Malware analysis 2 Darktrack Rat.rar Malicious activity

Add for printing

File name:	2 Darktrack Rat.rar
Full analysis:	https://app.any.run/tasks/78096359-6374-41bf-aed0-33edc8a805b6
Verdict:	Malicious activity
Analysis date:	July 18, 2024, 23:24:22
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	aspack
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	C120E5D923F5176CA110A342C6D8C233
SHA1:	439D3122860CC12532B54C577A08BB18FC851183
SHA256:	6A1E261BAA6948ADF079CDAE0D68FF0950A7EE288EA0FBC8191E5D0B8249E3B3
SSDEEP:	196608:L97sFgpZQVyJZUoasF0z6HYvH5I4nA7MN:xqgnQ4Zl70z6HYP5I4+k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Scans artifacts that could help determine the target
  - Darktrack 4 Alien RC.exe (PID: 1164)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - Darktrack 4 Alien RC.exe (PID: 1164)
- There is functionality for communication over UDP network (YARA)
  - Darktrack 4 Alien RC.exe (PID: 1164)
- There is functionality for taking screenshot (YARA)
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Reads Microsoft Outlook installation path
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Checks Windows Trust Settings
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Reads Internet Explorer settings
  - Darktrack 4 Alien RC.exe (PID: 1164)
INFO
- Manual execution by a user
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Reads the computer name
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 7268)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 7268)
- Checks supported languages
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Checks proxy server information
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Aspack has been detected
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Process checks Internet Explorer phishing filters
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Reads the machine GUID from the registry
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Creates files or folders in the user directory
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Reads the software policy settings
  - Darktrack 4 Alien RC.exe (PID: 1164)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

122

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1164

"C:\Users\admin\Desktop\2 Darktrack Rat\Darktrack 4 Alien RC.exe"

C:\Users\admin\Desktop\2 Darktrack Rat\Darktrack 4 Alien RC.exe

explorer.exe

User:

admin

Company:

Darktrack

Integrity Level:

MEDIUM

Description:

Remote Administration Tool

Exit code:

Version:

4.0.0.0

Modules

Images
c:\users\admin\desktop\2 darktrack rat\darktrack 4 alien rc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

1832

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

7268

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\2 Darktrack Rat.rar"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

7320

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

8 319

Read events

8 285

Write events

Delete events

Modification events


(PID) Process:	(7268) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(7268) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(7268) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(7268) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\2 Darktrack Rat.rar
(PID) Process:	(7268) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(7268) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(7268) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(7268) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7268) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(7268) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1300000062000000D30300004B020000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7268	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb7268.39613\2 Darktrack Rat\Modules\ffmpeg.exe		executable
		MD5:F25EEF8A89531E8A78340B2A682D6047	SHA256:1ABEE4A7DBE8F624290054C14EF7B58DB19E93DF976C2ADB8FF4BD20974C3A78
7268	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb7268.39613\2 Darktrack Rat\Darktrack 4 Alien RC.exe		executable
		MD5:7AFC28B47371FA3488352CD8C3EA818F	SHA256:51C0BA723E062C9E65544B37DAFE7765BA0E56AA8F533915B3639E2649A81B65
7268	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb7268.39613\2 Darktrack Rat\sqlite3.dll		executable
		MD5:A2EBA4B5199074DBE91FAE77E1050D8A	SHA256:629FD65A87D6D08503E45348ECC7C337F4921F35E47356E8FAB6F3007039C280
7268	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb7268.39613\2 Darktrack Rat\settings.ini		text
		MD5:431C6D9B980772E961AA2AC82C18D73D	SHA256:4646687B3E292EF6A32A3D91B34D1D37617CAE13E488D4D3DE853332064ACD42
7268	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb7268.39613\2 Darktrack Rat\Profiles\DuckDNS		text
		MD5:8B005994814CEBA9A8C2F47DC683366F	SHA256:253EFC0D11B53266D966D43349BADF83AB97483F97A9F928792D701E892CD6CE
7268	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb7268.39613\2 Darktrack Rat\Profiles\ScanFor		text
		MD5:0667371BB521CA441BFA5C54F6302832	SHA256:527338896D53D202618FCBA40707A73B779BF3A417BA2237967F997D704AE229
7268	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb7268.39613\2 Darktrack Rat\Data\DataBase.db		sqlite
		MD5:AFDA8CB7D24C955C6A9D283D03B21362	SHA256:2BC07101CCBD9AED85C7BBADE188BBC1D2E32DA5A146D6D4A71E414DDCA8CFB2
7268	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb7268.39613\2 Darktrack Rat\Compressors\upx.exe		executable
		MD5:308F709A8F01371A6DD088A793E65A5F	SHA256:C0F9FAFFDF14AB2C853880457BE19A237B10F8986755F184ECFE21670076CB35
1164	Darktrack 4 Alien RC.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_857450206B889F4FEA0F888FA03D68DB		binary
		MD5:67207ECC37EF78FA53F446F112D7A9AF	SHA256:FA5237951F90A4322059EE414342848472D8BB43F6569DB63D1D7A08B1DC61C4
1164	Darktrack 4 Alien RC.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\0hByqnu6-Z4[1].htm		html
		MD5:4DA7ED98EE7C19CF15EEF24F50DF707B	SHA256:F5006B4C9BF67A074CF0EEBC2C21224D8A2E2475E4AD70D92D062719ACC65363

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1164	Darktrack 4 Alien RC.exe	GET	200	142.250.186.67:80	http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D	unknown	—	—	whitelisted
1164	Darktrack 4 Alien RC.exe	GET	200	172.217.16.131:80	http://c.pki.goog/r/r1.crl	unknown	—	—	whitelisted
1164	Darktrack 4 Alien RC.exe	GET	200	142.250.185.227:80	http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDJocJI3cuzOAqV4KAdwn94	unknown	—	—	whitelisted
—	—	GET	200	142.250.185.227:80	http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHViWUaptL4MEEkSmq4OScg%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	20.223.35.26:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4716	svchost.exe	40.126.32.138:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7856	svchost.exe	4.209.32.198:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5968	backgroundTaskHost.exe	20.31.169.57:443	fd.api.iris.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
2760	svchost.exe	40.113.110.67:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3384	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7856	svchost.exe	4.209.33.156:443	licensing.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown

DNS requests

Domain	IP	Reputation
arc.msn.com	20.223.35.26	whitelisted
login.live.com	40.126.32.138 40.126.32.74 20.190.160.20 40.126.32.133 40.126.32.136 40.126.32.72 40.126.32.134 40.126.32.76	whitelisted
google.com	142.250.181.238	whitelisted
fd.api.iris.microsoft.com	20.31.169.57	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
licensing.mp.microsoft.com	4.209.33.156	whitelisted
www.youtube.com	216.58.206.46 142.250.186.142 142.250.185.142 216.58.206.78 142.250.186.110 142.250.185.174 142.250.185.206 142.250.185.110 142.250.185.78 142.250.185.238 142.250.184.238 216.58.212.174 142.250.186.78 142.250.74.206 172.217.16.206 172.217.18.14	whitelisted
ocsp.pki.goog	142.250.186.67	whitelisted
c.pki.goog	172.217.16.131	whitelisted
o.pki.goog	142.250.185.227	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

2 Darktrack Rat.rar

C120E5D923F5176CA110A342C6D8C233

439D3122860CC12532B54C577A08BB18FC851183

6A1E261BAA6948ADF079CDAE0D68FF0950A7EE288EA0FBC8191E5D0B8249E3B3

196608:L97sFgpZQVyJZUoasF0z6HYvH5I4nA7MN:xqgnQ4Zl70z6HYP5I4+k

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Scans artifacts that could help determine the target

SUSPICIOUS

Reads security settings of Internet Explorer

There is functionality for communication over UDP network (YARA)

There is functionality for taking screenshot (YARA)

Reads Microsoft Outlook installation path

Checks Windows Trust Settings

Reads Internet Explorer settings

INFO

Manual execution by a user

Reads the computer name

Drops the executable file immediately after the start

Executable content was dropped or overwritten

Checks supported languages

Checks proxy server information

Aspack has been detected

Process checks Internet Explorer phishing filters

Reads the machine GUID from the registry

Creates files or folders in the user directory

Reads the software policy settings

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings