Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
127s -
max time network
132s -
platform
windows10-1703_x64 -
resource
win10-20231023-en -
resource tags
-
submitted
01/12/2023, 06:28
General
-
Target
90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03.dll
-
Size
2.7MB
-
MD5
6376c4e1fa2dcb1c73f178b675ea5840
-
SHA1
c46e52b896bf3b53a6878d2b2386a9dc40377f19
-
SHA256
90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03
-
SHA512
d967d2e60b743bd57489c9edd0cf9d820d0ea749402be2dcb7b2e14a82828aa4c981b9fa32470d9f5fb208152e673eb3b9daf0485c53680548f5ea2619537494
-
SSDEEP
24576:dHZrhn7olvHbxA7qQCzt/s7ry5SnCo44Bg85mwFXyEOdT1ZAIe9ae/K4wMIQb6Vo:dpqt7sU9s7r/HvCKPP
Malware Config
Extracted
darkgate
A11111
http://trans1ategooglecom.com
http://saintelzearlava.com
-
alternative_c2_port
8080
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
80
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_rawstub
true
-
crypto_key
XiOwgXyDLNDEpj
-
internal_mutex
txtMut
-
minimum_disk
100
-
minimum_ram
4096
-
ping_interval
4
-
rootkit
true
-
startup_persistence
true
-
username
A11111
Signatures
-
DarkGate
DarkGate is an infostealer written in C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\tmpp\Autoit3.exec:\tmpp\Autoit3.exe c:\tmpp\test.au33⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
492KB
MD5dbd1ca08a1b009d1abab3def6ffa967b
SHA1f05c604a879c9396f93f6857f84d6ba58734ae0f
SHA2561744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1
SHA5126b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb
-
Filesize
4.0MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
2.8MB
-
Filesize
2.8MB