General

  • Target

    Darkv4.1.zip

  • Size

    44.1MB

  • Sample

    241103-mhdc5a1hnh

  • MD5

    15c742431784bb4928707e08ba7bc50c

  • SHA1

    e970566056ad737f0f4c3b170288be8bb15403cc

  • SHA256

    e6bcbedc2beaecd9340bdacf19820b9a4980cf7da210330b224d33294c11c22e

  • SHA512

    8629b7d3d4bbce8de6d294b8f63bc7b1aaf7934f4e3a1ea1c5ce6f439043ff31c65e89bb9e4f5616ea992fbe47dfe99c0ac978fea4706d8ced3e48049ae17e4f

  • SSDEEP

    786432:7MgXQ9k0AR7jKcK+aee5Ui/JyxFoPZ+YEgLuVy3cj6YyUavF5jBt6PYmqGjybBuN:xQan/I9/UFoP31uGo6cavjBaYWIE21Fq

Malware Config

Targets

    • Target

      Dark.exe

    • Size

      11.4MB

    • MD5

      44bdfcc9d07ebc6d9ab75a1c6004c6be

    • SHA1

      3c3ac11331cfb01099f8f118a4544650741de925

    • SHA256

      cb5dbb0dffe96076b8817600169e789975d5d531c2828755e01d2ff3fff32444

    • SHA512

      660e0c7c6a47d16cd1c71d09c66c1f1dadaf6f5ff0549de2345b7f8a57d0b3107ab40c9b6a3ffb0fb846d5fc0b549ce73c341d54188b1448353804997cca9c98

    • SSDEEP

      196608:IF3nlCLCUx4DILwTrBnuCxr9MRs3GtZv9gmxHGM/QGtzhcGZgos0WAF1Wjo+ONjy:qXlO8TrBu0Cs09gmxHVz81OwjA+

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Modifies file attributes to stop the file from showing in Explorer and similar file browsers.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar profile data.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks