Malware Analysis Report

2024-11-13 14:53

Sample ID: 231201-g5qzvafe91
Target: Lightshot(1).dll
SHA256: 90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03
Tags: darkgate, a11111, stealer
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file Lightshot(1).dll was found to be: Known bad.

Malicious Activity Summary

Tags: darkgate, a11111, stealer

DarkGate

Suspicious use of NtCreateUserProcessOtherParentProcess

Loads dropped DLL

Executes dropped EXE

Unsigned PE

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-12-01 06:23

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-01 06:23

Reported

2023-12-01 06:26

Platform

win10v2004-20231127-en

Max time kernel

141s

Max time network

148s

Command Line

sihost.exe

Signatures

DarkGate

Tags: stealer, darkgate

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpp\Autoit3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpp\Autoit3.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3984 wrote to memory of 3796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3984 wrote to memory of 3796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3984 wrote to memory of 3796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3796 wrote to memory of 1108 | N/A | C:\Windows\SysWOW64\rundll32.exe | \??\c:\tmpp\Autoit3.exe
PID 3796 wrote to memory of 1108 | N/A | C:\Windows\SysWOW64\rundll32.exe | \??\c:\tmpp\Autoit3.exe
PID 3796 wrote to memory of 1108 | N/A | C:\Windows\SysWOW64\rundll32.exe | \??\c:\tmpp\Autoit3.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lightshot(1).dll,#1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lightshot(1).dll,#1

\??\c:\tmpp\Autoit3.exe

c:\tmpp\Autoit3.exe c:\tmpp\test.au3

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 121.175.53.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 122.175.53.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.175.53.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp

Files

memory/3796-0-0x0000000002240000-0x0000000002502000-memory.dmp

C:\tmpp\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/3796-5-0x0000000002240000-0x0000000002502000-memory.dmp

\??\c:\tmpp\test.au3

MD5 dbd1ca08a1b009d1abab3def6ffa967b
SHA1 f05c604a879c9396f93f6857f84d6ba58734ae0f
SHA256 1744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1
SHA512 6b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb

memory/1108-9-0x00000000014D0000-0x00000000018D0000-memory.dmp

memory/1108-10-0x00000000045E0000-0x0000000004775000-memory.dmp

\??\c:\tmpp\AutoIt3.exe (same dropped file as C:\tmpp\Autoit3.exe above: identical MD5, SHA1, SHA256 and SHA512)

memory/1108-16-0x00000000045E0000-0x0000000004775000-memory.dmp

memory/1108-17-0x00000000045E0000-0x0000000004775000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-01 06:23

Reported

2023-12-01 06:26

Platform

win7-20231023-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

DarkGate

Tags: stealer, darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 2964 created 1176 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\Dwm.exe
PID 2964 created 1176 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\Dwm.exe
PID 2964 created 1176 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\Dwm.exe
PID 2964 created 1136 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe
PID 2964 created 1136 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpp\Autoit3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpp\Autoit3.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lightshot(1).dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lightshot(1).dll,#1

\??\c:\tmpp\Autoit3.exe

c:\tmpp\Autoit3.exe c:\tmpp\test.au3

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | trans1ategooglecom.com | udp

Files

memory/1380-0-0x0000000001DB0000-0x0000000002072000-memory.dmp

\tmpp\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\tmpp\Autoit3.exe (same dropped file as \tmpp\Autoit3.exe above: identical MD5, SHA1, SHA256 and SHA512)

memory/1380-7-0x0000000001DB0000-0x0000000002072000-memory.dmp

\??\c:\tmpp\test.au3

MD5 dbd1ca08a1b009d1abab3def6ffa967b
SHA1 f05c604a879c9396f93f6857f84d6ba58734ae0f
SHA256 1744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1
SHA512 6b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb

memory/2964-12-0x00000000030B0000-0x0000000003245000-memory.dmp

memory/2964-11-0x0000000000CE0000-0x00000000010E0000-memory.dmp

\??\c:\tmpp\AutoIt3.exe (same dropped file as \tmpp\Autoit3.exe above: identical MD5, SHA1, SHA256 and SHA512)

memory/2964-18-0x00000000030B0000-0x0000000003245000-memory.dmp

memory/2964-19-0x00000000030B0000-0x0000000003245000-memory.dmp

memory/2964-20-0x00000000030B0000-0x0000000003245000-memory.dmp