e75edd9a81595b428936d7f0deafb73135da235e65f0a976f8c36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\WinReg32.exe

Filesize
512KB

MD5
6d1c194b2ebbd0495ebf4ee4dbbb548f

SHA1
815eb5ad86eae2d806dc0c6f2f2f136f581040c9

SHA256
da0aa339ebb793f81aa0dbf7e15836cb2ace1d86a716a6040f7016fa2fc3209a

SHA512
42de2db18f99857d7f3b839c396068732a04555b0fbc2f170a466f77268578b0837ec2d5bcdbd060e2ca67dde9671f8acb4af52cda61f742c6aa3edc41a7a022

Download Submit
\Users\Admin\AppData\Local\Temp\crypt.exe

Filesize
704KB

MD5
2dcb3199f7d6068e9bbab31050570467

SHA1
b64d597c1f348ff81b1f954a2e72b1e5bea3648f

SHA256
55f126dc25741f1a5c1e7d5697697ce39dbc11d07f654cf31a5c64068cb4f52d

SHA512
7db90e37468e890bdd3b2ce288babff8fd832e773afaa6fcbc6544945bca7a46395dbb62c26cdc22fa08f48af4d7d39bb25998d40d1261390dbf28179bd817fc

Download Submit
\Users\Admin\AppData\Local\Temp\quasar golden edition.exe

Filesize
192KB

MD5
ce06dc1f407780b8a88523da09c55a93

SHA1
c8c9b7949cea2848eb60f08d31ee62e184bc189b

SHA256
b49bb55e3796861470410b477de32ab7cb6f1922cab24580a16464ead48ec624

SHA512
344125ce69215f9ce61f4ea615167674e741a40c98b1008041e23798a649c9047d8cdf9d1355f157cd8b251cc31e5a4bad5a193eff72039b24f843e92dc53a90

Download Submit
memory/576-60-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/576-50-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/576-41-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/576-42-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/576-45-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/576-48-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/576-47-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/576-59-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/576-58-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/576-57-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/576-54-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/576-51-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/576-53-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/576-52-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/576-43-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/576-49-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2264-61-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2264-37-0x000000001B7B0000-0x000000001B830000-memory.dmp

Filesize
512KB

Download
memory/2264-63-0x000000001B7B0000-0x000000001B830000-memory.dmp

Filesize
512KB

Download
memory/2264-62-0x000000001B7B0000-0x000000001B830000-memory.dmp

Filesize
512KB

Download
memory/2264-16-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2264-15-0x0000000000A70000-0x000000000157A000-memory.dmp

Filesize
11.0MB

Download
memory/2264-19-0x000000001B7B0000-0x000000001B830000-memory.dmp

Filesize
512KB

Download
memory/2560-39-0x0000000000650000-0x0000000000664000-memory.dmp

Filesize
80KB

Download
memory/2560-55-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2560-38-0x0000000000650000-0x000000000066A000-memory.dmp

Filesize
104KB

Download
memory/2560-30-0x0000000000930000-0x0000000000A0E000-memory.dmp

Filesize
888KB

Download
memory/2560-32-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/2560-31-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2984-14-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2984-18-0x0000000004C90000-0x0000000004D4A000-memory.dmp

Filesize
744KB

Download
memory/2984-17-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download
memory/2984-13-0x0000000000270000-0x000000000034E000-memory.dmp

Filesize
888KB

Download
memory/2984-33-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads