darkgate | 1056-126-0x0000000002E50000-0x000000000317A000-memory[.]dmp | Triage

Sharing

General

Target

1056-126-0x0000000002E50000-0x000000000317A000-memory.dmp
Size

3.2MB
MD5

892894991656ae576e2a4322bfd5651d
SHA1

8bb0297c8aa5517eb598d2702658ab1910d28e02
SHA256

67a8acb67576bef20bf95f73b16b09e38645c7cf193ded7b0cf8d5c723d9880f
SHA512

5e43424af8a4a83caf7c53ee86a84c52937185005edaf99cfb08926af3e137ab75edd06b47c2f09e17f032588aae526adcbad15e14ee93196cdfe751a1c32838
SSDEEP

6144:B9v6arXTWm+4itdyp2W9tlULZCtDqFnRGXE+5NfX4gZw:7v6arDWP5dyp2W9tnMnRf+Pfo

Score

10^/10

ads5 darkgate

Malware Config

Extracted

Family

darkgate

Botnet

ADS5

C2

http://sftp.bitepieces.com

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
443
check_disk
true
check_ram
true
check_xeon
true
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
KnqeTJUYsrnUBP
internal_mutex
txtMut
minimum_disk
40
minimum_ram
7000
ping_interval
4
rootkit
true
startup_persistence
true
username
ADS5

Signatures

Darkgate family
darkgate

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
1056-126-0x0000000002E50000-0x000000000317A000-memory.dmp

Files

1056-126-0x0000000002E50000-0x000000000317A000-memory.dmp
.exe windows:4 windows x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 324KB - Virtual size: 324KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ