darktrack | 1f5e2e15e2d09dd85380f2bd361d27f6dbd4c8c7f6fe270a54df1bfe3ba853c3 | Triage

Submit
Reports

Overview

overview

Static

static

3

Elsa.exe

windows10-2004-x64

Sharing

General

Target

Elsa.exe
Size

1.7MB
Sample

240925-qpr2msxfkp
MD5

357b90b97177f4c2689266f47a99ae74
SHA1

8d4fd39a6dc65fb080b38f7907f256c2e6bcff2b
SHA256

1f5e2e15e2d09dd85380f2bd361d27f6dbd4c8c7f6fe270a54df1bfe3ba853c3
SHA512

f6b19de06515536eec9e06a4c7de0359ebb6b3a2ce1d98fd51f49dcfb7e37ed57bbb3f642701b2d3712ee5c1438fa4009e703de721c4957b7e70f2f2919806d1
SSDEEP

3072:tahKyd2n31G5vWp1icKAArDZz4N9GhbkENEk3b:tahOXp0yN90vE

Score

10^/10

darktrack discovery execution persistence rat stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Elsa.exe

Resource

win10v2004-20240802-en

darktrack discovery execution persistence rat stealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  Elsa.exe
- Size
  
  1.7MB
- MD5
  
  357b90b97177f4c2689266f47a99ae74
- SHA1
  
  8d4fd39a6dc65fb080b38f7907f256c2e6bcff2b
- SHA256
  
  1f5e2e15e2d09dd85380f2bd361d27f6dbd4c8c7f6fe270a54df1bfe3ba853c3
- SHA512
  
  f6b19de06515536eec9e06a4c7de0359ebb6b3a2ce1d98fd51f49dcfb7e37ed57bbb3f642701b2d3712ee5c1438fa4009e703de721c4957b7e70f2f2919806d1
- SSDEEP
  
  3072:tahKyd2n31G5vWp1icKAArDZz4N9GhbkENEk3b:tahOXp0yN90vE
Score

10^/10

darktrack discovery execution persistence rat stealer
- DarkTrack
  DarkTrack is a remote administration tool written in delphi.
  rat stealer darktrack
- DarkTrack payload
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

darktrackdiscoveryexecutionpersistenceratstealer

© 2018-2024

Terms | Privacy