darkgate | 109aac8fd1994e580398ee91fce9a9e1ef39873566e601106ce2ad6be29e06a6

General

Target

Lightshot.exe
Size

487KB
MD5

1e1c83b9680029ad4a9f8d3b3ac93197
SHA1

fa7b69793454131a5b21b32867533305651e2dd4
SHA256

0b899508777d7ed5159e2a99a5eff60c54d0724493df3d630525b837fa43aa51
SHA512

fe6f8df3dbbcc7535ead60028ec3e45801a33ccc81c9137b2288bc0d18be42379564c907eb406ce9491f46930690efa9a86a9f6506414992b5dba75adb3d1136
SSDEEP

12288:cl1dT6lwApgXttZmPdsfkmDU3pRQa/JSQE:Q1d0wVmPdsfkP3zQa/JSH

Score

10^/10

darkgate a11111 stealer

Malware Config

Extracted

Family

darkgate

Botnet

A11111

C2

http://trans1ategooglecom.com

http://saintelzearlava.com

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
XiOwgXyDLNDEpj
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
A11111

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

Autoit3.exe

description	pid	process	target process
PID 1660 created 2448	1660	Autoit3.exe	sihost.exe
PID 1660 created 4828	1660	Autoit3.exe	TextInputHost.exe
PID 1660 created 2800	1660	Autoit3.exe	taskhostw.exe
PID 1660 created 3960	1660	Autoit3.exe	SearchApp.exe
PID 1660 created 3804	1660	Autoit3.exe	StartMenuExperienceHost.exe

Executes dropped EXE 1 IoCs

Processes:

Autoit3.exe

pid process

1660 Autoit3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Autoit3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Autoit3.exe

pid	process
1660	Autoit3.exe
1660	Autoit3.exe
1660	Autoit3.exe
1660	Autoit3.exe
1660	Autoit3.exe
1660	Autoit3.exe
1660	Autoit3.exe
1660	Autoit3.exe
1660	Autoit3.exe
1660	Autoit3.exe
1660	Autoit3.exe
1660	Autoit3.exe
1660	Autoit3.exe
1660	Autoit3.exe
1660	Autoit3.exe
1660	Autoit3.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Lightshot.exe

description	pid	process	target process
PID 3812 wrote to memory of 1660	3812	Lightshot.exe	Autoit3.exe
PID 3812 wrote to memory of 1660	3812	Lightshot.exe	Autoit3.exe
PID 3812 wrote to memory of 1660	3812	Lightshot.exe	Autoit3.exe

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4828

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3960

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3804

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2800

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\Lightshot.exe
"C:\Users\Admin\AppData\Local\Temp\Lightshot.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3812

\??\c:\tmpp\Autoit3.exe
c:\tmpp\Autoit3.exe c:\tmpp\test.au3
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\tmpp\Autoit3.exe
Filesize
872KB

MD5
cb7ec6c3e69865e46e49a684146e6564

SHA1
a0e464b16936f21bbd9100b9f46a52a10cd2d3e7

SHA256
64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343

SHA512
61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0

Download Submit
\??\c:\tmpp\AutoIt3.exe
Filesize
872KB

MD5
cb7ec6c3e69865e46e49a684146e6564

SHA1
a0e464b16936f21bbd9100b9f46a52a10cd2d3e7

SHA256
64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343

SHA512
61fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0

Download Submit
\??\c:\tmpp\test.au3
Filesize
492KB

MD5
dbd1ca08a1b009d1abab3def6ffa967b

SHA1
f05c604a879c9396f93f6857f84d6ba58734ae0f

SHA256
1744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1

SHA512
6b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb

Download Submit
memory/1660-9-0x00000000016D0000-0x0000000001AD0000-memory.dmp

Filesize
4.0MB

Download
memory/1660-10-0x0000000004920000-0x0000000004AB5000-memory.dmp

Filesize
1.6MB

Download
memory/1660-17-0x0000000004920000-0x0000000004AB5000-memory.dmp

Filesize
1.6MB

Download
memory/1660-16-0x0000000004920000-0x0000000004AB5000-memory.dmp

Filesize
1.6MB

Download
memory/1660-19-0x0000000004920000-0x0000000004AB5000-memory.dmp

Filesize
1.6MB

Download
memory/3812-0-0x0000000003360000-0x0000000003622000-memory.dmp

Filesize
2.8MB

Download
memory/3812-5-0x0000000003360000-0x0000000003622000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads