darkgate | e087829e269e67ac7f9400059696958f8ed4c81ac5ead5cf7b055a85941c915c

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24-08-2023 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

872KB
MD5

c56b5f0201a3b3de53e561fe76912bfd
SHA1

2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256

237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512

195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
SSDEEP

12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01

Score

10^/10

darkgate stealer

Malware Config

Extracted

Family

darkgate

http://107.181.161.20

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1468 created 1116	1468	1.exe	11
PID 2724 created 1180	2724	template.exe	10

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ahbdhdd.lnk	template.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1468	1.exe
1468	1.exe
2724	template.exe
2724	template.exe
2184	GoogleUpdateBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28
PID 1468 wrote to memory of 2724	1468	1.exe	28

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2184

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116
- C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe
  "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  PID:2724

C:\Users\Admin\AppData\Local\Temp\1.exe
C:\Users\Admin\AppData\Local\Temp\1.exe 2.au3
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bceefab\befabge\daebaff

Filesize
134B

MD5
3d9fffd643e86a3e5e5ccc5da1311de9

SHA1
57e965a575f9e043ea5d6793d77c21ca65daf3b5

SHA256
599e2972a1e0884df5df1e890eb3ac6785ea5853161412c0e3a7a39a18d77769

SHA512
26309cb376f9a005ef6bd75a6f98abab2adf2e60ccee6162af3caec6a17aaceff1f3b01969502b7b25841e120950fc8d0211ee417bd8541b3a524f8474761f34

Download Submit
C:\ProgramData\bceefab\befabge\daebaff

Filesize
134B

MD5
fb17d1000339ce0a4af19515f8b9833f

SHA1
316509d6f15d9877ab9e8c1f08bdd1a8df1724cc

SHA256
a348f186c09f4dc0c2b0c503f7318caa2f724440e9371ee5c2ebc5e2f1e153cd

SHA512
8f05259919b35c4d4c863bda180da64a5c95e39b09f4ed0bc6acfe8d0f275afb6b145f44bfd0a9e3aa09066b79e8ca7210a2302054bd25030696328e7eea381f

Download Submit
\??\c:\temp\bchdffd.au3

Filesize
777KB

MD5
0e3913bc130c81f4c6cb004eddbdf1a3

SHA1
80eaa851d47a0aa67148e544882a3003b3f4742d

SHA256
8ff356af97443bd2b028eb57f160a92c2a1ecab2d227977a87a221ae6409c4be

SHA512
7aab507bc116aebf8202b96824489d48c90493acddfad9faac0013ed2d136db2a72a7269c7e4c79a17e051b7e30a62061ac954ed19bd35ec8ddc1a6cf3cc5e85

Download Submit
memory/1468-22-0x00000000007B0000-0x0000000000BB0000-memory.dmp

Filesize
4.0MB

Download
memory/1468-1-0x00000000007B0000-0x0000000000BB0000-memory.dmp

Filesize
4.0MB

Download
memory/1468-23-0x0000000003140000-0x000000000331A000-memory.dmp

Filesize
1.9MB

Download
memory/1468-6-0x0000000003140000-0x000000000331A000-memory.dmp

Filesize
1.9MB

Download
memory/1468-618-0x0000000003140000-0x000000000331A000-memory.dmp

Filesize
1.9MB

Download
memory/1468-3-0x0000000002920000-0x0000000002A15000-memory.dmp

Filesize
980KB

Download
memory/1468-2-0x0000000003140000-0x000000000331A000-memory.dmp

Filesize
1.9MB

Download
memory/2184-1231-0x0000000010490000-0x000000001050E000-memory.dmp

Filesize
504KB

Download
memory/2184-1226-0x0000000010490000-0x000000001050E000-memory.dmp

Filesize
504KB

Download
memory/2184-630-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2184-632-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2724-8-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2724-649-0x0000000010410000-0x000000001048E000-memory.dmp

Filesize
504KB

Download
memory/2724-617-0x0000000010410000-0x000000001048E000-memory.dmp

Filesize
504KB

Download
memory/2724-9-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download