General

  • Target

    07062024_1634_06062024_Об имуществе МО 03-4096.PDF.rar

  • Size

    1.4MB

  • Sample

    240607-t3gplsbb4x

  • MD5

    6b453d528fa26e01196beffade094914

  • SHA1

    7ef7c63b25e20940ac68ecbe2b69cb6c38e8f3bf

  • SHA256

    f1149bb09ca48d83ed005113a7c99acee529cb782b5b9fa2d861333efd72cfc5

  • SHA512

    17753aa8abffe6fadb0a4146474cc04ddbc7d9fe3a48b5e8edb97a2d51b9b6e9412e4c3609f171dae81396515ffb089047b2fff2a5b6796e36f69b2a34b2280f

  • SSDEEP

    24576:Bv0nzjktfqPN5Zg4Avo2PMqriACKkOlicVpqoZxDNHYwD3CuNGEt/k3kNwPJTkfU:Bv0zYSPDVun2AHVicVpqqxpHjCGs3kNK

Malware Config

Targets

    • Target

      Ob-imuschestve-03-4096.PDF.exe

    • Size

      1.5MB

    • MD5

      30515ea717c237b124625707b66290ef

    • SHA1

      d3901874b08f3e1d1832232a54ea5be1978f368c

    • SHA256

      36220391efa0de0d81bee5b8d8813b6f2c89e81c78091387d05946e184b967c8

    • SHA512

      f1c01760d41256ed7d110395de852bcf8af46ba267e8a4710e4d2fa9de8a9a2cfe900cefde620da59739d82cb9396646dec00b2558c265cda267862e7fd7250c

    • SSDEEP

      24576:IPdEQwQPcumM/gV1TREX+pU4sScdzazM16z1tV4MIdNoWE7j2kLcwi6pXw5rqJUR:ILwdGgvTRxDcdzZ1ItV0dNoWenLcwiw8

    • DarkTrack

      DarkTrack is a remote administration tool written in Delphi.

    • DarkTrack payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

    • Target

      $TEMP/Ob-imuschestve-03-4096.pdf

    • Size

      101KB

    • MD5

      3d2b307dd04a2cf0a4b49e2fee1db17a

    • SHA1

      8063e0902d60b37ae37d580a1027360466794ef0

    • SHA256

      01dd6941f22aa1cc7125eadc6179f920cb1661674a52369f0bb4c2fac2884054

    • SHA512

      f95756a2b7979251afb0f49aa7bc9b6a6200430082f4d916da2c515ad9134459404ea3c69a7adcd12051928e9e0bdb13e88b60c5aecdde51b9ec35f7c858f6c9

    • SSDEEP

      1536:rV4AcFpyt2/hT7PL7WkPTo9ZlfKDPTqDtzaU9Xu3cmncIbFFMwF9ul:54AKytaT7uD/uPTGtz3Xu3cmcYze

    • Score

      1/10

    • Target

      $TEMP/putinpenis.exe

    • Size

      1.3MB

    • MD5

      f207f15a7dc33fff2fc00662acce13f9

    • SHA1

      72322200bb1a8df47a79588bd380d9cd101fe77d

    • SHA256

      4ac7e33850576a39f771a5e3f9202af814ab087d9f74bd2e6742a27c06f3b397

    • SHA512

      e59b3b733131c80aac55bcc3c8d86995a2fc9cabd501b90bbdb8efbfc7106ff1c380e010d947c19f2b21e8c457a29405e167c21dcbb5e841bc26f26ba54e5b28

    • SSDEEP

      24576:9fLSn7UnBjPIqmUeXv0p4xfpv4yAk4PL7mmIXM9h7gTTbE8Ob7nZbErBsbDntTif:JLneLsM4lkOh7kE8Q7ZQWbLtwd

    • DarkTrack

      DarkTrack is a remote administration tool written in Delphi.

    • DarkTrack payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks