Malware Analysis Report

2024-11-13 14:53

Sample ID 231130-r63edada87
Target 30112023_2249_LightShot.dll
SHA256 90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03
Tags darkgate a11111 stealer
Score 10/10

Analysis Overview

Score
10/10

SHA256

90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03

Threat Level: Known bad

The file 30112023_2249_LightShot.dll was found to be: Known bad.

Malicious Activity Summary

darkgate a11111 stealer

DarkGate

Suspicious use of NtCreateUserProcessOtherParentProcess

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-30 14:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-30 14:49

Reported

2023-11-30 14:51

Platform

win7-20231020-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

DarkGate

stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2540 created 1172 N/A \??\c:\tmpp\Autoit3.exe C:\Windows\system32\taskhost.exe
PID 2540 created 1172 N/A \??\c:\tmpp\Autoit3.exe C:\Windows\system32\taskhost.exe
PID 2540 created 1172 N/A \??\c:\tmpp\Autoit3.exe C:\Windows\system32\taskhost.exe
PID 2540 created 1172 N/A \??\c:\tmpp\Autoit3.exe C:\Windows\system32\taskhost.exe
PID 2540 created 1284 N/A \??\c:\tmpp\Autoit3.exe C:\Windows\system32\Dwm.exe

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\tmpp\Autoit3.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\tmpp\Autoit3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\tmpp\Autoit3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\tmpp\Autoit3.exe N/A
N/A N/A \??\c:\tmpp\Autoit3.exe N/A
N/A N/A \??\c:\tmpp\Autoit3.exe N/A
N/A N/A \??\c:\tmpp\Autoit3.exe N/A
N/A N/A \??\c:\tmpp\Autoit3.exe N/A
N/A N/A \??\c:\tmpp\Autoit3.exe N/A
N/A N/A \??\c:\tmpp\Autoit3.exe N/A
N/A N/A \??\c:\tmpp\Autoit3.exe N/A

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\30112023_2249_LightShot.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\30112023_2249_LightShot.dll,#1

\??\c:\tmpp\Autoit3.exe

c:\tmpp\Autoit3.exe c:\tmpp\test.au3

Network

Country Destination Domain Proto
US 8.8.8.8:53 trans1ategooglecom.com udp
US 8.8.8.8:53 trans1ategooglecom.com udp

Files

memory/1652-0-0x0000000002110000-0x00000000023D2000-memory.dmp

\tmpp\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\tmpp\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/1652-7-0x0000000002110000-0x00000000023D2000-memory.dmp

\??\c:\tmpp\test.au3

MD5 dbd1ca08a1b009d1abab3def6ffa967b
SHA1 f05c604a879c9396f93f6857f84d6ba58734ae0f
SHA256 1744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1
SHA512 6b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb

memory/2540-11-0x0000000000DA0000-0x00000000011A0000-memory.dmp

memory/2540-12-0x0000000002F90000-0x0000000003125000-memory.dmp

\??\c:\tmpp\AutoIt3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2540-18-0x0000000002F90000-0x0000000003125000-memory.dmp

memory/2540-19-0x0000000002F90000-0x0000000003125000-memory.dmp

memory/2540-20-0x0000000002F90000-0x0000000003125000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-30 14:49

Reported

2023-11-30 14:51

Platform

win10v2004-20231127-en

Max time kernel

143s

Max time network

151s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

DarkGate

stealer darkgate

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\tmpp\Autoit3.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\tmpp\Autoit3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\tmpp\Autoit3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 496 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2020 wrote to memory of 496 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2020 wrote to memory of 496 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 496 wrote to memory of 4580 N/A C:\Windows\SysWOW64\rundll32.exe \??\c:\tmpp\Autoit3.exe
PID 496 wrote to memory of 4580 N/A C:\Windows\SysWOW64\rundll32.exe \??\c:\tmpp\Autoit3.exe
PID 496 wrote to memory of 4580 N/A C:\Windows\SysWOW64\rundll32.exe \??\c:\tmpp\Autoit3.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\30112023_2249_LightShot.dll,#1

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\30112023_2249_LightShot.dll,#1

\??\c:\tmpp\Autoit3.exe

c:\tmpp\Autoit3.exe c:\tmpp\test.au3

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 155.245.36.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 126.179.238.8.in-addr.arpa udp
US 8.8.8.8:53 152.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 120.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

memory/496-0-0x0000000002330000-0x00000000025F2000-memory.dmp

C:\tmpp\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/496-5-0x0000000002330000-0x00000000025F2000-memory.dmp

\??\c:\tmpp\test.au3

MD5 dbd1ca08a1b009d1abab3def6ffa967b
SHA1 f05c604a879c9396f93f6857f84d6ba58734ae0f
SHA256 1744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1
SHA512 6b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb

memory/4580-8-0x0000000000E50000-0x0000000001250000-memory.dmp

memory/4580-10-0x0000000003F90000-0x0000000004125000-memory.dmp

\??\c:\tmpp\AutoIt3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/4580-16-0x0000000003F90000-0x0000000004125000-memory.dmp

memory/4580-17-0x0000000003F90000-0x0000000004125000-memory.dmp

memory/4580-18-0x0000000003F90000-0x0000000004125000-memory.dmp