General

  • Target

    5e5704e30401f1ba9906e382f6a7c684.bin

  • Size

    8.4MB

  • Sample

    231110-ccnlsshd7z

  • MD5

    8093209c04d23d46ee6d31c4aceb704f

  • SHA1

    ffc957eac233317d66ee7d724cd4bfed91a24650

  • SHA256

    9a6e9e43f806b09f54982ed2b438c3d46d9403ff5488d6649e0c5f08d6ce64f4

  • SHA512

    3f6a4c834cbd3ce8d820602ffd5cf5f56849b5a2cff8f1a792c3bde3277153375215702c47a9e96d46c40481a6bf001fc85ddbcde7a344055296c5addbac7c39

  • SSDEEP

    196608:/0mXLAHt+Y22kpsm+k5wMuozdwfV1eP10sOKmbKchSU/:MmXLutZ2V5/dPWKmuchv/

Malware Config

Extracted

Family

darkgate

Botnet

PLEX

C2

http://homeservicetreking.com

Attributes
  • alternative_c2_port

    8080

  • anti_analysis

    true

  • anti_debug

    true

  • anti_vm

    true

  • c2_port

    8443

  • check_disk

    false

  • check_ram

    true

  • check_xeon

    true

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_rawstub

    true

  • crypto_key

    mnNxiNpBWVirQR

  • internal_mutex

    txtMut

  • minimum_disk

    20

  • minimum_ram

    6024

  • ping_interval

    4

  • rootkit

    true

  • startup_persistence

    true

  • username

    PLEX
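The attributes above are what decide whether this sample detonates at all: with check_ram and check_xeon set, a stock 4 GB analysis VM or anything whose CPU brand string reads "Xeon" gets no further than the environment checks, while check_disk is off so minimum_disk is never enforced. The following is an added example (not part of this report and not DarkGate's own code) that loads the extracted values as a constructed dictionary, expands the C2 host with both configured ports, and evaluates the enabled gating checks against a described host. The comparison direction (host value must be at least the configured minimum) and the case-insensitive "xeon" substring match are assumptions drawn from public DarkGate write-ups, not from this page.

```python
from urllib.parse import urlparse

# Constructed from the "Extracted" config block of this report.
CONFIG = {
    "family": "darkgate",
    "botnet": "PLEX",
    "c2": ["http://homeservicetreking.com"],
    "c2_port": 8443,
    "alternative_c2_port": 8080,
    "anti_vm": True,
    "check_ram": True,
    "minimum_ram": 6024,       # MB, as reported by the extractor
    "check_xeon": True,
    "check_disk": False,
    "minimum_disk": 20,        # GB; not enforced because check_disk is false
    "internal_mutex": "txtMut",
    "crypto_key": "mnNxiNpBWVirQR",
}


def c2_urls(config):
    """Expand every C2 host with the primary and the alternative port."""
    urls = []
    for base in config["c2"]:
        parsed = urlparse(base)
        scheme = parsed.scheme or "http"
        host = parsed.netloc or parsed.path      # handles a bare hostname too
        for port in (config["c2_port"], config["alternative_c2_port"]):
            urls.append(f"{scheme}://{host}:{port}/")
    return urls


def environment_checks(config, host):
    """Return {check_name: passed} for each check the config enables.

    `host` describes the machine under test:
        ram_mb   - total physical RAM in MB
        disk_gb  - size of the system drive in GB
        cpu_name - processor brand string
    Assumption: a check passes when the host value is >= the configured
    minimum, and the Xeon check passes when "xeon" is absent from the CPU name.
    """
    results = {}
    if config.get("check_ram"):
        results["ram"] = host["ram_mb"] >= config["minimum_ram"]
    if config.get("check_xeon"):
        results["xeon"] = "xeon" not in host["cpu_name"].lower()
    if config.get("check_disk"):
        results["disk"] = host["disk_gb"] >= config["minimum_disk"]
    return results


def would_run(config, host):
    """True when every enabled check passes, i.e. the sample would proceed."""
    return all(environment_checks(config, host).values())


if __name__ == "__main__":
    # Constructed host profiles: a default-sized sandbox and a user workstation.
    sandbox = {"ram_mb": 4096, "disk_gb": 60,
               "cpu_name": "Intel(R) Xeon(R) Gold 6130 CPU @ 2.10GHz"}
    workstation = {"ram_mb": 16384, "disk_gb": 512,
                   "cpu_name": "Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz"}
    print("C2 URLs to block/hunt:")
    for url in c2_urls(CONFIG):
        print("  ", url)
    print("sandbox     ->", environment_checks(CONFIG, sandbox),
          "runs:", would_run(CONFIG, sandbox))
    print("workstation ->", environment_checks(CONFIG, workstation),
          "runs:", would_run(CONFIG, workstation))
```

For this sample, then, an analysis VM needs to present at least 6024 MB of RAM and a CPU brand string without "Xeon" to reach the C2 stage; disk size does not matter here because check_disk is false, but it would if another build flips that flag.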

Targets

    • Target

      3d36c21c7f255ba1596da6e9a771b61d5120113376f519d13b336343362f2b4a.msi

    • Size

      8.5MB

    • MD5

      5e5704e30401f1ba9906e382f6a7c684

    • SHA1

      f3d67076e491ab59f33a06afcd00a42d9a344711

    • SHA256

      3d36c21c7f255ba1596da6e9a771b61d5120113376f519d13b336343362f2b4a

    • SHA512

      a83c23efb0cc54a666a322a8d492c53ea9fc5a2de9b53dfadaab7d98724fcb53c93edbddb174f381e02e9cc47b0a4ba5bb217ce01069937c6e4bdd1a7dedd514

    • SSDEEP

      196608:xeS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9lqFM2CMhimhs4W:xdhVs6WXjX9HZ5AQX32WDuqRCMhif4W

    • DarkGate

      DarkGate is a commodity loader and remote-access trojan with information-stealing capabilities; its core is written in Delphi.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic           Technique                                     Hits  ID
  Defense Evasion  File and Directory Permissions Modification   1     T1222
  Discovery        Query Registry                                3     T1012
  Discovery        Peripheral Device Discovery                   2     T1120
  Discovery        System Information Discovery                  3     T1082
