General

  • Target: 5cc2ecc53d742b200482b633d471df19bdf979796e8289d89f50cea2.vbs
  • Size: 142KB
  • Sample: 231006-qq8qsaea74
  • MD5: 86133160c59d00c0ca11c9716ee3f546
  • SHA1: 941b5b828aa1ae3b5a68772ec31ac06158836b3f
  • SHA256: 9921e057693d70d2f6bf13a04abf816c10fe209cff82cb533596ed313b9d2154
  • SHA512: d48841717c9876c69d6134c40ffe4597a296b55252675de694b462a58ce3b915840bed844bcabe69cc88be46b521d033954256aa479a778e8adad7fce4659ca3
  • SSDEEP: 3072:k1KicwmC8osLn8CKmbOTtLJ+1Lqa6UndLvGi6tKYgHDNbWvi:k1OjC8oenlKmbOTn3a6UnMimONb3

Malware Config

Extracted

  • Family: darkgate
  • Botnet: usr_871663321
  • C2: http://fredlomberhfile.com

Attributes
  • alternative_c2_port: 443
  • anti_analysis: true
  • anti_debug: true
  • anti_vm: true
  • c2_port: 2351
  • check_disk: true
  • check_ram: true
  • check_xeon: true
  • crypter_au3: true
  • crypter_dll: false
  • crypter_rawstub: false
  • crypto_key: hQRoFscUtYUcau
  • internal_mutex: txtMut
  • minimum_disk: 35
  • minimum_ram: 7000
  • ping_interval: 4
  • rootkit: true
  • startup_persistence: true
  • username: usr_871663321

Targets

    • Target: 5cc2ecc53d742b200482b633d471df19bdf979796e8289d89f50cea2.vbs

    • DarkGate: DarkGate is an infostealer written in C++.
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks