Analysis
-
max time kernel
118s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
-
submitted
01-12-2023 18:16
General
-
Target
Lightshot.exe
-
Size
487KB
-
MD5
1e1c83b9680029ad4a9f8d3b3ac93197
-
SHA1
fa7b69793454131a5b21b32867533305651e2dd4
-
SHA256
0b899508777d7ed5159e2a99a5eff60c54d0724493df3d630525b837fa43aa51
-
SHA512
fe6f8df3dbbcc7535ead60028ec3e45801a33ccc81c9137b2288bc0d18be42379564c907eb406ce9491f46930690efa9a86a9f6506414992b5dba75adb3d1136
-
SSDEEP
12288:cl1dT6lwApgXttZmPdsfkmDU3pRQa/JSQE:Q1d0wVmPdsfkP3zQa/JSH
Malware Config
Extracted
darkgate
A11111
http://trans1ategooglecom.com
http://saintelzearlava.com
-
alternative_c2_port
8080
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
80
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_rawstub
true
-
crypto_key
XiOwgXyDLNDEpj
-
internal_mutex
txtMut
-
minimum_disk
100
-
minimum_ram
4096
-
ping_interval
4
-
rootkit
true
-
startup_persistence
true
-
username
A11111
Signatures
-
DarkGate
DarkGate is an infostealer written in C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\Lightshot.exe"C:\Users\Admin\AppData\Local\Temp\Lightshot.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
\??\c:\tmpp\Autoit3.exec:\tmpp\Autoit3.exe c:\tmpp\test.au32⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\tmpp\Autoit3.exeFilesize
872KB
MD5cb7ec6c3e69865e46e49a684146e6564
SHA1a0e464b16936f21bbd9100b9f46a52a10cd2d3e7
SHA25664bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343
SHA51261fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0
-
\??\c:\tmpp\AutoIt3.exeFilesize
872KB
MD5cb7ec6c3e69865e46e49a684146e6564
SHA1a0e464b16936f21bbd9100b9f46a52a10cd2d3e7
SHA25664bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343
SHA51261fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0
-
\??\c:\tmpp\test.au3Filesize
492KB
MD5dbd1ca08a1b009d1abab3def6ffa967b
SHA1f05c604a879c9396f93f6857f84d6ba58734ae0f
SHA2561744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1
SHA5126b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb
-
\tmpp\Autoit3.exeFilesize
872KB
MD5cb7ec6c3e69865e46e49a684146e6564
SHA1a0e464b16936f21bbd9100b9f46a52a10cd2d3e7
SHA25664bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343
SHA51261fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0
-
memory/1120-11-0x0000000000730000-0x0000000000B30000-memory.dmpFilesize
4.0MB
-
memory/1120-12-0x0000000002F00000-0x0000000003095000-memory.dmpFilesize
1.6MB
-
memory/1120-18-0x0000000002F00000-0x0000000003095000-memory.dmpFilesize
1.6MB
-
memory/1120-19-0x0000000002F00000-0x0000000003095000-memory.dmpFilesize
1.6MB
-
memory/1940-0-0x0000000002480000-0x0000000002742000-memory.dmpFilesize
2.8MB
-
memory/1940-7-0x0000000002480000-0x0000000002742000-memory.dmpFilesize
2.8MB