darkgate | c8711d9c9c0ea4201bd28cc83da804b193fe9b87ff9bd55be3e7ed13b675b2d4

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
20-11-2023 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21112023_0058_leaf_drkgate.exe
Size

405KB
MD5

16fa94fee40b0cf3b8f295c4b0f79a5f
SHA1

ada58a52f52d59514dded5c9ee8fd776e668247e
SHA256

c8711d9c9c0ea4201bd28cc83da804b193fe9b87ff9bd55be3e7ed13b675b2d4
SHA512

2dfb36d0118ed796172ed80885553c7a20e02c6b22429f8e052f1351334cdca6b26aa5d921929157024d6cf0e240205fd0217286b0d0298ee0c96e77f8f7680e
SSDEEP

6144:m5UHKhp9UQpT0E3OWRytzcUE/Gm1GML4xVHbzKlogClfwkJKbbY:QUHKJ0E3OWRytCn3L4xJbmlogClokJL

Score

10^/10

darkgate rockyoudragon stealer

Malware Config

Extracted

Family

darkgate

Botnet

rockyoudragon

http://188.246.224.221

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
2351
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
jHsOoiOBxlimUu
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
rockyoudragon

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 2460 created 1128	2460	21112023_0058_leaf_drkgate.exe	15
PID 2460 created 1224	2460	21112023_0058_leaf_drkgate.exe	20
PID 2460 created 1224	2460	21112023_0058_leaf_drkgate.exe	20
PID 2460 created 1128	2460	21112023_0058_leaf_drkgate.exe	15
PID 2460 created 1224	2460	21112023_0058_leaf_drkgate.exe	20

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	21112023_0058_leaf_drkgate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	21112023_0058_leaf_drkgate.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2460	21112023_0058_leaf_drkgate.exe
2460	21112023_0058_leaf_drkgate.exe
2460	21112023_0058_leaf_drkgate.exe
2460	21112023_0058_leaf_drkgate.exe
2460	21112023_0058_leaf_drkgate.exe
2460	21112023_0058_leaf_drkgate.exe
2460	21112023_0058_leaf_drkgate.exe
2460	21112023_0058_leaf_drkgate.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\21112023_0058_leaf_drkgate.exe
"C:\Users\Admin\AppData\Local\Temp\21112023_0058_leaf_drkgate.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2460-2-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2460-3-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2460-4-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2460-5-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2460-7-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2460-9-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download