darkgate | f952a08bd33b33d8b9c81a3fae683d476f2ebf096108e6feaa0a02105d61a604

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2023, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Autoit3.exe
Size

872KB
MD5

c56b5f0201a3b3de53e561fe76912bfd
SHA1

2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256

237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512

195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
SSDEEP

12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01

Score

10^/10

darkgate usr_871663321 stealer

Malware Config

Extracted

Family

darkgate

Botnet

usr_871663321

http://fredlomberhfile.com

Attributes

alternative_c2_port
443
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
2351
check_disk
true
check_ram
true
check_xeon
true
crypter_au3
true
crypter_dll
false
crypter_rawstub
false
crypto_key
hQRoFscUtYUcau
internal_mutex
txtMut
minimum_disk
35
minimum_ram
7000
ping_interval
4
rootkit
true
startup_persistence
true
username
usr_871663321

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2890696111-2332180956-3312704074-1000\{BE827ACB-A533-49D0-8C7E-A220D15481C0}	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1584	msedge.exe
1584	msedge.exe
4856	msedge.exe
4856	msedge.exe
5244	msedge.exe
5244	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4772	helppane.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4772	helppane.exe
4772	helppane.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 4856	4772	helppane.exe	99
PID 4772 wrote to memory of 4856	4772	helppane.exe	99
PID 4856 wrote to memory of 916	4856	msedge.exe	100
PID 4856 wrote to memory of 916	4856	msedge.exe	100
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 4872	4856	msedge.exe	101
PID 4856 wrote to memory of 1584	4856	msedge.exe	102
PID 4856 wrote to memory of 1584	4856	msedge.exe	102
PID 4856 wrote to memory of 3068	4856	msedge.exe	103
PID 4856 wrote to memory of 3068	4856	msedge.exe	103
PID 4856 wrote to memory of 3068	4856	msedge.exe	103
PID 4856 wrote to memory of 3068	4856	msedge.exe	103
PID 4856 wrote to memory of 3068	4856	msedge.exe	103
PID 4856 wrote to memory of 3068	4856	msedge.exe	103
PID 4856 wrote to memory of 3068	4856	msedge.exe	103
PID 4856 wrote to memory of 3068	4856	msedge.exe	103
PID 4856 wrote to memory of 3068	4856	msedge.exe	103
PID 4856 wrote to memory of 3068	4856	msedge.exe	103
PID 4856 wrote to memory of 3068	4856	msedge.exe	103
PID 4856 wrote to memory of 3068	4856	msedge.exe	103
PID 4856 wrote to memory of 3068	4856	msedge.exe	103
PID 4856 wrote to memory of 3068	4856	msedge.exe	103
PID 4856 wrote to memory of 3068	4856	msedge.exe	103
PID 4856 wrote to memory of 3068	4856	msedge.exe	103
PID 4856 wrote to memory of 3068	4856	msedge.exe	103
PID 4856 wrote to memory of 3068	4856	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\Autoit3.exe
C:\Users\Admin\AppData\Local\Temp\Autoit3.exe nbquok.au3
1⤵
- Checks processor information in registry
PID:408

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528884
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb32a46f8,0x7ffeb32a4708,0x7ffeb32a4718
    3⤵
    PID:916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,561362139802908103,14972074077729442616,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
    3⤵
    PID:4872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,561362139802908103,14972074077729442616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,561362139802908103,14972074077729442616,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
    3⤵
    PID:3068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,561362139802908103,14972074077729442616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
    3⤵
    PID:2196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,561362139802908103,14972074077729442616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    3⤵
    PID:2756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,561362139802908103,14972074077729442616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
    3⤵
    PID:3000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,561362139802908103,14972074077729442616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
    3⤵
    PID:3624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2196,561362139802908103,14972074077729442616,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4968 /prefetch:8
    3⤵
    PID:5236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2196,561362139802908103,14972074077729442616,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3552 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:5244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d5af55f794f9a10c5943d2f80dde5c5

SHA1
5252adf87d6bd769f2c39b9e8eba77b087a0160d

SHA256
43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764

SHA512
2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
b247a20cbc15f47ea695dd6531e4f1e9

SHA1
d027b905bb512fb16c8f53dbabcd347ff34b7c0b

SHA256
4a14827cb4d26384470fa69afd99d0e42ccc2f01c946f8020238ec8dfff1a05b

SHA512
9eeb85a685a8b8a0f8f370462bf0d8fd4bcfbbe430212d59c043ab06416f41d64622f3b19c7dd51be4cff6e2aec246345242b01c305a828fa4d9321fe5305b3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
317B

MD5
3c11ad4c038bb1b0352f4ace79761943

SHA1
96c99ed7591f1c1abd221ab4e4d12d3efc6e5b54

SHA256
69dd7e48375ed008021322e3eb33f368a076a27859fb5242cafbcf8aba8e5053

SHA512
31a4e2b79dfb78e19fb92c4294dc2df4b7a601a12ee105e6539a6574bc213982410dbce296899c05c0ca41746279a2aa32e7ef32cb820aba6b3255e6999988c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
12bc323a6b3af956a9a622f9076f30b8

SHA1
a0161d5204126a186c154dfc09744d431829655f

SHA256
33796594134400d125695893b168cfc822c6d6b76c965140b1831c9780dad131

SHA512
f48802f3b68d300be8b7491c15deb118b9932013f3d661c6cf0c7b2866b2fe3e504fd9fef6c5f7a54bad0a7884a69d0c6f7ff249cf715c90c460da0e344d8b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7caa8f25a8fa94044391dfc79b4aec5e

SHA1
f5db55465a1d3b29a90e105e5084f094e0b8392d

SHA256
25721b57435a039d4a86b07db0ed86688e4a6d7a4a624ac68fd6c9c43507dae2

SHA512
d1a9c1ded8e3e0cdec0a6fd709c586b08df4f0ff91dd062b2f2dbffe1ddcc7d60f364b6c1175aad3401ec1db4cd571d1f05f5f053e672c06d7852e132bb98602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ea3eb562ae6832a2bf0785ceadcfec6b

SHA1
a55773b14d3350c6fdf9075dda3cba0f8d038247

SHA256
e27b73ea096a878a86c216f6903a35b06353f68379f9c9d000d9a32fe0d4def6

SHA512
a98bc0f24e22535bf59dee45e7aefbccd24ef9ee4bb9c866cb29653bda9bfe714405dabef18260b3209cd542f714df6e04c2d39478b0d22e98019a52b08b1649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3b4d21b415ffee1bd5e495f37ea16dbe

SHA1
b7d1bac99dc60ce4263c171cc10b9fffc367ca05

SHA256
bbb5f0cefbc2ea7144b1d13bb935f80439255a5a79bb11e03967b8546fcfe21e

SHA512
f4c6442304db6ac591f6ce425020ae3ae7307b8418a1218c7fc5e5e31e489a532b7efe4fa480082d309db5004cda827e7f7a375df82cf8af904cb22f9e636c1b

Download Submit
memory/408-1-0x00000000011D0000-0x00000000015D0000-memory.dmp

Filesize
4.0MB

Download
memory/408-5-0x00000000047B0000-0x0000000004B73000-memory.dmp

Filesize
3.8MB

Download
memory/408-4-0x0000000003EE0000-0x0000000003FD5000-memory.dmp

Filesize
980KB

Download
memory/408-3-0x00000000047B0000-0x0000000004B73000-memory.dmp

Filesize
3.8MB

Download
memory/408-2-0x0000000003EE0000-0x0000000003FD5000-memory.dmp

Filesize
980KB

Download