Analysis
max time kernel: 314s
max time network: 400s
platform: windows10-1703_x64
resource: win10-20231020-en
resource tags: arch:x64, arch:x86, image:win10-20231020-en, locale:en-us, os:windows10-1703-x64, system
submitted: 27-10-2023 19:46
Static task: static1
Behavioral task: behavioral1
Sample: Run-AU3-1.bat
Resource: win10-20231020-en
3 signatures, 600 seconds
General
Target: Run-AU3-1.bat
Size: 27B
MD5: 357727830de82bc1113687368ee84c11
SHA1: 799c33583f05fb2f9a4e25d61117480271124dd2
SHA256: 3a46599f80c7345752b625df247c1b8c35c7331fe71050da77727bf713da58b1
SHA512: dc19d1a23852769775bcd3f9a4089aa8f38b2d5f98ba4d3de7de83f5fe094b1040be60fb05b5fd7147073428e51ef3ddfff11425890d3bc81f5baedab645416a
Score: 10/10
Malware Config
Extracted
Family: darkgate
Botnet: civilian1111
C2: http://185.130.226.220
Attributes
alternative_c2_port: 8080
anti_analysis: true
anti_debug: true
anti_vm: true
c2_port: 2351
check_disk: false
check_ram: false
check_xeon: false
crypter_au3: false
crypter_dll: false
crypter_rawstub: true
crypto_key: vsAuhYDgOqBrvG
internal_mutex: txtMut
minimum_disk: 100
minimum_ram: 4096
ping_interval: 5
rootkit: true
startup_persistence: true
username: civilian1111
Signatures

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: AutoIt3.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AutoIt3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | AutoIt3.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: cmd.exe
description | pid | Process | procid_target
PID 1132 wrote to memory of 4576 | 1132 | cmd.exe | 72
PID 1132 wrote to memory of 4576 | 1132 | cmd.exe | 72
PID 1132 wrote to memory of 4576 | 1132 | cmd.exe | 72
Note: a parent process writing into the address space of a child it has just created is also what ordinary process creation looks like, so this signature is weak on its own and is only meaningful together with the other behavior in this report.
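The extracted configuration and the two behavioral signatures above translate directly into host-level detection logic: the C2 address and ports, the CentralProcessor registry read by a script host, and cmd.exe launching AutoIt3.exe. The following is an added example, not output of the sandbox and not DarkGate or Triage code. The event schema (loosely modelled on Sysmon process, network and registry events) and the sample events are constructed here; that PID 4576 is the AutoIt3.exe process, the AutoIt3 install path, and the list of other script hosts are assumptions of the example.

```python
"""Detection sketch built from the extracted DarkGate config and the two
behavioral signatures in this report. Added example, not part of the sandbox
output. The event schema and SAMPLE_EVENTS are constructed for illustration."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Indicators taken from the report.
C2_HOST = "185.130.226.220"
C2_PORTS = {2351, 8080}          # c2_port and alternative_c2_port
CPU_VALUE_PATH = (r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0"
                  r"\ProcessorNameString")
# AutoIt3.exe is the script host seen in the report; the others are an
# assumption of this example (interpreters that have no business reading the CPU name).
SCRIPT_HOSTS = {"autoit3.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

# Constructed sample telemetry (not real logs). PID 4576 is the process that
# cmd.exe (PID 1132) wrote to in the report; that it is AutoIt3.exe, and its
# install path, are assumptions here.
AUTOIT = r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe"
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 4576, "ppid": 1132, "image": AUTOIT,
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"kind": "registry", "pid": 4576, "image": AUTOIT, "path": CPU_VALUE_PATH, "op": "query"},
    {"kind": "network", "pid": 4576, "image": AUTOIT, "dst_ip": "185.130.226.220", "dst_port": 2351},
    # Benign noise: a browser on 443 and msinfo32 legitimately reading the CPU name.
    {"kind": "network", "pid": 3100, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "203.0.113.7", "dst_port": 443},
    {"kind": "registry", "pid": 2200, "image": r"C:\Windows\System32\msinfo32.exe",
     "path": CPU_VALUE_PATH, "op": "query"},
]

Hit = Optional[Tuple[str, str]]   # (rule name, severity)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_c2_contact(ev: dict) -> Hit:
    """Strong hit on the configured C2 host; port-only matches are weak (8080 is common)."""
    if ev["kind"] != "network":
        return None
    if ev["dst_ip"] == C2_HOST:
        return ("darkgate_c2_host", "high")
    if ev["dst_port"] in C2_PORTS:
        return ("darkgate_c2_port_only", "low")
    return None


def rule_cpu_name_query(ev: dict) -> Hit:
    """The report's registry signature, narrowed to script hosts to cut noise from system tools."""
    if ev["kind"] != "registry" or ev["op"] != "query":
        return None
    if ev["path"].lower() == CPU_VALUE_PATH.lower() and basename(ev["image"]) in SCRIPT_HOSTS:
        return ("script_host_reads_cpu_name", "medium")
    return None


def rule_cmd_spawns_autoit(ev: dict) -> Hit:
    """A parent writing into a freshly created child is normal CreateProcess behavior,
    so instead of WriteProcessMemory alone we key on the cmd.exe -> AutoIt3.exe pair."""
    if ev["kind"] != "process":
        return None
    if basename(ev["parent_image"]) == "cmd.exe" and basename(ev["image"]) == "autoit3.exe":
        return ("cmd_launches_autoit3", "medium")
    return None


RULES = (rule_c2_contact, rule_cpu_name_query, rule_cmd_spawns_autoit)
WEIGHT = {"low": 1, "medium": 2, "high": 4}


def evaluate(events: List[dict]) -> List[dict]:
    """Run every rule over every event and collect the hits."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"pid": ev["pid"], "rule": hit[0], "severity": hit[1]})
    return findings


def score_by_pid(findings: List[dict]) -> Dict[int, int]:
    """Correlate hits per process so several medium signals on one PID add up."""
    scores: Dict[int, int] = defaultdict(int)
    for f in findings:
        scores[f["pid"]] += WEIGHT[f["severity"]]
    return dict(scores)


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print(score_by_pid(found))
```

Against the constructed events only PID 4576 fires, on all three rules, while the browser connection and the msinfo32 registry read produce nothing; the per-PID score is what makes the individually weak registry and process signals worth acting on.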