MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarktrackRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8
SHA3-384 hash:	afc50dd0d20bf8a8b1578636e08c6994431851cccb232ec98c3680ca18e819be831e57e77839c5325cab4fb770a2f2f0
SHA1 hash:	336aaf0207e6be6826f0e2ca7c7d5198d2619275
MD5 hash:	b8d7e501db694d31599c44c2a11ec36b
humanhash:	undress-bravo-paris-lion
File name:	f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8
Download:	download sample
Signature	DarktrackRAT Create hunting rule
File size:	1'926'656 bytes
First seen:	2021-02-28 07:12:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	49152:DSWILBq4zfqDc5aPIP4MDAZE8v2TBPfepjaqhw8jkkiqkDpv9:Gm4ODcAPo4K8vwB+pjaqhwDkAx
Threatray	72 similar samples on MalwareBazaar
TLSH	B095238279C08309D106ADBAE3DF653843F5A8534172DB4E3FA532CE5612BD3FA45A4E
Reporter	JAMESWT_WT
Tags:	DarktrackRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8

Verdict:

Suspicious activity

Analysis date:

2021-02-28 09:08:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/54900c97-e364-4dcd-9313-1f2b5f138ef6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/119834/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a file

Creating a window

Launching a process

Creating a process with a hidden window

DNS request

Sending a UDP request

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Darktrack RAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/621085

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Contain functionality to detect virtual machines

Creates a thread in another existing process (thread injection)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Darktrack RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8/

Threat name:

ByteCode-MSIL.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2017-05-31 13:09:06 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6e4p36fdonelemevvi37tsubsbq4sm3gcxzup4bg6w3upbqwog4a._file

Verdict:

malicious

DarktrackRAT

59b230d608d121a6969fa2eab41b020c57f99328319ebd92ef00cb4081562589

DarktrackRAT

71d441f9725ee7a1e158a85e037e2311875f19ad12729900dba14c3ded8c5166

DarktrackRAT

733036ae8101048351d1cf684fe1bc02c1cf7a70725a470bec7cbd59a602738b

DarktrackRAT

7f5f68e3163fd4aae367b129dc4d519000905b78d66e6933e7b091053eadd98f

DarktrackRAT

ae9f21e994994c7d538df1032eb81cba7c3cbff6a76e8c15d91c8fe6f78dfa28

DarktrackRAT

bc9204be92ac0bd373bc0153d02be668ad82d382ebcc112fa8c252e6f9c67080

DarktrackRAT

f66ba3c9a85a0a54242aa2a905df2120305cec66efbc9a1a02db3c66ff50b722

DarktrackRAT

f95573e18dd16600bedc2ab6917774a91603d5e90ae5deccfa969a8311802972

DarktrackRAT

f9b03c723f0707c47dc00e0d77ac55559d2cd07cd6b38a67126e535068ca05dc

DarktrackRAT

+ 62 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/210228-gnq4r12rle/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

8bedf97d9c6f4990828623701c4a47775bbf79d80169697cb59414aa3b40caeb

MD5 hash:

c8027abd8ba9841cbbe8ba48c973c2df

SHA1 hash:

72dee70d40e3236df711388ac718a5b828ca5a14

Link:

https://www.unpac.me/results/adf9a77a-0ccd-4fd1-8465-1dffca8c0e79/

SH256 hash:

691fb82c3f78a49086c6f61747195cde07448d2c03cc91b1889b407c50183c98

MD5 hash:

0f2c0e9e783f4f06a09e4e65653aa950

SHA1 hash:

55f721bdd5cc1614771e339b1a9d4829e8fb5908

Link:

https://www.unpac.me/results/adf9a77a-0ccd-4fd1-8465-1dffca8c0e79/

SH256 hash:

a1bf34df9615311900ed74abc08a898d7e154c0dc2a0c78da7d274ab8567b8ce

MD5 hash:

b60ca73ad75b2214816b55ce8ae2f873

SHA1 hash:

1306472b5d6ca790e70f31a59520172d401d9723

Detections:

win_darktrack_rat_auto

Link:

https://www.unpac.me/results/adf9a77a-0ccd-4fd1-8465-1dffca8c0e79/

SH256 hash:

f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8

MD5 hash:

b8d7e501db694d31599c44c2a11ec36b

SHA1 hash:

336aaf0207e6be6826f0e2ca7c7d5198d2619275

Link:

https://www.unpac.me/results/adf9a77a-0ccd-4fd1-8465-1dffca8c0e79/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

NJRat

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f138fdf8a37348b23095aa37f9ca819061c9336615f347f026f5b747861671b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	darktrack_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxProductID Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifcats referencing sandbox product IDs

Rule name:	VMware_detection_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	VMWare detection

Rule name:	win_darktrack_rat_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_darktrack_rat_w0 Create hunting rule
Author:	jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/119834/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample