Analysis
max time kernel: 189s
max time network: 622s
platform: windows10-1703_x64
resource: win10-20231020-en
resource tags: arch:x64, arch:x86, image:win10-20231020-en, locale:en-us, os:windows10-1703-x64, system
submitted: 27-10-2023 18:34
Static task: static1
Behavioral task: behavioral1
  Sample: Run-AU3-1.bat
  Resource: win10-20231020-en
Behavioral task: behavioral2
  Sample: Run-AU3-1.bat
  Resource: win10v2004-20231020-en
General
Target: Run-AU3-1.bat
Size: 27B (a one-line batch launcher; the AutoIt3 payload it starts is a separate file and is not covered by the hashes below)
MD5: 357727830de82bc1113687368ee84c11
SHA1: 799c33583f05fb2f9a4e25d61117480271124dd2
SHA256: 3a46599f80c7345752b625df247c1b8c35c7331fe71050da77727bf713da58b1
SHA512: dc19d1a23852769775bcd3f9a4089aa8f38b2d5f98ba4d3de7de83f5fe094b1040be60fb05b5fd7147073428e51ef3ddfff11425890d3bc81f5baedab645416a
Malware Config
Extracted
Family: darkgate
Identifier: civilian1111
C2: http://185.130.226.220

alternative_c2_port: 8080
anti_analysis: true
anti_debug: true
anti_vm: true
c2_port: 2351
check_disk: false
check_ram: false
check_xeon: false
crypter_au3: false
crypter_dll: false
crypter_rawstub: true
crypto_key: vsAuhYDgOqBrvG
internal_mutex: txtMut
minimum_disk: 100
minimum_ram: 4096
ping_interval: 5
rootkit: true
startup_persistence: true
username: civilian1111
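Two things a practitioner wants from the block above: the network indicators (one C2 host, two ports) and an answer to "will this run in my sandbox?". Note that check_ram and check_disk are false, so the minimum_ram and minimum_disk thresholds are inert in this build, while anti_analysis, anti_debug and anti_vm are on. The following script is an added example, not part of the sandbox report or of any DarkGate tooling: it parses a constructed copy of the report's own "key / value / -" layout (a subset of the fields above) and derives those answers. The unit assumptions (minimum_ram in MB, minimum_disk in GB) and all function names are this example's own.

```python
"""Parse a DarkGate config block in the sandbox report's flattened layout and
derive indicators from it. Added example, not the report's or DarkGate's code."""
from urllib.parse import urlparse

# Constructed input mirroring the page: a family / identifier / C2 header,
# then key+value pairs, each record separated by a lone "-" line. Only a
# subset of the page's fields is reproduced here.
CONFIG_TEXT = """\
darkgate
civilian1111
http://185.130.226.220
-
alternative_c2_port
8080
-
anti_analysis
true
-
anti_debug
true
-
anti_vm
true
-
c2_port
2351
-
check_disk
false
-
check_ram
false
-
internal_mutex
txtMut
-
minimum_disk
100
-
minimum_ram
4096
"""


def _coerce(value):
    """Turn the report's string values into bool/int where they clearly are."""
    low = value.lower()
    if low in ("true", "false"):
        return low == "true"
    if value.isdigit():
        return int(value)
    return value


def parse_config(text):
    """Split on the '-' separator lines. The first record is the three-line
    header; every later record must be exactly a key line and a value line."""
    records = [r.strip().splitlines() for r in text.split("\n-\n")]
    family, ident, c2 = records[0]
    cfg = {"family": family, "identifier": ident, "c2": c2}
    for rec in records[1:]:
        if len(rec) != 2:
            raise ValueError(f"malformed record: {rec!r}")
        key, value = rec
        cfg[key] = _coerce(value)
    return cfg


def c2_endpoints(cfg):
    """host:port pairs for a network sensor: the primary and alternative C2
    ports, both on the host taken from the C2 URL."""
    host = urlparse(cfg["c2"]).hostname
    ports = [cfg[k] for k in ("c2_port", "alternative_c2_port") if k in cfg]
    return [f"{host}:{p}" for p in ports]


def sandbox_requirements(cfg):
    """Resources a detonation VM must have for the sample to proceed. A
    disabled check_* switch makes the matching minimum inert (units assumed:
    MB for RAM, GB for disk)."""
    return {
        "ram_mb": cfg["minimum_ram"] if cfg.get("check_ram") else None,
        "disk_gb": cfg["minimum_disk"] if cfg.get("check_disk") else None,
    }


def active_evasions(cfg):
    """Names of the boolean evasion switches that are turned on."""
    switches = ("anti_analysis", "anti_debug", "anti_vm",
                "check_disk", "check_ram", "check_xeon")
    return sorted(k for k in switches if cfg.get(k) is True)


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    print(c2_endpoints(cfg))          # ['185.130.226.220:2351', '185.130.226.220:8080']
    print(sandbox_requirements(cfg))  # {'ram_mb': None, 'disk_gb': None}
    print(active_evasions(cfg))       # ['anti_analysis', 'anti_debug', 'anti_vm']
```

The parser raises on any record that is not a key/value pair, which catches the kind of run-together lines this report layout produces when fields are missing; the derived endpoints are what to feed a blocklist or a network detection, and the empty sandbox requirements confirm that RAM and disk sizing is not what will stop this build from running.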
Signatures

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments: the CPU name string carries a hypervisor-specific identifier on some virtual machines.
Processes:
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  AutoIt3.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      AutoIt3.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Three identical entries: cmd.exe (PID 5044) wrote into the address space of PID 2408 three times. The report does not name the target process. This signature also fires for benign batch files that start a child process, so on its own it is weak evidence; it matters here only alongside the DarkGate config and the CPU check above.
Processes:
  description                       pid   process  procid_target
  PID 5044 wrote to memory of 2408  5044  cmd.exe  72
  PID 5044 wrote to memory of 2408  5044  cmd.exe  72
  PID 5044 wrote to memory of 2408  5044  cmd.exe  72
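To turn the two signatures into host-side detection logic, keep in mind that Sysmon records registry writes (event IDs 12 to 14) but not reads, so a query of ProcessorNameString is only visible through a sandbox API hook or the kernel registry ETW provider, and that a shell writing into another process is ordinary during child-process start-up. The script below is an added example, not the sandbox's or any vendor's code: it runs both checks over a constructed event stream that mirrors the IoCs above (AutoIt3.exe reading ProcessorNameString; cmd.exe PID 5044 writing into PID 2408 three times). The AutoIt3.exe PID, the benign svchost.exe event, the self-write event, the event field names, the extra value names and the allow-list are this example's own assumptions.

```python
"""Detection logic for the two flagged behaviours over constructed events.
Added example, not part of the sandbox report."""
from collections import Counter

CPU_KEY = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"

# Values under CentralProcessor\0 that VM/sandbox checks read.
# ProcessorNameString is the one on the page; the other two are assumptions.
CPU_PROBE_VALUES = {"ProcessorNameString", "VendorIdentifier", "Identifier"}

# Processes allowed to read CPU details without being flagged (assumption).
CPU_READ_ALLOWLIST = {"svchost.exe", "msinfo32.exe"}

# Constructed events. Field names are this example's own; only the cmd.exe
# PIDs (5044 -> 2408) and the AutoIt3.exe key/value come from the report.
EVENTS = [
    {"event": "RegOpenKey", "process": "AutoIt3.exe", "pid": 3100, "key": CPU_KEY},
    {"event": "RegQueryValue", "process": "AutoIt3.exe", "pid": 3100,
     "key": CPU_KEY, "value": "ProcessorNameString"},
    {"event": "RegQueryValue", "process": "svchost.exe", "pid": 900,
     "key": CPU_KEY, "value": "ProcessorNameString"},
    {"event": "WriteProcessMemory", "process": "cmd.exe", "pid": 5044, "target_pid": 2408},
    {"event": "WriteProcessMemory", "process": "cmd.exe", "pid": 5044, "target_pid": 2408},
    {"event": "WriteProcessMemory", "process": "cmd.exe", "pid": 5044, "target_pid": 2408},
    {"event": "WriteProcessMemory", "process": "cmd.exe", "pid": 5044, "target_pid": 5044},
]


def detect_cpu_probe(events, allowlist=CPU_READ_ALLOWLIST):
    """Flag value reads under the CentralProcessor key by processes outside the
    allow-list. Opening the key alone is ignored: it is far noisier than the
    value read, and the report counts the open and the query separately."""
    hits = []
    for ev in events:
        if ev["event"] != "RegQueryValue":
            continue
        if not ev["key"].lower().startswith(CPU_KEY.lower()):
            continue
        if ev.get("value") in CPU_PROBE_VALUES and ev["process"].lower() not in allowlist:
            hits.append((ev["process"], ev["pid"], ev["value"]))
    return hits


def cross_process_writes(events):
    """Count WriteProcessMemory calls per (writer, writer pid, target pid),
    ignoring writes into the caller's own address space."""
    counts = Counter()
    for ev in events:
        if ev["event"] == "WriteProcessMemory" and ev["target_pid"] != ev["pid"]:
            counts[(ev["process"], ev["pid"], ev["target_pid"])] += 1
    return counts


def triage(events):
    """Combine both detections into weighted findings. Cross-process writes
    from a shell are part of ordinary child-process start-up, so they only
    corroborate; the CPU probe is the finding worth a closer look."""
    findings = []
    for proc, pid, value in detect_cpu_probe(events):
        findings.append(("medium", f"{proc}[{pid}] read CPU value {value}"))
    for (proc, pid, target), n in cross_process_writes(events).items():
        weight = "low" if proc.lower() in {"cmd.exe", "powershell.exe"} else "medium"
        findings.append((weight, f"{proc}[{pid}] wrote to PID {target} x{n}"))
    return findings


if __name__ == "__main__":
    for weight, text in triage(EVENTS):
        print(weight, text)
```

The allow-list is deliberately short; in production it would be built from a baseline of which processes read CentralProcessor values on clean hosts, and the weights would be tuned so that a batch launcher alone does not page anyone.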