Malware analysis 2 Darktrack Rat.rar Malicious activity

Add for printing

File name:	2 Darktrack Rat.rar
Full analysis:	https://app.any.run/tasks/78096359-6374-41bf-aed0-33edc8a805b6
Verdict:	Malicious activity
Analysis date:	July 18, 2024, 23:24:22
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	aspack
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	C120E5D923F5176CA110A342C6D8C233
SHA1:	439D3122860CC12532B54C577A08BB18FC851183
SHA256:	6A1E261BAA6948ADF079CDAE0D68FF0950A7EE288EA0FBC8191E5D0B8249E3B3
SSDEEP:	196608:L97sFgpZQVyJZUoasF0z6HYvH5I4nA7MN:xqgnQ4Zl70z6HYP5I4+k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Scans artifacts that could help determine the target
  - Darktrack 4 Alien RC.exe (PID: 1164)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Reads Microsoft Outlook installation path
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Checks Windows Trust Settings
  - Darktrack 4 Alien RC.exe (PID: 1164)
- There is functionality for taking screenshot (YARA)
  - Darktrack 4 Alien RC.exe (PID: 1164)
- There is functionality for communication over UDP network (YARA)
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Reads Internet Explorer settings
  - Darktrack 4 Alien RC.exe (PID: 1164)
INFO
- Reads the computer name
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Aspack has been detected
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Manual execution by a user
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 7268)
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 7268)
- Checks supported languages
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Checks proxy server information
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Reads the machine GUID from the registry
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Reads the software policy settings
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Creates files or folders in the user directory
  - Darktrack 4 Alien RC.exe (PID: 1164)
- Process checks Internet Explorer phishing filters
  - Darktrack 4 Alien RC.exe (PID: 1164)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

122

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1164

"C:\Users\admin\Desktop\2 Darktrack Rat\Darktrack 4 Alien RC.exe"

C:\Users\admin\Desktop\2 Darktrack Rat\Darktrack 4 Alien RC.exe

explorer.exe

User:

admin

Company:

Darktrack

Integrity Level:

MEDIUM

Description:

Remote Administration Tool

Exit code:

Version:

4.0.0.0

Modules

Images
c:\users\admin\desktop\2 darktrack rat\darktrack 4 alien rc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

1832

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

7268

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\2 Darktrack Rat.rar"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

7320

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

8 319

Read events

8 285

Write events

Delete events

Modification events


(PID) Process:	(7268) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(7268) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(7268) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(7268) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\2 Darktrack Rat.rar
(PID) Process:	(7268) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(7268) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(7268) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(7268) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7268) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(7268) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1300000062000000D30300004B020000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7268	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb7268.39613\2 Darktrack Rat\Profiles\ScanFor		text
		MD5:0667371BB521CA441BFA5C54F6302832	SHA256:527338896D53D202618FCBA40707A73B779BF3A417BA2237967F997D704AE229
7268	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb7268.39613\2 Darktrack Rat\Data\DataBase.db		sqlite
		MD5:AFDA8CB7D24C955C6A9D283D03B21362	SHA256:2BC07101CCBD9AED85C7BBADE188BBC1D2E32DA5A146D6D4A71E414DDCA8CFB2
1164	Darktrack 4 Alien RC.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_A71D3C9ACFD0888B19B4EAA86FAA4437		der
		MD5:C04ED7031BA2F0AE802D8B44856E6BB1	SHA256:6494835ED78273BEACE76FFB7454D2B3A6691AEB194C5F7A1221B6B5577F6BAB
7268	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb7268.39613\2 Darktrack Rat\settings.ini		text
		MD5:431C6D9B980772E961AA2AC82C18D73D	SHA256:4646687B3E292EF6A32A3D91B34D1D37617CAE13E488D4D3DE853332064ACD42
1164	Darktrack 4 Alien RC.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA		binary
		MD5:1DA271BADEF3C606463EE2AA45AFC6E7	SHA256:F94E4743F120EAA1D788F11E9AB79F97DB67074665A9C906344CA441B9FD8640
7268	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb7268.39613\2 Darktrack Rat\sqlite3.dll		executable
		MD5:A2EBA4B5199074DBE91FAE77E1050D8A	SHA256:629FD65A87D6D08503E45348ECC7C337F4921F35E47356E8FAB6F3007039C280
1164	Darktrack 4 Alien RC.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA		der
		MD5:D185813A8D07B097840DA5750FD688F9	SHA256:D961A81E6F0923EFCF821EB87A2EEA82C5226C9DFC904FB4B74B5DE03A7A0455
1164	Darktrack 4 Alien RC.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199		der
		MD5:8D1040B12A663CA4EC7277CFC1CE44F0	SHA256:3086094D4198A5BBD12938B0D2D5F696C4DFC77E1EAE820ADDED346A59AA8727
1164	Darktrack 4 Alien RC.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_857450206B889F4FEA0F888FA03D68DB		binary
		MD5:D3E1B1A6ADA78FD429CD4788DFA8A1D7	SHA256:C9DD0650892ADB8E38FDF78DDECA6EAFAC82F802DCF44AE53382E97BFB9098A5
1164	Darktrack 4 Alien RC.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199		binary
		MD5:6102A35CCC7E9377900C1284A16E67EF	SHA256:DA08922AC40DA65C9873463FBD72B2FCE6483787555EDC7F9CB9BEF75CE94BF6

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1164	Darktrack 4 Alien RC.exe	GET	200	142.250.186.67:80	http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D	unknown	—	—	whitelisted
1164	Darktrack 4 Alien RC.exe	GET	200	172.217.16.131:80	http://c.pki.goog/r/r1.crl	unknown	—	—	whitelisted
1164	Darktrack 4 Alien RC.exe	GET	200	142.250.185.227:80	http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDJocJI3cuzOAqV4KAdwn94	unknown	—	—	whitelisted
—	—	GET	200	142.250.185.227:80	http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHViWUaptL4MEEkSmq4OScg%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	20.223.35.26:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4716	svchost.exe	40.126.32.138:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7856	svchost.exe	4.209.32.198:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5968	backgroundTaskHost.exe	20.31.169.57:443	fd.api.iris.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
2760	svchost.exe	40.113.110.67:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3384	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7856	svchost.exe	4.209.33.156:443	licensing.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown

DNS requests

Domain	IP	Reputation
arc.msn.com	20.223.35.26	whitelisted
login.live.com	40.126.32.138 40.126.32.74 20.190.160.20 40.126.32.133 40.126.32.136 40.126.32.72 40.126.32.134 40.126.32.76	whitelisted
google.com	142.250.181.238	whitelisted
fd.api.iris.microsoft.com	20.31.169.57	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
licensing.mp.microsoft.com	4.209.33.156	whitelisted
www.youtube.com	216.58.206.46 142.250.186.142 142.250.185.142 216.58.206.78 142.250.186.110 142.250.185.174 142.250.185.206 142.250.185.110 142.250.185.78 142.250.185.238 142.250.184.238 216.58.212.174 142.250.186.78 142.250.74.206 172.217.16.206 172.217.18.14	whitelisted
ocsp.pki.goog	142.250.186.67	whitelisted
c.pki.goog	172.217.16.131	whitelisted
o.pki.goog	142.250.185.227	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

2 Darktrack Rat.rar

C120E5D923F5176CA110A342C6D8C233

439D3122860CC12532B54C577A08BB18FC851183

6A1E261BAA6948ADF079CDAE0D68FF0950A7EE288EA0FBC8191E5D0B8249E3B3

196608:L97sFgpZQVyJZUoasF0z6HYvH5I4nA7MN:xqgnQ4Zl70z6HYP5I4+k

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Scans artifacts that could help determine the target

SUSPICIOUS

Reads security settings of Internet Explorer

Reads Microsoft Outlook installation path

Checks Windows Trust Settings

There is functionality for taking screenshot (YARA)

There is functionality for communication over UDP network (YARA)

Reads Internet Explorer settings

INFO

Reads the computer name

Aspack has been detected

Manual execution by a user

Executable content was dropped or overwritten

Drops the executable file immediately after the start

Checks supported languages

Checks proxy server information

Reads the machine GUID from the registry

Reads the software policy settings

Creates files or folders in the user directory

Process checks Internet Explorer phishing filters

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings