darktrack

General

Target

2fb19586318b7dfd7bbacca8bc49682ce2ac842d72f70348715b12a7e2d9e189
Size

1.8MB
Sample

240620-msdfwaxcnr
MD5

55a505b3a045610c58e1812790dff7db
SHA1

370436540a97bffb1207b55cc2839ba67b4efe05
SHA256

2fb19586318b7dfd7bbacca8bc49682ce2ac842d72f70348715b12a7e2d9e189
SHA512

411c57b4087d7fafce246a3dd3bfd52b93afff129879e948fdfb5b2697971ae0cf343a3f8f2cfaa2b6b73f882d50859133a4ae574e1f8210590411e944172fe0
SSDEEP

49152:h/e3WpjfM3CNz8mPL0VzKV9rRJ9pwnHVL6Q6Dg:h/p1hHDjJ9+nH96Bs

Score

10^/10

Malware Config

Targets

- Target
  
  2fb19586318b7dfd7bbacca8bc49682ce2ac842d72f70348715b12a7e2d9e189
- Size
  
  1.8MB
- MD5
  
  55a505b3a045610c58e1812790dff7db
- SHA1
  
  370436540a97bffb1207b55cc2839ba67b4efe05
- SHA256
  
  2fb19586318b7dfd7bbacca8bc49682ce2ac842d72f70348715b12a7e2d9e189
- SHA512
  
  411c57b4087d7fafce246a3dd3bfd52b93afff129879e948fdfb5b2697971ae0cf343a3f8f2cfaa2b6b73f882d50859133a4ae574e1f8210590411e944172fe0
- SSDEEP
  
  49152:h/e3WpjfM3CNz8mPL0VzKV9rRJ9pwnHVL6Q6Dg:h/p1hHDjJ9+nH96Bs
Score

10^/10

execution persistence darktrack rat stealer upx
- DarkTrack
  DarkTrack is a remote administration tool written in delphi.
  rat stealer darktrack
- DarkTrack payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $TEMP/putin_hyilo.exe
- Size
  
  176KB
- MD5
  
  df5671afa8a8170a515c589e1b342d52
- SHA1
  
  ae327ecd6f312f5860fe35bacfa36cb9768852bb
- SHA256
  
  6e9d23e7b4a677651ccb362fa6833ca13deef184a45a801cb1d7d1f542210809
- SHA512
  
  156499f5e8a28206450e5946d26e12b3da589fb8972cdb85a2beef6f09943f8de5f40938ed402cbe661f4a3c24554f807755c29d2ef8b2a083c5e86d2faf108b
- SSDEEP
  
  3072:yHwrxmMpvDITZg1Sa5GWp1icKAArDZz4N9GhbkrNEk1RIir:trMZ0p0yN90QEeIq
Score

10^/10

darktrack execution persistence rat stealer upx
- DarkTrack
  DarkTrack is a remote administration tool written in delphi.
  rat stealer darktrack
- DarkTrack payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral3
- Target
  
  $TEMP/trudovaya_kniga.docx
- Size
  
  1.5MB
- MD5
  
  789497a9ff0bd7df99aa662f512c6856
- SHA1
  
  f69cec1046f8e59983fd8cfcae867926495fadd6
- SHA256
  
  8646226f4b2b2b96d5e31d4daae0ac5484edc2a7759297e0f63a06358ea61a38
- SHA512
  
  71442dec98b3ec16f94ec07380087370c72a48532398f893a9324081f7560f7c620b549770b97356fe5400f6ef7e4935b6339d477298be13966c06f1f5065205
- SSDEEP
  
  49152:H+mxBf5HVPjLYdqN5/11ybKbzM1yZyidw0V5Ufzpct/rmmrx:ljRVPhN5/11ybazXIDlQbx
Score

4^/10
behavioral4 behavioral5