Malware Analysis Report

2024-11-13 14:53

Sample ID 231201-g8mftsfe29
Target 90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03
SHA256 90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03
Tags
darkgate a11111 stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03

Threat Level: Known bad

The file 90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03 was found to be: Known bad.

Malicious Activity Summary

darkgate a11111 stealer

DarkGate

Suspicious use of NtCreateUserProcessOtherParentProcess

Executes dropped EXE

Unsigned PE

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-01 06:28

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-01 06:28

Reported

2023-12-01 06:31

Platform

win10-20231023-en

Max time kernel

127s

Max time network

132s

Command Line

c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc

Signatures

DarkGate

stealer darkgate

Executes dropped EXE

Description  Indicator  Process                  Target
N/A          N/A        \??\c:\tmpp\Autoit3.exe  N/A

Checks processor information in registry

Description        Indicator                                                                              Process                  Target
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       \??\c:\tmpp\Autoit3.exe  N/A
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   \??\c:\tmpp\Autoit3.exe  N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 2120 wrote to memory of 1240  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 1240  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 2120 wrote to memory of 1240  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1240 wrote to memory of 212   N/A        C:\Windows\SysWOW64\rundll32.exe  \??\c:\tmpp\Autoit3.exe
PID 1240 wrote to memory of 212   N/A        C:\Windows\SysWOW64\rundll32.exe  \??\c:\tmpp\Autoit3.exe
PID 1240 wrote to memory of 212   N/A        C:\Windows\SysWOW64\rundll32.exe  \??\c:\tmpp\Autoit3.exe

Processes

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe

"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe

"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03.dll,#1

\??\c:\tmpp\Autoit3.exe

c:\tmpp\Autoit3.exe c:\tmpp\test.au3

Network

Country  Destination  Domain                      Proto
US       8.8.8.8:53   29.243.111.52.in-addr.arpa  udp
US       8.8.8.8:53   2.173.189.20.in-addr.arpa   udp

Files

memory/1240-0-0x0000000003EB0000-0x0000000004172000-memory.dmp

C:\tmpp\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/1240-5-0x0000000003EB0000-0x0000000004172000-memory.dmp

\??\c:\tmpp\test.au3

MD5 dbd1ca08a1b009d1abab3def6ffa967b
SHA1 f05c604a879c9396f93f6857f84d6ba58734ae0f
SHA256 1744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1
SHA512 6b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb

memory/212-9-0x00000000014C0000-0x00000000018C0000-memory.dmp

memory/212-10-0x0000000003E90000-0x0000000004025000-memory.dmp

\??\c:\tmpp\AutoIt3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/212-17-0x0000000003E90000-0x0000000004025000-memory.dmp

memory/212-16-0x0000000003E90000-0x0000000004025000-memory.dmp

memory/212-19-0x0000000003E90000-0x0000000004025000-memory.dmp