General

  • Target: drama.js
  • Size: 135KB
  • Sample: 231025-ynq2ysfa24
  • MD5: e4f9dc6dce0febfc6b482a72ecae623c
  • SHA1: ab62cf43d293852739dcd538cea9bfcba7583897
  • SHA256: 5736fa697d542ce30f133b77f20b14e98da721381bbebd259c118779f1cf8685
  • SHA512: 50de7dd2dc8364c1b5c1dfed99d2051ba2e584fef71b336771dd2e8f3a49f4f67cd2f17ef72276819081f790bec961e903177c24efe5230aa3224f1228e7d05e
  • SSDEEP: 1536:BZUTSCM9Cfq7u02PmUVdGXjXl4xc5KTPBoMqS7j8frPWgtZPnCUQrNgZnFFQE/0Z:0T9U7hgaX6eerjqlI2IO6MzqfL1

Malware Config

Extracted

  • Family: darkgate
  • Botnet: user_871236672
  • C2: http://taochinashowwers.com

Attributes
  • alternative_c2_port: 8080
  • anti_analysis: true
  • anti_debug: true
  • anti_vm: true
  • c2_port: 2351
  • check_disk: true
  • check_ram: true
  • check_xeon: true
  • crypter_au3: false
  • crypter_dll: false
  • crypter_rawstub: true
  • crypto_key: aujvhepXpZBhyO
  • internal_mutex: txtMut
  • minimum_disk: 40
  • minimum_ram: 7000
  • ping_interval: 4
  • rootkit: true
  • startup_persistence: true
  • username: user_871236672

Targets

    • DarkGate
      DarkGate is an infostealer written in C++.
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.
    • Executes dropped EXE

MITRE ATT&CK Enterprise v15
