darkgate | 109aac8fd1994e580398ee91fce9a9e1ef39873566e601106ce2ad6be29e06a6 | Triage

Sharing

General

Target

lightshot.zip
Size

1.5MB
Sample

231201-wwwlaseg51
MD5

251d830cd44bd0b81dd6c31a67140321
SHA1

0500129866371e77c82d0e35726fe36185a86970
SHA256

109aac8fd1994e580398ee91fce9a9e1ef39873566e601106ce2ad6be29e06a6
SHA512

5ca8429b52ae056a66d711b978266b17ddb3d18851987a52678f437b664c172f52bd1526bbf173b976a0860fd79b07bf7c78c8dbe530cdfc1a2a62bd08b765bf
SSDEEP

24576:VclvCK0BAwPyYFxAESZIMJ0gy0p5M/87dd4jXZkeUiTOYTXdoNgKb6JjHrKFWM51:4OvaYfAESygy0HMVjpkzOJdoBAjxM3

Score

10^/10

darkgate a11111 stealer

Malware Config

Extracted

Family

darkgate

Botnet

A11111

C2

http://trans1ategooglecom.com

http://saintelzearlava.com

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
XiOwgXyDLNDEpj
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
A11111

Targets

- Target
  
  Lightshot.dll
- Size
  
  2.7MB
- MD5
  
  d25a5b444336b66cc5f36437701b896b
- SHA1
  
  03a831d6c603b8ad1cc7b6c9fd1e6195bce56e4f
- SHA256
  
  6866488e8882873a60d2d94e3eb224ab005a5b9e9053146d2b6601b520673929
- SHA512
  
  6c45648054c0105df984be41bdc3a1124065976c2b5647e8c0b0ed7b98eb77208ec5527392c889c3b6bf33018d449f8cc625f7b37f04c7bdf47038ba95d8a473
- SSDEEP
  
  24576:dHZrhn7olvHbxA7qQCzt/s7ry5SnCo44Bg85mwFXyEOdT1ZAIe9ae/K4wMIQb6VF:dpqt7sU9s7r/HvCKPy
Score

10^/10

darkgate a11111 stealer
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  Lightshot.exe
- Size
  
  487KB
- MD5
  
  1e1c83b9680029ad4a9f8d3b3ac93197
- SHA1
  
  fa7b69793454131a5b21b32867533305651e2dd4
- SHA256
  
  0b899508777d7ed5159e2a99a5eff60c54d0724493df3d630525b837fa43aa51
- SHA512
  
  fe6f8df3dbbcc7535ead60028ec3e45801a33ccc81c9137b2288bc0d18be42379564c907eb406ce9491f46930690efa9a86a9f6506414992b5dba75adb3d1136
- SSDEEP
  
  12288:cl1dT6lwApgXttZmPdsfkmDU3pRQa/JSQE:Q1d0wVmPdsfkP3zQa/JSH
Score

10^/10

darkgate a11111 stealer
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- Suspicious use of NtCreateUserProcessOtherParentProcess
behavioral3 behavioral4
- Target
  
  lightshot.hta
- Size
  
  54KB
- MD5
  
  d4a2eb2ca3c9c631d7fe24550901187f
- SHA1
  
  adce21df1542c8867a8d3ee867ad963671290a9c
- SHA256
  
  06ad0a15ad23f80816d9388624a14712df3598f856a2360912dd98680374dbda
- SHA512
  
  68679a0176e4eec9f1239e497e8f279e4e857062a251fdd12201622a92c676ded89c3eea5aaa1085277dde3137a8278f3df7ea886342f99b3d7b60551fa9daa9
- SSDEEP
  
  768:+rZm+DbOMXv/8/kpd6T0IBCFLGD6nqY79EtVaJOr:+rZmSbOMXv/8gd6TlBCJGD6qY79EtVDr
Score

8^/10
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral5 behavioral6

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

darkgatea11111stealer

behavioral2

darkgatea11111stealer

behavioral3

darkgatea11111stealer

behavioral4

darkgatea11111stealer

behavioral5

behavioral6