General
-
Target
1f70fb6ce081900dbf96b51204bd1ea3.bin
-
Size
67KB
-
Sample
231117-bphqmscg63
-
MD5
128013416b4ad21ef1f36d01035561e3
-
SHA1
820bda67df694518e873f24d588be34eda1aa986
-
SHA256
b38ee2e7c26b5754c2a6e2012f461309566fb5033f1cd2a9e11e60b5ea0c5132
-
SHA512
34290d387c9bd1144409bfecc32977ae38e1ffef0e592ac9801d0ea4d9ee376f08b4e1e6794c362bdfdb97825768f6b2be3505ee3effe04eb6a67b7003a5d40b
-
SSDEEP
1536:R0qTK8b1QDayE9h4tajsoLnI2eb4HiZvYN3KTfVqKlmNhl:aqG8b1QDPE9hEajhI2sZJYN3MfV8f
Malware Config
Extracted
darkgate
A11111
http://faststroygo.com
-
alternative_c2_port
8080
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
80
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_rawstub
true
-
crypto_key
sYEvPOjQglaHah
-
internal_mutex
txtMut
-
minimum_disk
100
-
minimum_ram
4096
-
ping_interval
4
-
rootkit
true
-
startup_persistence
true
-
username
A11111
Targets
-
-
Target
JNVEEN.js
-
Size
237KB
-
MD5
ea6fd6ca47514d9c632c119d73aef528
-
SHA1
0d47cbd6d19a17a57077cbc0d0aa659865458672
-
SHA256
c788100411c38388afc3438dccc05297ac7a77083f579e4a7e8d6e1479214fde
-
SHA512
e20079b69e82eb48222635ef03a6f935871ea69f6d7715401ac208bbbb33a5af7fcb8c6c745364b31c2ee07e3f4bf2e5e5c2d1ae6ae87b795fa23230ead290ec
-
SSDEEP
6144:k7hgXeerjqlI2Iro+Qqn7hgXeerjqlI2Iro+JGxw:ehgSlI23W7hgSlI23Ct
Score10/10-
DarkGate
DarkGate is an infostealer written in C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-