darkgate | fdfe565a809fd50a01efe2c4c4d942f0d59dd1df2fa92f55d230ae8cea276db6

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2023 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

872KB
MD5

c56b5f0201a3b3de53e561fe76912bfd
SHA1

2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256

237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512

195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
SSDEEP

12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01

Score

10^/10

darkgate stealer

Malware Config

Extracted

Family

darkgate

http://107.181.161.20

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 14 IoCs

description	pid	Process	procid_target
PID 1576 created 3724	1576	1.exe	49
PID 4984 created 2332	4984	32BitMAPIBroker.exe	38
PID 4984 created 3816	4984	32BitMAPIBroker.exe	53
PID 4984 created 3448	4984	32BitMAPIBroker.exe	51
PID 4984 created 2332	4984	32BitMAPIBroker.exe	38
PID 4984 created 2316	4984	32BitMAPIBroker.exe	27
PID 4984 created 3816	4984	32BitMAPIBroker.exe	53
PID 4984 created 3724	4984	32BitMAPIBroker.exe	49
PID 4984 created 3816	4984	32BitMAPIBroker.exe	53
PID 4984 created 3660	4984	32BitMAPIBroker.exe	50
PID 4984 created 2428	4984	32BitMAPIBroker.exe	46
PID 4984 created 3628	4984	32BitMAPIBroker.exe	62
PID 4984 created 3628	4984	32BitMAPIBroker.exe	62
PID 4984 created 2428	4984	32BitMAPIBroker.exe	46

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbefkfb.lnk	32BitMAPIBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	1.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1576	1.exe
1576	1.exe
1576	1.exe
1576	1.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
4984	32BitMAPIBroker.exe
548	GoogleUpdateBroker.exe
548	GoogleUpdateBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84
PID 1576 wrote to memory of 4984	1576	1.exe	84

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2332

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2428
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:548

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3724
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  PID:4984

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3660

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3448

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3816

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\1.exe
C:\Users\Admin\AppData\Local\Temp\1.exe 3.au3
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\faccfbc\cfefaec\fdfegdd

Filesize
134B

MD5
aa1129583a89346744e7a55f19016ba9

SHA1
ea13e93425745656100970b4684ce37d33912569

SHA256
0636bc1a085cffd6cd532fc7115d124fcfc51a30ddb1d45e99e1db7542d3fa78

SHA512
2d3c4035f7d73e1f67f037bbda1c356f5e501b8862f1e202dba1c7cd7524af8d26906a65a0e31b23eed76c38c13eefd919c6f99a5013c618563fe667348961ce

Download Submit
C:\ProgramData\faccfbc\cfefaec\fdfegdd

Filesize
134B

MD5
9beeb574b4d3072671f99e7d78c59d65

SHA1
10a0571d12d71532c78f4fd9c1c109db0679fbcd

SHA256
a2a673e1287b95ada0b5c32a8dddb89c00548823c7ca98936939d85192c20593

SHA512
9454f25b7491f5b95c0acf8bc7204d79f425e3742de05f98cc20b59509445131294148b8b6421df72c87814f29122c8ff162dda82bd14e240707b1b238b32da5

Download Submit
\??\c:\temp\hcdhbeb.au3

Filesize
776KB

MD5
5892ff480896da2f5c2e52a8dccb1446

SHA1
7d89c0b2ed8613f0ea23a2200b9a66d8b316f7af

SHA256
1d981f5c19ba3f2be6be51685f211ed80b28fc31dd1de7b7797e09a611e893c5

SHA512
6a836325d3f233cd04eca1de36e695f238005066b55d93d6526e90a588466da2812b84407095a7fb19f8e1051b66c04457886a239d481ab48563507eb85c5213

Download Submit
memory/548-622-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/548-620-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/548-1218-0x0000000010490000-0x000000001050E000-memory.dmp

Filesize
504KB

Download
memory/548-1213-0x0000000010490000-0x000000001050E000-memory.dmp

Filesize
504KB

Download
memory/1576-19-0x00000000012C0000-0x00000000016C0000-memory.dmp

Filesize
4.0MB

Download
memory/1576-22-0x0000000004820000-0x00000000049FA000-memory.dmp

Filesize
1.9MB

Download
memory/1576-604-0x0000000004820000-0x00000000049FA000-memory.dmp

Filesize
1.9MB

Download
memory/1576-1-0x00000000012C0000-0x00000000016C0000-memory.dmp

Filesize
4.0MB

Download
memory/1576-6-0x0000000004820000-0x00000000049FA000-memory.dmp

Filesize
1.9MB

Download
memory/1576-3-0x0000000003FE0000-0x00000000040D5000-memory.dmp

Filesize
980KB

Download
memory/1576-2-0x0000000004820000-0x00000000049FA000-memory.dmp

Filesize
1.9MB

Download
memory/4984-8-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/4984-635-0x0000000010410000-0x000000001048E000-memory.dmp

Filesize
504KB

Download
memory/4984-603-0x0000000010410000-0x000000001048E000-memory.dmp

Filesize
504KB

Download
memory/4984-9-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download