Overview

overview

10

Static

static

1

IAEZWL.js

windows7-x64

8

IAEZWL.js

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    15112023_2001_XKEJA.zip

  • Size

    67KB

  • Sample

    231115-n659gsbh9x

  • MD5

    23bad56daa0c8c1b3eb1b6e2cf7481f5

  • SHA1

    f7cd1493b5b9589339484af451aa271a65981c32

  • SHA256

    e1db6be2a28b6ae3be19732c0c0caf51ae9dfe5db9907e7bdff58b09e5d3c629

  • SHA512

    fe1234aeea23d09e91fe59df26721b850d123743f1ee4cf81de22d197257d8069ba73348a453a5a002ba39307dd6c621b759f8375196ae658bd3e231d8958035

  • SSDEEP

    1536:x2LY/m7c+C2BWCrb1ckCms/Pw2qFUlNtOmascDhuHzRgbj9uh:kLYe7rfrb1cZmcPDvLascDhAO4

Score
10/10
darkgatea11111stealer

Malware Config

Extracted

Family

darkgate

Botnet

A11111

C2

http://faststroygo.com

Attributes
  • alternative_c2_port

    8080

  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_rawstub

    true

  • crypto_key

    sYEvPOjQglaHah

  • internal_mutex

    txtMut

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    4

  • rootkit

    true

  • startup_persistence

    true

  • username

    A11111

Targets

    • Target

      IAEZWL.js

    • Size

      237KB

    • MD5

      ea6fd6ca47514d9c632c119d73aef528

    • SHA1

      0d47cbd6d19a17a57077cbc0d0aa659865458672

    • SHA256

      c788100411c38388afc3438dccc05297ac7a77083f579e4a7e8d6e1479214fde

    • SHA512

      e20079b69e82eb48222635ef03a6f935871ea69f6d7715401ac208bbbb33a5af7fcb8c6c745364b31c2ee07e3f4bf2e5e5c2d1ae6ae87b795fa23230ead290ec

    • SSDEEP

      6144:k7hgXeerjqlI2Iro+Qqn7hgXeerjqlI2Iro+JGxw:ehgSlI23W7hgSlI23Ct

    Score
    10/10
    darkgatea11111stealer

    • DarkGate

      DarkGate is an infostealer written in C++.

      stealerdarkgate

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks