darkgate | 109aac8fd1994e580398ee91fce9a9e1ef39873566e601106ce2ad6be29e06a6

General

Target

Lightshot.dll
Size

2.7MB
MD5

d25a5b444336b66cc5f36437701b896b
SHA1

03a831d6c603b8ad1cc7b6c9fd1e6195bce56e4f
SHA256

6866488e8882873a60d2d94e3eb224ab005a5b9e9053146d2b6601b520673929
SHA512

6c45648054c0105df984be41bdc3a1124065976c2b5647e8c0b0ed7b98eb77208ec5527392c889c3b6bf33018d449f8cc625f7b37f04c7bdf47038ba95d8a473
SSDEEP

24576:dHZrhn7olvHbxA7qQCzt/s7ry5SnCo44Bg85mwFXyEOdT1ZAIe9ae/K4wMIQb6VF:dpqt7sU9s7r/HvCKPy

Score

10^/10

darkgate a11111 stealer

Malware Config

Extracted

Family

darkgate

Botnet

A11111

C2

http://trans1ategooglecom.com

http://saintelzearlava.com

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
XiOwgXyDLNDEpj
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
A11111

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 2464 created 3840	2464	Autoit3.exe	14
PID 2464 created 2840	2464	Autoit3.exe	43
PID 2464 created 3952	2464	Autoit3.exe	34
PID 2464 created 3860	2464	Autoit3.exe	10
PID 2464 created 3860	2464	Autoit3.exe	10

Executes dropped EXE 1 IoCs

pid	Process
2464	Autoit3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2464	Autoit3.exe
2464	Autoit3.exe
2464	Autoit3.exe
2464	Autoit3.exe
2464	Autoit3.exe
2464	Autoit3.exe
2464	Autoit3.exe
2464	Autoit3.exe
2464	Autoit3.exe
2464	Autoit3.exe
2464	Autoit3.exe
2464	Autoit3.exe
2464	Autoit3.exe
2464	Autoit3.exe
2464	Autoit3.exe
2464	Autoit3.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 552	4304	rundll32.exe	85
PID 4304 wrote to memory of 552	4304	rundll32.exe	85
PID 4304 wrote to memory of 552	4304	rundll32.exe	85
PID 552 wrote to memory of 2464	552	rundll32.exe	88
PID 552 wrote to memory of 2464	552	rundll32.exe	88
PID 552 wrote to memory of 2464	552	rundll32.exe	88

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3860

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:3840

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lightshot.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lightshot.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:552
- - \??\c:\tmpp\Autoit3.exe
    c:\tmpp\Autoit3.exe c:\tmpp\test.au3
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2464

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3952

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\tmpp\Autoit3.exe

Filesize
872KB

MD5
cb7ec6c3e69865e46e49a684146e6564

SHA1
a0e464b16936f21bbd9100b9f46a52a10cd2d3e7

SHA256
64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343

SHA512
61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0

Download Submit
\??\c:\tmpp\AutoIt3.exe

Filesize
872KB

MD5
cb7ec6c3e69865e46e49a684146e6564

SHA1
a0e464b16936f21bbd9100b9f46a52a10cd2d3e7

SHA256
64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343

SHA512
61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0

Download Submit
\??\c:\tmpp\test.au3

Filesize
492KB

MD5
dbd1ca08a1b009d1abab3def6ffa967b

SHA1
f05c604a879c9396f93f6857f84d6ba58734ae0f

SHA256
1744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1

SHA512
6b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb

Download Submit
memory/552-4-0x0000000000400000-0x00000000006C2000-memory.dmp

Filesize
2.8MB

Download
memory/2464-7-0x0000000001510000-0x0000000001910000-memory.dmp

Filesize
4.0MB

Download
memory/2464-9-0x0000000004660000-0x00000000047F5000-memory.dmp

Filesize
1.6MB

Download
memory/2464-15-0x0000000004660000-0x00000000047F5000-memory.dmp

Filesize
1.6MB

Download
memory/2464-16-0x0000000004660000-0x00000000047F5000-memory.dmp

Filesize
1.6MB

Download
memory/2464-18-0x0000000004660000-0x00000000047F5000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing