darkgate | d2dcaec93d82105a85aa59a8c4bc3fb68cd84eefd9bac9caec917a6554ef63fe | Triage

Sharing

General

Target

NEAS.d2dcaec93d82105a85aa59a8c4bc3fb68cd84eefd9bac9caec917a6554ef63fezip_JC.zip
Size

254KB
Sample

231019-ybw3face72
MD5

5d04f41fc9f1b6c802f6927e2fa12882
SHA1

d015e659770dce7cf6587856fc108c7d67fd8536
SHA256

d2dcaec93d82105a85aa59a8c4bc3fb68cd84eefd9bac9caec917a6554ef63fe
SHA512

98d28190f6e0f1764e290b6f49d270be80049ea8253d717987cfc3b5c42d89c21fa70124e976ccc62daca4cf6414a125fd2ad663cd4885eb57b3bffc3accb4bc
SSDEEP

1536:6AIMFFdYMxAcEQDFXiAIMFFdYMxAcEQDHAIMFFdYMxAcEQD7AIMFFdYMxAcEQDtp:6EY8BFXiEY8BHEY8B7EY8BREY8BM

Score

10^/10

darkgate ricoc3 stealer

Malware Config

Extracted

Family

darkgate

Botnet

Ricoc3

C2

http://hgfdytrywq.com

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
uwCQCDKnhIZhrE
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
Ricoc3

Targets

- Target
  
  Embarking_on_Our_Renewed_Mission_and_Values_2023_Confidential.js
- Size
  
  49KB
- MD5
  
  c19568c51692a5b4dbfc29c02fafcf8d
- SHA1
  
  b265c4f15c591a241d19c7284efeeb1e73407df0
- SHA256
  
  c8c425368b40c30a09a8e4990e53a1df4c29493ad138287493da0d6f56f1dade
- SHA512
  
  329efccd2808ffd1ee7c6e741890aad2ee22705bd0c2703a11f054e6d29520964c39edfb039cf3834c0e23990994b95748edb74944fdfad1d8c78e5adc9b4dbc
- SSDEEP
  
  768:pBA7PMMFA0tdlXKNSR4vlGRep2lcwJeL+C2jQdc7YCORUQuFBt3Dxt7niEL:nAIMFFdYMxAcEQDFXL
Score

10^/10

darkgate ricoc3 stealer
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Navigating_Our_Evolution_October_2023_Confidential.js
- Size
  
  50KB
- MD5
  
  e65b29d3b1c48e5ca3d77588e6375382
- SHA1
  
  ef407527c8228d8a1b7bc1ec5c1c4000464498ad
- SHA256
  
  1706dccb08d8fa1a4e38ae118a4137c0ab4bb6b906eef24693a422a30b465e2d
- SHA512
  
  d2fb401af2cf8a4d5c152dfceead38b0693103e100dafa060f6bde0a3241aa3061892bede91bb71255cd608c4200f93131e2fbdb58895620a3bf1591ddfb87e2
- SSDEEP
  
  768:pBA7PMMFA0tdlXKNSR4vlGRep2lcwJeL+C2jQdc7YCORUQuFBt3Cj0yFUK:nAIMFFdYMxAcEQDg
Score

10^/10

darkgate ricoc3 stealer
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
behavioral3 behavioral4
- Target
  
  Redefining_Our_Structural_Canvas_2023_Confidential.js
- Size
  
  50KB
- MD5
  
  6e0b712bbd5e1a3ee9eb2098cadf0a90
- SHA1
  
  53697a5a284e0584181e3c3d4303cded6e58f2f2
- SHA256
  
  ac61469d96805f9590d80397ed8fca735b718c000026ff5d99672c791d4707b7
- SHA512
  
  55d1197aba1a398719a0d33c16ed25f757f4f6d4ea11a3870ebbd96ae3530e1064e3885f0ad8cbfd540829e989abc9ac463d5ed36044af4db5ee1b3fce8a41d9
- SSDEEP
  
  768:pBA7PMMFA0tdlXKNSR4vlGRep2lcwJeL+C2jQdc7YCORUQuFBt3WSLbsX6:nAIMFFdYMxAcEQDn
Score

10^/10

darkgate ricoc3 stealer
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  Role_Directives_Effective_2023_Confidential.js
- Size
  
  51KB
- MD5
  
  98a065c330d0e987786793a243f7f53e
- SHA1
  
  277fc8a50892980c5523d1e1706d706d64e76624
- SHA256
  
  54464835989986ae3804a570f5e3b299db8cb2a19a47d6444b1d410ad51586ee
- SHA512
  
  ea07611e517669fc9dc3987d57598ccc33487035b1d22a346e40a6c06fcb8f38d1dd1f821bff8a478730ba73913ab518ad41301d13b61aee36fbe680e9943c23
- SSDEEP
  
  768:pBA7PMMFA0tdlXKNSR4vlGRep2lcwJeL+C2jQdc7YCORUQuFBt3PywbIp9:nAIMFFdYMxAcEQDtk9
Score

10^/10

darkgate ricoc3 stealer
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  Transition_Journey_2023_Confidential.js
- Size
  
  50KB
- MD5
  
  83914282d9c9680c567121cc18dac066
- SHA1
  
  f80092da919ee472ac673c96da20d28c96a30b27
- SHA256
  
  412a2790effdc2b85bb83bdf1106fe2f2471df8dfd81df07084ba31371aa8887
- SHA512
  
  0f8429f3a2a3c1d972d657c39bd5092395d9b108fbf08ead143daac720a637019222e0a61ed9fba35a9fc2f155c5b060d23ff77cadc31041eb2c5017a24f272b
- SSDEEP
  
  768:pBA7PMMFA0tdlXKNSR4vlGRep2lcwJeL+C2jQdc7YCORUQuFBt3TWpe5q:nAIMFFdYMxAcEQDK
Score

10^/10

darkgate ricoc3 stealer
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

darkgatericoc3stealer

behavioral3

behavioral4

darkgatericoc3stealer

behavioral5

behavioral6

darkgatericoc3stealer

behavioral7

behavioral8

darkgatericoc3stealer

behavioral9

behavioral10

darkgatericoc3stealer