darkgate

General

Target

6da198925581418863170f05b832cd1584b923278d0730d779a30ec96513111d.msi
Size

8.5MB
Sample

231110-1xa37sge59
MD5

fbf5d7b4c5f0e86a95b4fcd5c5ccc534
SHA1

51588315ff4ae36412c337361ea65f84810938d8
SHA256

6da198925581418863170f05b832cd1584b923278d0730d779a30ec96513111d
SHA512

3ef2d34071fc10bed59dbe60df3789524f62b89284cc011f1ab0a790196f9010ef6fa41d809947f52668918aa72c90c17211d6be82707b0f8099df548fb40588
SSDEEP

196608:0eS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9OtaQCK0Ex7FVJi0:0dhVs6WXjX9HZ5AQX32WDb0ExZV8

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://148.113.1.180:8080/CD.hta

Extracted

Family

darkgate

Botnet

PLEX

C2

http://jordanmikejeforse.com

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
8443
check_disk
false
check_ram
true
check_xeon
true
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
yIzFYincIffips
internal_mutex
txtMut
minimum_disk
20
minimum_ram
6000
ping_interval
4
rootkit
true
startup_persistence
true
username
PLEX

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

supera

C2

77.91.124.82:19071

Extracted

Family

redline

Botnet

wolfa

C2

77.91.124.55:19071

Targets

- Target
  
  6da198925581418863170f05b832cd1584b923278d0730d779a30ec96513111d.msi
- Size
  
  8.5MB
- MD5
  
  fbf5d7b4c5f0e86a95b4fcd5c5ccc534
- SHA1
  
  51588315ff4ae36412c337361ea65f84810938d8
- SHA256
  
  6da198925581418863170f05b832cd1584b923278d0730d779a30ec96513111d
- SHA512
  
  3ef2d34071fc10bed59dbe60df3789524f62b89284cc011f1ab0a790196f9010ef6fa41d809947f52668918aa72c90c17211d6be82707b0f8099df548fb40588
- SSDEEP
  
  196608:0eS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9OtaQCK0Ex7FVJi0:0dhVs6WXjX9HZ5AQX32WDb0ExZV8
Score

10^/10

darkgate dcrat mystic redline smokeloader plex supera wolfa backdoor discovery infostealer macro persistence rat stealer trojan upx
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Blocklisted process makes network request
- Suspicious Office macro
  Office document equipped with macros.
  macro
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1