darkgate | 2888922c2d748ea0498725011645efb6d4f35c858e3a158d58357df12a5e63cc | Triage

Sharing

General

Target

21112023_0057_Wire_Transfer_Recipient.pdf.zip
Size

1KB
Sample

231120-vgpc1ahb94
MD5

73b95b8bef785049a9ab5fc9410a6326
SHA1

bb21c11f9b44472f87ae69cb1dcac1934f738353
SHA256

2888922c2d748ea0498725011645efb6d4f35c858e3a158d58357df12a5e63cc
SHA512

b68ddf5bbf99e711c0c66b6a40b69d0f95efb9fc1d0dba8f9928e6765bb6ebd21e16eadeb15a100df10ebb5dbd08106edbea02f439417db344a014e960801cfc

Score

10^/10

darkgate rockyoudragon stealer

Malware Config

Extracted

Family

darkgate

Botnet

rockyoudragon

C2

http://188.246.224.221

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
2351
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
jHsOoiOBxlimUu
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
rockyoudragon

Targets

- Target
  
  Screenshot_20_11_2023-4839.png.lnk
- Size
  
  1KB
- MD5
  
  d3d3ffd5ffa81dcdef3cf7e606562d4c
- SHA1
  
  dc86ae5e975f08d86052208dbaf182d55e8aedfc
- SHA256
  
  3ee01212c840eaee1d11c78169d1deb7f9fa133cbb12f105918328f36afdd971
- SHA512
  
  075e69dd2a59ab7da5eb9e03b1753cd6870b2958c3998887e150cd2182aadfbdd90038fc8b88b49a64a9b7896b002057c73b0b7ae952856b43d8159006f6527e
Score

10^/10

darkgate rockyoudragon stealer
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1 behavioral2
- Target
  
  Wire_Transfer_Recipient.pdf.lnk
- Size
  
  1KB
- MD5
  
  65333dee897813812caf650a2c6997c7
- SHA1
  
  8eda0e9a054f635152c3cf1af9f01c01e925157d
- SHA256
  
  2aa219e648895ec611aa69f1a484c8e58866aa5f4c0ba020a65443b819d20c25
- SHA512
  
  ce2ece91a46a9369de9730de5326e98c6479df7b7dcf6c7c7d2af600f9f25ee03ddf9a36cfdd9c47e985184c071d1a8558fdda9253ac566afbdd1aaf25b76d14
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

darkgaterockyoudragonstealer

behavioral3

behavioral4