darktrack | 3682f63442374a284f1b5f996da477f3cf024ffd5fa5f2bf064ef80136b81a04

Analysis

max time kernel
301s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quasar_Gold/QuasarRAT.exe
Size

11.9MB
MD5

44b8fdbeac92e1b2e88085e33a296ac7
SHA1

120aff91f77e433a303288da47fcd8ccd9a62351
SHA256

a60c958fa5dda06d5b7e2002308d2398f3904d57488666ebc79932a041d40202
SHA512

293cb19c7ddc51092d5077dce39cc38426ca949006d160fc0b414b252c6fbeb01caffddebb7c8d1a4ab2284c3d8c020cbdeb121dedda4882f53d33a8c8b18778
SSDEEP

98304:/ZhqMpBUxERZSu66QVWqkLkUSYPVQarBN:/Z0MpB5/BDlF

Score

10^/10

darktrack persistence rat stealer

Malware Config

Signatures

DarkTrack
DarkTrack is a remote administration tool written in delphi.
rat stealer darktrack

DarkTrack payload 10 IoCs

resource	yara_rule
behavioral24/memory/724-34-0x0000000005060000-0x000000000511A000-memory.dmp	family_darktrack
behavioral24/memory/4444-57-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral24/memory/4444-60-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral24/memory/4444-61-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral24/memory/4444-62-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral24/memory/4444-56-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral24/memory/4444-64-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral24/memory/4444-65-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral24/memory/4444-63-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral24/memory/4444-68-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	QuasarRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	crypt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WinReg32.exe

Executes dropped EXE 3 IoCs

pid	Process
724	crypt.exe
928	quasar golden edition.exe
4708	WinReg32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Load = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DwiDesk\\WinReg32.lnk"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4708 set thread context of 4444	4708	WinReg32.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	QuasarRAT.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4444	cvtres.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 724	5044	QuasarRAT.exe	88
PID 5044 wrote to memory of 724	5044	QuasarRAT.exe	88
PID 5044 wrote to memory of 724	5044	QuasarRAT.exe	88
PID 5044 wrote to memory of 928	5044	QuasarRAT.exe	89
PID 5044 wrote to memory of 928	5044	QuasarRAT.exe	89
PID 724 wrote to memory of 4708	724	crypt.exe	91
PID 724 wrote to memory of 4708	724	crypt.exe	91
PID 724 wrote to memory of 4708	724	crypt.exe	91
PID 4708 wrote to memory of 2384	4708	WinReg32.exe	92
PID 4708 wrote to memory of 2384	4708	WinReg32.exe	92
PID 4708 wrote to memory of 2384	4708	WinReg32.exe	92
PID 2384 wrote to memory of 3380	2384	cmd.exe	94
PID 2384 wrote to memory of 3380	2384	cmd.exe	94
PID 2384 wrote to memory of 3380	2384	cmd.exe	94
PID 4708 wrote to memory of 4444	4708	WinReg32.exe	97
PID 4708 wrote to memory of 4444	4708	WinReg32.exe	97
PID 4708 wrote to memory of 4444	4708	WinReg32.exe	97
PID 4708 wrote to memory of 4444	4708	WinReg32.exe	97
PID 4708 wrote to memory of 4444	4708	WinReg32.exe	97
PID 4708 wrote to memory of 4444	4708	WinReg32.exe	97
PID 4708 wrote to memory of 4444	4708	WinReg32.exe	97
PID 4708 wrote to memory of 4444	4708	WinReg32.exe	97
PID 4708 wrote to memory of 4444	4708	WinReg32.exe	97
PID 4708 wrote to memory of 4444	4708	WinReg32.exe	97
PID 4708 wrote to memory of 4444	4708	WinReg32.exe	97
PID 4708 wrote to memory of 4444	4708	WinReg32.exe	97

C:\Users\Admin\AppData\Local\Temp\Quasar_Gold\QuasarRAT.exe
"C:\Users\Admin\AppData\Local\Temp\Quasar_Gold\QuasarRAT.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\crypt.exe
  "C:\Users\Admin\AppData\Local\Temp\crypt.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\WinReg32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\WinReg32.exe" -n
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\WinReg32.lnk" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\WinReg32.lnk" /f
        5⤵
        Adds Run key to start application
        
        PID:3380
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      PID:4444
- C:\Users\Admin\AppData\Local\Temp\quasar golden edition.exe
  "C:\Users\Admin\AppData\Local\Temp\quasar golden edition.exe"
  2⤵
  - Executes dropped EXE
  PID:928

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\crypt.exe

Filesize
869KB

MD5
245468fca16ae49742f45a95ce4d5a8a

SHA1
b8b77c9d0b1b9a8bbfee75cd7c3b5c0e04b7e3b2

SHA256
3254a31f92cf401165691c882186768b4a8d1a958e55a11fb50447d5f5d37599

SHA512
0432027fcc54c6e51529820bee810c552e006382d71b37a09de80261163f7c6becb0de2ee0dce9a54c1291bb47e0961160a5957ec2fa98e88e339c6f56ff7041

Download Submit
C:\Users\Admin\AppData\Local\Temp\quasar golden edition.exe

Filesize
6.1MB

MD5
84aee0785362d1d25a26b132e01bab38

SHA1
2c90dc8f96105edf3825f0eec611173f3ce7ac8b

SHA256
94e477c4b2eac2bd3f9c34a83d8040b0f25e470e3290dd460080982d035f5f09

SHA512
8ed2a14685e1280ade0e0d68b9394305589f1a376fd00ac41eb74b34bd7101f15d291f4ccde1724eba1eebda2dcb58b07745d10f63f48248be994ba5e6776155

Download Submit
C:\Users\Admin\AppData\Local\Temp\quasar golden edition.exe

Filesize
5.6MB

MD5
41ceefa513093604974422256b85724b

SHA1
91e5de7d157899b431500977d85cb1f63eeb1ce6

SHA256
16b44e696bddab2f16c3dd57852848d75b799528cdd812ec2fad863c8c842b25

SHA512
ef287abf273853a55f041803ac4ed50645dad3f380bbe10f64562ffacd32b47a75f8d1b982f0b7329e5b13a35aed956297be0fa425865532bfb287d24dc03768

Download Submit
C:\Users\Admin\AppData\Local\Temp\quasar golden edition.exe

Filesize
5.6MB

MD5
15a06154b837a193e0f494f2ba6eaf72

SHA1
64807d72546384789048164b7b6318aa0ce6f85c

SHA256
1b7c48ab2c256ea2e13bf45f5018e7351cbbdac97baa5a9eddab7be7337e0c49

SHA512
6d962f222dac73fa2f1bed5f4a8c54a5c9e98e3bf19e5bbf0e414900e969aaa6f52066e9286596a7da719615670cac65bbcd13d3398d656136d5119eaeca720b

Download Submit
memory/724-34-0x0000000005060000-0x000000000511A000-memory.dmp

Filesize
744KB

Download
memory/724-29-0x0000000004D70000-0x0000000004E02000-memory.dmp

Filesize
584KB

Download
memory/724-24-0x0000000073C10000-0x00000000743C0000-memory.dmp

Filesize
7.7MB

Download
memory/724-51-0x0000000073C10000-0x00000000743C0000-memory.dmp

Filesize
7.7MB

Download
memory/724-26-0x00000000001A0000-0x000000000027E000-memory.dmp

Filesize
888KB

Download
memory/724-27-0x0000000004C30000-0x0000000004CCC000-memory.dmp

Filesize
624KB

Download
memory/724-28-0x0000000005280000-0x0000000005824000-memory.dmp

Filesize
5.6MB

Download
memory/724-33-0x0000000005830000-0x0000000005B84000-memory.dmp

Filesize
3.3MB

Download
memory/724-30-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/724-31-0x0000000004D20000-0x0000000004D2A000-memory.dmp

Filesize
40KB

Download
memory/724-32-0x0000000004F90000-0x0000000004FE6000-memory.dmp

Filesize
344KB

Download
memory/928-23-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/928-22-0x0000028668FB0000-0x0000028669ABA000-memory.dmp

Filesize
11.0MB

Download
memory/928-67-0x000002866C140000-0x000002866C150000-memory.dmp

Filesize
64KB

Download
memory/928-25-0x000002866C140000-0x000002866C150000-memory.dmp

Filesize
64KB

Download
memory/928-66-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

Filesize
10.8MB

Download
memory/4444-56-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4444-57-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4444-60-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4444-61-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4444-62-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4444-64-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4444-65-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4444-63-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4444-68-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4708-59-0x0000000073C10000-0x00000000743C0000-memory.dmp

Filesize
7.7MB

Download
memory/4708-55-0x0000000006390000-0x00000000063AA000-memory.dmp

Filesize
104KB

Download
memory/4708-52-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4708-50-0x0000000073C10000-0x00000000743C0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads