Analysis

  • max time kernel
    605s
  • max time network
    580s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-10-2023 18:34

General

  • Target

    Run-AU3-1.bat

  • Size

    27B

  • MD5

    357727830de82bc1113687368ee84c11

  • SHA1

    799c33583f05fb2f9a4e25d61117480271124dd2

  • SHA256

    3a46599f80c7345752b625df247c1b8c35c7331fe71050da77727bf713da58b1

  • SHA512

    dc19d1a23852769775bcd3f9a4089aa8f38b2d5f98ba4d3de7de83f5fe094b1040be60fb05b5fd7147073428e51ef3ddfff11425890d3bc81f5baedab645416a

Malware Config

Extracted

Family

darkgate

Botnet

civilian1111

C2

http://185.130.226.220

Attributes
  • alternative_c2_port

    8080

  • anti_analysis

    true

  • anti_debug

    true

  • anti_vm

    true

  • c2_port

    2351

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_rawstub

    true

  • crypto_key

    vsAuhYDgOqBrvG

  • internal_mutex

    txtMut

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    5

  • rootkit

    true

  • startup_persistence

    true

  • username

    civilian1111
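
The extracted configuration is directly usable for hunting. The following Python is an added example, not part of this report: it turns the C2 host and both configured ports into network IOCs, runs them over constructed firewall log lines, and checks whether a source talks to the C2 at the configured ping_interval. The log format, the internal hosts and the assumption that beacons go to c2_port / alternative_c2_port on the C2 host are constructed for the example.

```python
"""Added example: DarkGate config -> network IOCs -> match and beacon check.
Constructed input; not code from the sandbox report."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Values copied from the "Malware Config" section of this report.
DARKGATE_CONFIG = {
    "c2": "http://185.130.226.220",
    "c2_port": 2351,
    "alternative_c2_port": 8080,
    "ping_interval": 5,  # seconds between beacons, per the extracted config
}


def config_to_iocs(cfg):
    """Return the set of (host, port) pairs a beacon is expected to hit."""
    host = urlparse(cfg["c2"]).hostname
    return {(host, cfg["c2_port"]), (host, cfg["alternative_c2_port"])}


# Constructed firewall log lines (hypothetical format: ts src dst:port action).
SAMPLE_LOG = """\
2023-10-27T18:35:01Z 10.0.0.5 185.130.226.220:2351 ALLOW
2023-10-27T18:35:06Z 10.0.0.5 185.130.226.220:2351 ALLOW
2023-10-27T18:35:11Z 10.0.0.5 185.130.226.220:2351 ALLOW
2023-10-27T18:35:12Z 10.0.0.7 93.184.216.34:443 ALLOW
2023-10-27T18:35:16Z 10.0.0.5 185.130.226.220:2351 ALLOW
2023-10-27T18:35:40Z 10.0.0.9 185.130.226.220:8080 DENY
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+)$")


def match_lines(log_text, iocs):
    """Return (timestamp, src, dst, port) for every line that hits an IOC."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, src, dst, port, _action = m.groups()
        if (dst, int(port)) in iocs:
            hits.append((ts, src, dst, int(port)))
    return hits


def beaconing_sources(hits, interval, tolerance=1.0, min_hits=3):
    """Group hits per (src, dst, port) flow and flag flows whose inter-connection
    gaps all sit within `tolerance` seconds of the configured ping_interval."""
    by_flow = defaultdict(list)
    for ts, src, dst, port in hits:
        by_flow[(src, dst, port)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    flagged = []
    for flow, times in by_flow.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and all(abs(g - interval) <= tolerance for g in gaps):
            flagged.append(flow)
    return flagged


if __name__ == "__main__":
    iocs = config_to_iocs(DARKGATE_CONFIG)
    hits = match_lines(SAMPLE_LOG, iocs)
    print(beaconing_sources(hits, DARKGATE_CONFIG["ping_interval"]))
```

A single denied connection to the alternative port (10.0.0.9 above) is still an IOC hit but is not reported as beaconing; the interval check needs several connections from one source so that one-off scans or sinkholed probes do not get the same weight as a live implant.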

Signatures

  • DarkGate

    DarkGate is a loader/RAT with infostealer functionality, written in Delphi; its payload is commonly staged by an AutoIt3 script, as it is in this sample (AutoIt3.exe bone.au3).

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information (typically the HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 key) is often read to detect sandboxing environments; this is consistent with the anti_vm flag in the extracted config.

  • Suspicious use of WriteProcessMemory (3 IoCs)

    The only process tagged is cmd.exe (PID 448), the parent that spawned AutoIt3.exe; a parent writing into a child it has just created is expected during process creation, so this tag is weak evidence of injection on its own. The unpacked payload lives in the AutoIt3.exe process (PID 4952), which is where the memory dumps below were taken.

Processes

  • [depth 1] C:\Windows\system32\cmd.exe (PID 448)
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Run-AU3-1.bat"
    • Suspicious use of WriteProcessMemory
    • [depth 2] C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe (PID 4952)
      AutoIt3.exe bone.au3
      • Checks processor information in registry

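The process chain above (cmd.exe running a .bat from the user's Temp directory, which launches an AutoIt3.exe interpreter copied into the same Temp directory with a .au3 script) is the detectable part of this delivery. The following Python is an added example, not part of the report: it scores process-creation events for that pattern, using constructed events with hypothetical field names rather than a real sensor schema, and includes a benign AutoIt run to show what does not fire.

```python
"""Added example: flag the cmd.exe -> AutoIt3.exe loader chain from process events.
Constructed input; not code from the sandbox report."""
import ntpath
import shlex

# Constructed events mirroring the report's process tree, plus a benign AutoIt run.
# Field names (pid, ppid, image, cmdline) are hypothetical.
EVENTS = [
    {"pid": 448, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Run-AU3-1.bat"'},
    {"pid": 4952, "ppid": 448, "image": r"C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe bone.au3"},
    {"pid": 5000, "ppid": 1000, "image": r"C:\Program Files\AutoIt3\AutoIt3.exe",
     "cmdline": r'"C:\Program Files\AutoIt3\AutoIt3.exe" C:\Scripts\backup.au3'},
]

# Directories a standard user can write to; an interpreter running from here is a
# stronger signal than the same interpreter installed under Program Files.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


def in_user_writable(path):
    return any(part in path.lower() for part in USER_WRITABLE)


def script_args(cmdline):
    """Arguments after the executable; posix=False keeps Windows backslashes intact."""
    return shlex.split(cmdline, posix=False)[1:]


def autoit_loader_hits(events):
    """Return (pid, reasons) for AutoIt3.exe processes matching at least two
    of: user-writable image path, .au3 script argument, cmd.exe/.bat parent."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "autoit3.exe":
            continue
        reasons = []
        if in_user_writable(e["image"]):
            reasons.append("AutoIt3.exe running from a user-writable directory")
        if any(a.strip('"').lower().endswith(".au3") for a in script_args(e["cmdline"])):
            reasons.append("interpreter launched with a .au3 script")
        parent = by_pid.get(e["ppid"])
        if (parent and ntpath.basename(parent["image"]).lower() == "cmd.exe"
                and ".bat" in parent["cmdline"].lower()):
            reasons.append("parent is cmd.exe running a .bat file")
        if len(reasons) >= 2:
            hits.append((e["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in autoit_loader_hits(EVENTS):
        print(pid, reasons)
```

Requiring two of the three conditions keeps a legitimately installed AutoIt3 running a scheduled script out of the results while still catching the Temp-directory copy even when the parent is something other than cmd.exe (for example a script engine or an archive extractor).
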
Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/4952-1-0x0000000000F40000-0x0000000001340000-memory.dmp

    Filesize

    4.0MB

  • memory/4952-2-0x0000000004230000-0x000000000455A000-memory.dmp

    Filesize

    3.2MB

  • memory/4952-3-0x0000000000F40000-0x0000000001340000-memory.dmp

    Filesize

    4.0MB

  • memory/4952-4-0x0000000004230000-0x000000000455A000-memory.dmp

    Filesize

    3.2MB
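
The dump names encode the PID, a capture sequence number and the virtual address range of the region. The following Python is an added example, not part of the report: it parses the names listed above, verifies that the listed sizes match the address ranges, and groups captures that cover the same region. The names and sizes are copied from this page; nothing else is assumed.

```python
"""Added example: parse sandbox memory-dump names, check sizes, group regions.
Input copied from the report's Downloads list; not code from the report."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# (name, listed size) pairs as they appear in the Downloads section.
DUMPS = [
    ("memory/4952-1-0x0000000000F40000-0x0000000001340000-memory.dmp", "4.0MB"),
    ("memory/4952-2-0x0000000004230000-0x000000000455A000-memory.dmp", "3.2MB"),
    ("memory/4952-3-0x0000000000F40000-0x0000000001340000-memory.dmp", "4.0MB"),
    ("memory/4952-4-0x0000000004230000-0x000000000455A000-memory.dmp", "3.2MB"),
]


def parse_dump_name(name):
    """Split a dump name into pid, capture sequence, start/end address and size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_mib(nbytes):
    """Format a byte count the way the report lists it: one decimal, base 1024."""
    return f"{nbytes / 1048576:.1f}MB"


def check_sizes(dumps):
    """Return the names whose computed size disagrees with the listed size."""
    return [name for name, listed in dumps
            if human_mib(parse_dump_name(name)["size"]) != listed]


def group_regions(dumps):
    """Map each (pid, start, end) region to the sequence numbers that captured it."""
    regions = defaultdict(list)
    for name, _ in dumps:
        d = parse_dump_name(name)
        regions[(d["pid"], d["start"], d["end"])].append(d["seq"])
    return dict(regions)


if __name__ == "__main__":
    print("size mismatches:", check_sizes(DUMPS))
    for (pid, start, end), seqs in group_regions(DUMPS).items():
        print(f"pid {pid} 0x{start:X}-0x{end:X} ({human_mib(end - start)}) captured as {seqs}")
```

Captures 1 and 3 cover one region and captures 2 and 4 cover another, both inside the AutoIt3.exe process (PID 4952); hashing or diffing each pair shows whether the region changed between the two points in the run, which is the quickest way to pick the later, fully unpacked copy for static analysis.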