General

  • Target: 434a13.msi.zip
  • Size: 2.1MB
  • Sample: 231014-dmbknafa42
  • MD5: 71f4c042682719671c03cca48047909e
  • SHA1: f437d770d937ced05f009ff3636e44f3e66fa9d6
  • SHA256: 4b43e46ada9ab339f93065a0941356523b96906becfdce37779629f6f57852d0
  • SHA512: 1b08ecbcc454801e73f4908a5e3f16205c258bb4277717dfd524e7fcd21c7c7f441c434463950bbaa1275d4d31274bc7c87de40254ae0731191ee9e70117cf83
  • SSDEEP: 49152:L2E8qDOr5guooEg0LGWZc05Q/B9Du/Gcr6Oj2U/sgSSiFNphMV:LL8qD4gnoPsgK6fuLStE

Malware Config

Extracted

  • Family: darkgate
  • Botnet: ioeooow8ur
  • C2: http://178.236.247.102

Attributes

  • alternative_c2_port: 9999
  • anti_analysis: false
  • anti_debug: false
  • anti_vm: false
  • c2_port: 27850
  • check_disk: true
  • check_ram: true
  • check_xeon: false
  • crypter_au3: true
  • crypter_dll: false
  • crypter_rawstub: false
  • crypto_key: RjRZGzBFKKciHs
  • internal_mutex: cbdKcC
  • minimum_disk: 50
  • minimum_ram: 4096
  • ping_interval: 4
  • rootkit: true
  • startup_persistence: true
  • username: ioeooow8ur

Targets

    • Target: 510af6dd87757c71cf084db4d924f5c7b6ff8cdfffc5084b98256b42078bcd5f
    • Size: 2.2MB
    • MD5: eb6c9dd67ac627ad54d1d9d98f6b779b
    • SHA1: 253d0ec6919bffc194e1574806e3c8b1a7e7fcfc
    • SHA256: 510af6dd87757c71cf084db4d924f5c7b6ff8cdfffc5084b98256b42078bcd5f
    • SHA512: 9ba437b075964d45f1f48f5fdfae4259d7480dfbc511ca567d054c0ec5c56df4a90867ed00d1955d2686100a12ad91c11136c7a657d85146578fe9251e094bc0
    • SSDEEP: 49152:ypUPhpzVy45pV1KnCx9HYMLEnYnHzIEdsvtyOABCRv4hMh:ypgpzVhpTKnC/4MLEizIbtUBCRv4q

    • DarkGate
      DarkGate is an infostealer written in C++.
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Drops startup file
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies file permissions
    • Blocklisted process makes network request
    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15
