darkgate | 0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2023, 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be.exe
Size

433KB
MD5

ba837c850e492f4282bf5e34f30cefa8
SHA1

4ae7d8909e58f82408b22187b1085465976b3eae
SHA256

0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be
SHA512

13b4a6044ac2d5b4a110431060abb5238778880097c6abc7e351b40ccc4e6dd2529114293fb10ef930d7d5b1ddc653f9faa0e9cc9e99c98f40d21663d416969d
SSDEEP

12288:3Wy/dWy8VGJcix+d/WS8/Ruv0d5J/zW+hqxqnup/5:3p1p8V0x+d/WS8Hd/W+hqx+uJ5

Score

10^/10

darkgate stealer

Malware Config

Extracted

Family

darkgate

http://lampixx.hopto.org

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

darkgate 11 IoCs

resource	yara_rule
behavioral1/memory/736-1-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate
behavioral1/memory/736-2-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate
behavioral1/memory/996-4-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate
behavioral1/memory/736-3-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate
behavioral1/memory/736-5-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate
behavioral1/memory/736-7-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate
behavioral1/memory/736-11-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate
behavioral1/memory/736-12-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate
behavioral1/memory/736-14-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate
behavioral1/memory/736-16-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate
behavioral1/memory/736-23-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate

darkgate2 11 IoCs

resource	yara_rule
behavioral1/memory/736-1-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate2
behavioral1/memory/736-2-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate2
behavioral1/memory/996-4-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate2
behavioral1/memory/736-3-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate2
behavioral1/memory/736-5-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate2
behavioral1/memory/736-7-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate2
behavioral1/memory/736-11-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate2
behavioral1/memory/736-12-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate2
behavioral1/memory/736-14-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate2
behavioral1/memory/736-16-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate2
behavioral1/memory/736-23-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate2

darkgate3 11 IoCs

resource	yara_rule
behavioral1/memory/736-1-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate3
behavioral1/memory/736-2-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate3
behavioral1/memory/996-4-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate3
behavioral1/memory/736-3-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate3
behavioral1/memory/736-5-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate3
behavioral1/memory/736-7-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate3
behavioral1/memory/736-11-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate3
behavioral1/memory/736-12-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate3
behavioral1/memory/736-14-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate3
behavioral1/memory/736-16-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate3
behavioral1/memory/736-23-0x0000000000400000-0x0000000000473000-memory.dmp	darkgate3

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bcfeeee.lnk	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 996 set thread context of 736	996	0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
996	0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be.exe
996	0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe
736	cmd.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 736	996	0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be.exe	82
PID 996 wrote to memory of 736	996	0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be.exe	82
PID 996 wrote to memory of 736	996	0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be.exe	82
PID 996 wrote to memory of 736	996	0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be.exe	82
PID 996 wrote to memory of 736	996	0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be.exe	82

C:\Users\Admin\AppData\Local\Temp\0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be.exe
"C:\Users\Admin\AppData\Local\Temp\0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be.exe"
1⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe
  2⤵
  - Drops startup file
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ahbfkag\hdegchc\ddaeeae

Filesize
176B

MD5
0c1862a0de73c77b7ebd0d020004c197

SHA1
019a4ac52c4c92729a09f4f5d5547bdcc2778610

SHA256
07a2d2275929beb3f56df8f08bd635218c1fb57faa8efc1e797ea275c1827cc5

SHA512
2b6e0324ea61862dd905723d77f7ecbf82a2e62dccee86dc30856f0ec7d647ba93ad7bec9125e79933478ac841cc2224c65407f5f6eff86e949a44e56be9d5e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcfeeee

Filesize
136B

MD5
0f69680432812fb4cf99137d17d27af8

SHA1
caadd46fbee3242a2207b207f3a2d49206cec446

SHA256
57e2abf79c5c1da51256e1a4d718ced1c609aaed2d4ae0a4b0a5c44ab1dd5022

SHA512
9544748b7a69b1f65ddfb5caa582ead6350afc0b094a4ec0ad052b3f9b1813de45dc7f1940241c642b955e9fadadbc55f55427752647fe780369712ef6af04f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bcfeeee.lnk

Filesize
863B

MD5
3b246d9e7d494686bf06bfa76ccf1f11

SHA1
c328ec9803d89846f8b3e67f4aeb364742cd1a67

SHA256
17a486d2941caa30fa56d482004ab4022d695cdbe85d24dcdbe69cdadd2ec39a

SHA512
45518937a2cc89ab1e944f1d801425325110d0824be1b05f742b425062ab404faa6ab895f2b5e84dde34fa539aa5850943db1012d40c19f124a6ab10ed8b3a6c

Download Submit
memory/736-7-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/736-5-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/736-3-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/736-1-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/736-11-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/736-12-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/736-14-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/736-16-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/736-23-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/736-2-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/996-4-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download