Analysis
-
max time kernel
87s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
-
submitted
01-12-2023 18:16
General
-
Target
Lightshot.exe
-
Size
487KB
-
MD5
1e1c83b9680029ad4a9f8d3b3ac93197
-
SHA1
fa7b69793454131a5b21b32867533305651e2dd4
-
SHA256
0b899508777d7ed5159e2a99a5eff60c54d0724493df3d630525b837fa43aa51
-
SHA512
fe6f8df3dbbcc7535ead60028ec3e45801a33ccc81c9137b2288bc0d18be42379564c907eb406ce9491f46930690efa9a86a9f6506414992b5dba75adb3d1136
-
SSDEEP
12288:cl1dT6lwApgXttZmPdsfkmDU3pRQa/JSQE:Q1d0wVmPdsfkP3zQa/JSH
Malware Config
Extracted
darkgate
A11111
http://trans1ategooglecom.com
http://saintelzearlava.com
-
alternative_c2_port
8080
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
80
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_rawstub
true
-
crypto_key
XiOwgXyDLNDEpj
-
internal_mutex
txtMut
-
minimum_disk
100
-
minimum_ram
4096
-
ping_interval
4
-
rootkit
true
-
startup_persistence
true
-
username
A11111
Signatures
-
DarkGate
DarkGate is an infostealer written in C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\Lightshot.exe"C:\Users\Admin\AppData\Local\Temp\Lightshot.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\tmpp\Autoit3.exec:\tmpp\Autoit3.exe c:\tmpp\test.au32⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
872KB
MD5cb7ec6c3e69865e46e49a684146e6564
SHA1a0e464b16936f21bbd9100b9f46a52a10cd2d3e7
SHA25664bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343
SHA51261fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0
-
Filesize
872KB
MD5cb7ec6c3e69865e46e49a684146e6564
SHA1a0e464b16936f21bbd9100b9f46a52a10cd2d3e7
SHA25664bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343
SHA51261fe7fa083f82a207c6a464d0b946d97f050c7cea9ee944e56ff7f5ad87e6ff638052d4809aea9fe01591d5346d19f2b7231c36ca94d61778edb15d89efc16b0
-
Filesize
492KB
MD5dbd1ca08a1b009d1abab3def6ffa967b
SHA1f05c604a879c9396f93f6857f84d6ba58734ae0f
SHA2561744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1
SHA5126b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb
-
Filesize
4.0MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
2.8MB
-
Filesize
2.8MB