General

  • Target

    02112023_2237_00package.js

  • Size

    135KB

  • Sample

    231102-rzedzadc3w

  • MD5

    acd09f544443ccf50e6fe55d27ea3b5f

  • SHA1

    4492e105277b8c058995de59b85ab9cf03b77bd9

  • SHA256

    8df36c2cea92f6e1e476ac5643adb276af2735356c3f388e08682016f242a5dd

  • SHA512

    a4fe157045b179031f49388f4019b72e418c97b752a7c2d59f9bf9172c0f11a7550af76322295b21cc7ff6ac7b131c93c5a62511e7aaab6fe567c8e613b98ad4

  • SSDEEP

    1536:BZUTSCM9Cfq7u02PmUVdGXjXl4xc5KTPBoMqS7j8frPWgtZPnCUQrNgZnFFQE/0r:0T9U7hgaX6eerjqlI2IO6Mzqfsf/m

Score
10/10

Malware Config

Extracted

Family

darkgate

Botnet

ADS5

C2

http://sftp.noheroway.com

Attributes
  • alternative_c2_port

    8080

  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    443

  • check_disk

    true

  • check_ram

    true

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_rawstub

    true

  • crypto_key

    QMUPRuePoaYqwJ

  • internal_mutex

    txtMut

  • minimum_disk

    90

  • minimum_ram

    5000

  • ping_interval

    4

  • rootkit

    true

  • startup_persistence

    true

  • username

    ADS5

Targets

    • Target

      02112023_2237_00package.js

    • Size

      135KB

    • MD5

      acd09f544443ccf50e6fe55d27ea3b5f

    • SHA1

      4492e105277b8c058995de59b85ab9cf03b77bd9

    • SHA256

      8df36c2cea92f6e1e476ac5643adb276af2735356c3f388e08682016f242a5dd

    • SHA512

      a4fe157045b179031f49388f4019b72e418c97b752a7c2d59f9bf9172c0f11a7550af76322295b21cc7ff6ac7b131c93c5a62511e7aaab6fe567c8e613b98ad4

    • SSDEEP

      1536:BZUTSCM9Cfq7u02PmUVdGXjXl4xc5KTPBoMqS7j8frPWgtZPnCUQrNgZnFFQE/0r:0T9U7hgaX6eerjqlI2IO6Mzqfsf/m

    Score
    10/10
    • DarkGate

      DarkGate is an infostealer written in C++.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks