General
- Target: 15112023_2001_XKEJA.zip
- Size: 67KB
- Sample: 231115-n659gsbh9x
- MD5: 23bad56daa0c8c1b3eb1b6e2cf7481f5
- SHA1: f7cd1493b5b9589339484af451aa271a65981c32
- SHA256: e1db6be2a28b6ae3be19732c0c0caf51ae9dfe5db9907e7bdff58b09e5d3c629
- SHA512: fe1234aeea23d09e91fe59df26721b850d123743f1ee4cf81de22d197257d8069ba73348a453a5a002ba39307dd6c621b759f8375196ae658bd3e231d8958035
- SSDEEP: 1536:x2LY/m7c+C2BWCrb1ckCms/Pw2qFUlNtOmascDhuHzRgbj9uh:kLYe7rfrb1cZmcPDvLascDhAO4
Static task: static1
Behavioral task: behavioral1
- Sample: IAEZWL.js
- Resource: win7-20231025-en
Malware Config
Extracted
- darkgate
- A11111
- http://faststroygo.com
- alternative_c2_port: 8080
- anti_analysis: false
- anti_debug: false
- anti_vm: false
- c2_port: 80
- check_disk: false
- check_ram: false
- check_xeon: false
- crypter_au3: false
- crypter_dll: false
- crypter_rawstub: true
- crypto_key: sYEvPOjQglaHah
- internal_mutex: txtMut
- minimum_disk: 100
- minimum_ram: 4096
- ping_interval: 4
- rootkit: true
- startup_persistence: true
- username: A11111
Targets
- Target: IAEZWL.js
- Size: 237KB
- MD5: ea6fd6ca47514d9c632c119d73aef528
- SHA1: 0d47cbd6d19a17a57077cbc0d0aa659865458672
- SHA256: c788100411c38388afc3438dccc05297ac7a77083f579e4a7e8d6e1479214fde
- SHA512: e20079b69e82eb48222635ef03a6f935871ea69f6d7715401ac208bbbb33a5af7fcb8c6c745364b31c2ee07e3f4bf2e5e5c2d1ae6ae87b795fa23230ead290ec
- SSDEEP: 6144:k7hgXeerjqlI2Iro+Qqn7hgXeerjqlI2Iro+JGxw:ehgSlI23W7hgSlI23Ct
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE