darkgate | eaa2a9653157f3e52a379616fcde0911decaf0f069d3ee3f6b31f2d6087afe58

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

decoded.exe
Size

481KB
MD5

853e53f0fd01e14e61498ffea94d70b0
SHA1

834836c3ea33b8d693e3fa01d170814bf87dd532
SHA256

eaa2a9653157f3e52a379616fcde0911decaf0f069d3ee3f6b31f2d6087afe58
SHA512

22356637e4aa2aa4f45366d64d6ae1eea067be41a8e008cc2bd5762cbac226772108c8155a9c2d1f60af61760e9ee331dd0943100e3f83890262b7fde1a89ef2
SSDEEP

12288:Tn0PRXHWqWIbxvMkwi58JXhrtdNq7heBpi5/K2QqnuQ/iA11:TymqWI6kwi58JxrY7hmi5C2Q+u+V11

Score

10^/10

darkgate ioeooow8ur stealer

Malware Config

Extracted

Family

darkgate

Botnet

ioeooow8ur

http://178.236.247.102

Attributes

alternative_c2_port
9999
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
27850
check_disk
true
check_ram
true
check_xeon
false
crypter_au3
true
crypter_dll
false
crypter_rawstub
false
crypto_key
RjRZGzBFKKciHs
internal_mutex
cbdKcC
minimum_disk
50
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
ioeooow8ur

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	decoded.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	decoded.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4592	decoded.exe
4592	decoded.exe

C:\Users\Admin\AppData\Local\Temp\decoded.exe
"C:\Users\Admin\AppData\Local\Temp\decoded.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4592-2-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4592-3-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4592-4-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4592-5-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4592-6-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4592-7-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4592-8-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4592-9-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4592-10-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4592-11-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4592-12-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4592-14-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download