General

  • Target: abb556b6e45931b1e27b40f9f5f610dea7c4e59c13a4299899b022d9.zip
  • Size: 998KB
  • Sample: 231019-hqg9tsee2t
  • MD5: 2a6c076ba72788ea5497472fdac8f295
  • SHA1: 36458749523d058fccb47ae7f21a6abd323d415b
  • SHA256: 38a7eb1e2b014b45fcf1b00c8b476f9c8c0b927694998c0c6bcb760162eaab88
  • SHA512: d8f426875c9baa451a33c12a494cb85a3be89af71be9b277ad0bf1487b38d838df040912a7c30aa1336c972b2c093674a6b500c081665669419f990b7c52558b
  • SSDEEP: 24576:sCWHKpN7CvbCj4WBcFaa+AfBkOsBu4YgJDRrU:TWHoCWj4WBa+Y7OucRrU

Malware Config

Extracted

  • Family: darkgate
  • Botnet: civilian1337
  • C2: http://185.130.227.202

Attributes

  • alternative_c2_port: 8080
  • anti_analysis: false
  • anti_debug: false
  • anti_vm: false
  • c2_port: 2351
  • check_disk: false
  • check_ram: false
  • check_xeon: false
  • crypter_au3: false
  • crypter_dll: false
  • crypter_rawstub: true
  • crypto_key: kYQpinTbGbozah
  • internal_mutex: txtMut
  • minimum_disk: 100
  • minimum_ram: 4096
  • ping_interval: 4
  • rootkit: true
  • startup_persistence: true
  • username: civilian1337

Targets

    • Target: abb556b6e45931b1e27b40f9f5f610dea7c4e59c13a4299899b022d9
    • Size: 1.1MB
    • MD5: 85fd43751333aa5d3b831d3d2fafebb7
    • SHA1: fd6e3b35b1059108d92d34660b0c54205d39529b
    • SHA256: a69719f8d5dd3a3725521d32e16623be5f39aa5731a12061cb3e08793c2c66ba
    • SHA512: d2b4f62f6e3e9cc65b741f150970431ebbdbd282cd4646c1f415ac5f8d995c90d79fca73b75f67d844d85f864f753fcd278e776b1df741532728398236582e07
    • SSDEEP: 24576:+tncpVGPS3Hj74zrIbOCFd7m1+DfxQSSTooZVwn3/V4XCAXBv:DpUPS3D8zEbOw7m18ZptMCK

    Signatures

    • DarkGate
      DarkGate is an infostealer written in C++.
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Blocklisted process makes network request
    • Drops startup file
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies file permissions
    • Reads user/profile data of local email clients
      Email clients store some user data on disk, where infostealers often target it.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.
    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks