darkgate | 91f28c3b1cd4ab5bbd77eb9caa31967a0e35cf9e9cfa303a17b2cdcc9a716349 | Triage

Submit
Reports

Overview

overview

Static

static

1

Udemy Desk...JC.msi

windows7-x64

Udemy Desk...JC.msi

windows10-2004-x64

Sharing

General

Target

Udemy Desktop v2.14_JC.msi
Size

1.7MB
Sample

231004-3jycpaff4x
MD5

f6c09481e24b07c6e6dfaeaaa95ed8d3
SHA1

e8febb51d555ed42b6105ac6c056184094458bf0
SHA256

91f28c3b1cd4ab5bbd77eb9caa31967a0e35cf9e9cfa303a17b2cdcc9a716349
SHA512

73cb10ffb01979dbabfe67b7feaea2342d3bd83a73faec779b64f8d71eb28b2ccd9d3bf87a18f7e76a7102f6217b912b4871a189d0e21dbad7b6f362fdb94c84
SSDEEP

49152:wpUPjo5oqrQQkTUwEjKt9CWVxbebxkmILc6hpYrH:wp6oaqUQ4Pj/CWV/Thp

Score

10^/10

darkgate ricoc2 discovery stealer

Static task

static1

Behavioral task

behavioral1

Sample

Udemy Desktop v2.14_JC.msi

Resource

win7-20230831-en

darkgate ricoc2 discovery stealer

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

Udemy Desktop v2.14_JC.msi

Resource

win10v2004-20230915-en

darkgate ricoc2 discovery stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

darkgate

Botnet

Ricoc2

C2

http://joagfhreetdsa.com

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
true
crypter_dll
false
crypter_rawstub
false
crypto_key
OaqlRfomBMoIbY
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
Ricoc2

Targets

- Target
  
  Udemy Desktop v2.14_JC.msi
- Size
  
  1.7MB
- MD5
  
  f6c09481e24b07c6e6dfaeaaa95ed8d3
- SHA1
  
  e8febb51d555ed42b6105ac6c056184094458bf0
- SHA256
  
  91f28c3b1cd4ab5bbd77eb9caa31967a0e35cf9e9cfa303a17b2cdcc9a716349
- SHA512
  
  73cb10ffb01979dbabfe67b7feaea2342d3bd83a73faec779b64f8d71eb28b2ccd9d3bf87a18f7e76a7102f6217b912b4871a189d0e21dbad7b6f362fdb94c84
- SSDEEP
  
  49152:wpUPjo5oqrQQkTUwEjKt9CWVxbebxkmILc6hpYrH:wp6oaqUQ4Pj/CWV/Thp
Score

10^/10

darkgate ricoc2 discovery stealer
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkgatericoc2discoverystealer

behavioral2

darkgatericoc2discoverystealer

© 2018-2025

Terms | Privacy