General

  • Target

    Darkv4.1.7z

  • Size

    42.6MB

  • Sample

    241103-mbe85s1lay

  • MD5

    5319b57c6ebb76a52542a2c11988a3cc

  • SHA1

    d31fde33e8039d62cd75a154aa0899d228cf3e50

  • SHA256

    013621409364c858c43808fe5be1e1878d6235b60010b1d8488263ada6a92675

  • SHA512

    339e0ef01be732a1e4dc1e4be954472221ded959d7bf5ebe6e94e3407e7a803810ac0cdae645995eb9668761fc8507993ce5c51aefcd0bb9126f4c3084933c32

  • SSDEEP

    786432:63aCGYL66pjPjdhYDK8SxtpUxiJNjw+3JJvxmUX/kvMK7tMNmZzIXXKEd+L9Ry83:wGYmkLj0CNFJFkI/aMUMuCr0K82ef

Malware Config

Targets

    • Target

      Dark.exe

    • Size

      11.4MB

    • MD5

      44bdfcc9d07ebc6d9ab75a1c6004c6be

    • SHA1

      3c3ac11331cfb01099f8f118a4544650741de925

    • SHA256

      cb5dbb0dffe96076b8817600169e789975d5d531c2828755e01d2ff3fff32444

    • SHA512

      660e0c7c6a47d16cd1c71d09c66c1f1dadaf6f5ff0549de2345b7f8a57d0b3107ab40c9b6a3ffb0fb846d5fc0b549ce73c341d54188b1448353804997cca9c98

    • SSDEEP

      196608:IF3nlCLCUx4DILwTrBnuCxr9MRs3GtZv9gmxHGM/QGtzhcGZgos0WAF1Wjo+ONjy:qXlO8TrBu0Cs09gmxHVz81OwjA+

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Modifies file attributes to stop the file from showing in Explorer and similar views.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks