Trojan.DarktrackRAT
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Metric | Value |
|---|---|
| Threat Level | 80 % (High) |
| Infected Computers | 216 |
| First Seen | August 31, 2016 |
| Last Seen | September 23, 2022 |
| OS(es) Affected | Windows |
Trojan.DarktrackRAT is a detection name that many cybersecurity companies use in reference to an advanced Remote Access Trojan that may invade computers via corrupted free applications, pirated shareware and cracked games. Many samples of Trojan.DarktrackRAT show the name 'Darktrack Client v4.1 Alien' in their file description properties. The DarktrackRAT malware is believed to have existed on the Dark Web since the end of 2016, and its developers have provided limited free versions of the program on the Dark Web. The main features of DarktrackRAT encompass the following:
- Connections Manager — shows a brief preview of the active and inactive connections to infected machines.
- Desktop Viewer — allows a threat actor to look at the victim's desktop, create files, delete and move files to existing directories.
- OnConnect Command Editor — allows the threat actors to specify what commands the Trojan should run on first launch and what information should be reported back to the 'Command and Control' servers.
- Maps Viewer — the tool is configured to display the location of infected machines using a custom map configuration in the legitimate Google Maps service online.
- Auto Updater — a tool for pushing updated libraries to active infected hosts. The Auto Updater tool can drop update packages to remote computers and set up a delayed update from a file on the local disk or set up an update to be pulled from an infected site.
- Network Stress Tester — a suite of tools that enable UDP and HTTP flooding that limits the network connectivity of targeted computers.
The DarktrackRAT program supports the standard functionality you would expect from legitimate remote desktop utilities like TeamViewer and LogMeIn. Infected computers can be controlled remotely without alerting the active users. DarktrackRAT allows threat actors to create, move and edit saved files; alter Registry entries; remove, install and run programs; search for files; capture screenshots; and track and record the content of the clipboard. Also, Trojan.DarktrackRAT can identify networked computers and extract files from shared folders. The surveillance features supported by DarktrackRAT include:
- File Transfer Viewer for Skype — allows threat actors to copy files sent via Microsoft's Skype IM client.
- Skype Contacts Viewer — allows threat actors to view the user's contacts.
- Skype IM Log Viewer — threat actors can preview sent and received messages in the messaging client.
- Audio/Video Recorder — the module records audio from the installed microphone to WAV format and can record video to an AVI container.
- Webcam Streaming — threat actors can receive output in real time from installed cameras on infected devices.
- Keylogging — a keylogger tool is loaded in the background and records the user's keyboard input.
- Password Recovery Tool — the module allows DarktrackRAT to pull saved login information in Mozilla Firefox, Google Chrome, Chromium-based browsers, Microsoft Outlook and FileZilla.
Infected hosts are known to interact with the 'Command and Control' servers via port 1603 and connect to the 76.107.206.114 IP address. Compromised users may notice irregular movements of the mouse cursor, opening and closing of the DVD/CD tray, suspicious system sounds and increased CPU usage while the system appears to be idle. The DarktrackRAT clients may run on infected machines as 'server.exe' and 'unigen.exe'. It is recommended to remove DarktrackRAT using a reputable anti-malware service. The following detection names are employed by AV vendors regarding DarktrackRAT:
Artemis!23086989405E
Backdoor.Fynloski.S14021
Dropper.Agent.Win32.273977
TR/Spy.Gen
TrojWare.Win32.Trojan.Generic.36979330
Trojan ( 004f5ef11 )
Trojan.Generic.8157780
Trojan/Refroso.fne
Trojan:Win32/VB.AAW
W32/Generic.AP.1932E6!tr
Win32/TrojanDropper.Agent.POB
Win32:BackDoor-ACX [Trj]
malicious_confidence_100% (W
SpyHunter Detects & Removes Trojan.DarktrackRAT
File System Details
Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.

| # | File Name | MD5 | Detections |
|---|---|---|---|
| 1 | MScWord.exe | 428855902fe48c17f8b40b2e539a0374 | 0 |
| 2 | file.exe | 57ba148785fdfad0802c807452313884 | 0 |
| 3 | file.exe | 9421293f0a45611fa45a23e25c876b9b | 0 |
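The indicators this scorecard publishes (the C2 endpoint 76.107.206.114 on port 1603, the client file names 'server.exe' and 'unigen.exe', and the three MD5 hashes in the File System Details table) are the kind of data a defender feeds into a triage script. The following is an added example, not EnigmaSoft or SpyHunter code: it matches those indicators against constructed sample telemetry made up of process-creation and outbound-connection records. The key=value log format, the host names and the non-matching hash values are assumptions made for the example; only the indicators themselves come from the page.

```python
"""Match the DarktrackRAT indicators listed on this page against sample
endpoint telemetry and rank hosts by how strong the evidence is."""

# Indicators of compromise as published on this page
C2_IP = "76.107.206.114"
C2_PORT = 1603
CLIENT_IMAGE_NAMES = {"server.exe", "unigen.exe"}
KNOWN_MD5 = {
    "428855902fe48c17f8b40b2e539a0374": "MScWord.exe",
    "57ba148785fdfad0802c807452313884": "file.exe",
    "9421293f0a45611fa45a23e25c876b9b": "file.exe",
}

# Constructed sample telemetry (assumed key=value format, not any product's
# real output). Host names and the two non-matching MD5 values are made up.
SAMPLE_LOG = """\
2022-09-23T10:01:05Z host=WS01 type=proc image=C:\\Users\\alice\\AppData\\Roaming\\server.exe md5=428855902fe48c17f8b40b2e539a0374
2022-09-23T10:01:06Z host=WS01 type=net image=C:\\Users\\alice\\AppData\\Roaming\\server.exe dst=76.107.206.114 dport=1603
2022-09-23T10:02:11Z host=WS02 type=proc image=C:\\Windows\\System32\\svchost.exe md5=0a1b2c3d4e5f60718293a4b5c6d7e8f9
2022-09-23T10:03:40Z host=WS02 type=net image=C:\\Users\\bob\\AppData\\Local\\Mozilla\\firefox.exe dst=93.184.216.34 dport=443
2022-09-23T10:05:02Z host=WS03 type=proc image=C:\\Temp\\unigen.exe md5=ffffffffffffffffffffffffffffffff
2022-09-23T10:05:03Z host=WS03 type=net image=C:\\Temp\\unigen.exe dst=76.107.206.114 dport=8080
"""


def parse_line(line: str) -> dict:
    """Turn 'ts key=value key=value ...' into a dict (ts kept under 'ts')."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def basename(path: str) -> str:
    """Last path component, lower-cased, for both \\ and / separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_record(rec: dict) -> list:
    """Return the list of indicator matches for one record (empty if none)."""
    reasons = []
    image = basename(rec.get("image", ""))
    if image in CLIENT_IMAGE_NAMES:
        reasons.append(f"image_name:{image}")
    md5 = rec.get("md5", "").lower()
    if md5 in KNOWN_MD5:
        reasons.append(f"md5:{md5}")
    if rec.get("type") == "net" and rec.get("dst") == C2_IP:
        # Full IP:port match is the strongest network signal; the IP alone on
        # another port is still worth a look but is weaker evidence.
        if rec.get("dport") == str(C2_PORT):
            reasons.append(f"c2:{C2_IP}:{C2_PORT}")
        else:
            reasons.append(f"c2_ip_only:{C2_IP}:{rec.get('dport')}")
    return reasons


def scan(log_text: str) -> list:
    """Scan every non-empty line and collect records with at least one match."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = match_record(rec)
        if reasons:
            hits.append({"ts": rec["ts"], "host": rec["host"], "reasons": reasons})
    return hits


def triage(hits: list) -> dict:
    """Per host: 'high' if a known hash or the full C2 endpoint was seen,
    otherwise 'medium' (file name or C2 IP on a different port only)."""
    levels = {}
    for hit in hits:
        strong = any(r.startswith(("md5:", "c2:")) for r in hit["reasons"])
        level = "high" if strong else "medium"
        if levels.get(hit["host"]) != "high":
            levels[hit["host"]] = level
    return levels


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(hit["ts"], hit["host"], ", ".join(hit["reasons"]))
    print("triage:", triage(found))
```

A name-only match such as 'server.exe' is deliberately rated below a hash or C2 match, because that file name is common enough to appear on clean systems; the script reports the reasons for each hit so an analyst can see which evidence drove the rating.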