Overview

overview

10

Static

static

1

55610dd00539.js

windows7-x64

3

55610dd00539.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    08112023_0856_55610dd00539.zip

  • Size

    65KB

  • Sample

    231108-bag6kaba8w

  • MD5

    823c2c36d366fe0e29d135d99f7b428f

  • SHA1

    8cb3a87592e05355101ae8dda900b38fdc975428

  • SHA256

    7515593dc715921093ee22ca732848867719e8bf3a42ebeab02ffee0442dbce0

  • SHA512

    d08af8b5a66ec49ec725df6c0c1773e569cc28762c2f1e94b59c9044ba19e2cfabcf071d0107d7a4a01708bb53f60ef0d75b965ed09367fac46172f4d9e8d640

  • SSDEEP

    1536:eIhw5NV6EGYXQYnNAr56IdobO5AhCKDocR:e24GmA6o5DKkY

Score
10/10
darkgateplexstealer

Malware Config

Extracted

Family

darkgate

Botnet

PLEX

C2

http://adfincolniclo.com

Attributes
  • alternative_c2_port

    8080

  • anti_analysis

    true

  • anti_debug

    true

  • anti_vm

    true

  • c2_port

    8443

  • check_disk

    false

  • check_ram

    true

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_rawstub

    true

  • crypto_key

    XlGcWKEQCWdmzP

  • internal_mutex

    txtMut

  • minimum_disk

    18

  • minimum_ram

    6005

  • ping_interval

    4

  • rootkit

    true

  • startup_persistence

    true

  • username

    PLEX

Targets

    • Target

      55610dd00539.js

    • Size

      253KB

    • MD5

      aeb8f1c6c921fbdde0e82cc6c16d911a

    • SHA1

      7f04a7b709a9061dfbea8c0006b116e7639b04ca

    • SHA256

      26421886a7d4d780f365d6531d6c945211a5a9d180ea1eda9cafdb8571323d62

    • SHA512

      e1e441c59c482fe04bf4574d4c473d24a9003c2f57aac7464407827efc461a9b1b7ab11c0045e7a0cd54df7c63e8cfa40debc54e300164f558b85790b7938ad8

    • SSDEEP

      6144:ae7hgXeerjqlI2Iro+4e7hgXeerjqlI2Iro+8:aIhgSlI23NIhgSlI23V

    Score
    10/10
    darkgateplexstealer

    • DarkGate

      DarkGate is an infostealer written in C++.

      stealerdarkgate

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks