Overview

overview

10

Static

static

10

08112023_2...sg.exe

windows7-x64

10

08112023_2...sg.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-11-2023 15:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08112023_2347_drkgate_fsg.exe

  • Size

    405KB

  • MD5

    1aa04a5bfb041fe8e136ec0bd5c92e33

  • SHA1

    cfa32f6bdf7a64869a5166935ad8d027d4d90b4d

  • SHA256

    22347a3c12046ab10f8d0e087d0ae71338581b9e0e146b01da281a226c47268a

  • SHA512

    c0b3e27afd239cddf88e309e4f9733501cb3ddf09e11e7cf55a698e31c5dab5dc6723b2ef46906687187b28e6211e176a04afaca58887134efad7aada91298ab

  • SSDEEP

    6144:+5UHKhp9UQpT0E3OWRytzcUE/GLRqpBwPfoCc4S3XuivrjkXRJfa:oUHKJ0E3OWRytCi6BwPyTnuivvkXR

Score
10/10
darkgateplexstealer

Malware Config

Extracted

Family

darkgate

Botnet

PLEX

C2

http://homeservicetreking.com

Attributes
  • alternative_c2_port

    8080

  • anti_analysis

    true

  • anti_debug

    true

  • anti_vm

    true

  • c2_port

    8443

  • check_disk

    false

  • check_ram

    true

  • check_xeon

    true

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_rawstub

    true

  • crypto_key

    tJAEBsRlHobUrN

  • internal_mutex

    txtMut

  • minimum_disk

    18

  • minimum_ram

    6009

  • ping_interval

    4

  • rootkit

    true

  • startup_persistence

    true

  • username

    PLEX

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08112023_2347_drkgate_fsg.exe
    "C:\Users\Admin\AppData\Local\Temp\08112023_2347_drkgate_fsg.exe"
    1⤵
    • Checks processor information in registry
    PID:1252
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
      PID:2432
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k UnistackSvcGroup
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4608

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
      Filesize

      16KB

      MD5

      fb2d97b4625c8e53f4e71bf5460fd87d

      SHA1

      3f6075c5d002bea1bb81185341d07956a24c0503

      SHA256

      69f40912599996a26a68744df1a4aae73d73809982e2cdf59ce62e4ee05c3fd3

      SHA512

      a08c43527c367a0c95d9c55bfe29db9beb58fb44e1f1c6dfc8630edec0673c7b3ccc9274b06bbcaeb1c50e0db4a7dd2b287e73e93fd1a1e79df5856c8caba025

      Download Submit
    • memory/1252-0-0x0000000000400000-0x0000000000465000-memory.dmp
      Filesize

      404KB

      Download
    • memory/4608-42-0x0000021952AB0000-0x0000021952AB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4608-34-0x0000021952AB0000-0x0000021952AB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4608-43-0x0000021952AB0000-0x0000021952AB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4608-35-0x0000021952AB0000-0x0000021952AB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4608-36-0x0000021952AB0000-0x0000021952AB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4608-37-0x0000021952AB0000-0x0000021952AB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4608-38-0x0000021952AB0000-0x0000021952AB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4608-39-0x0000021952AB0000-0x0000021952AB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4608-45-0x00000219526D0000-0x00000219526D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4608-41-0x0000021952AB0000-0x0000021952AB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4608-69-0x0000021952930000-0x0000021952931000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4608-33-0x0000021952A90000-0x0000021952A91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4608-40-0x0000021952AB0000-0x0000021952AB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4608-44-0x00000219526E0000-0x00000219526E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4608-47-0x00000219526E0000-0x00000219526E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4608-50-0x00000219526D0000-0x00000219526D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4608-53-0x0000021952610000-0x0000021952611000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4608-1-0x000002194A3A0000-0x000002194A3B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4608-65-0x0000021952810000-0x0000021952811000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4608-67-0x0000021952820000-0x0000021952821000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4608-68-0x0000021952820000-0x0000021952821000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4608-17-0x000002194A4A0000-0x000002194A4B0000-memory.dmp
      Filesize

      64KB

      Download