Malware Analysis Report

2024-11-13 14:53

Sample ID 231202-k761mabc26
Target 90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03.dll
SHA256 90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03
Tags darkgate a11111 stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256 90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03

Threat Level: Known bad

The file 90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03.dll was found to be: Known bad.

Malicious Activity Summary

darkgate a11111 stealer

DarkGate

Suspicious use of NtCreateUserProcessOtherParentProcess

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-02 09:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-02 09:15

Reported

2023-12-02 09:18

Platform

win7-20231129-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

DarkGate

stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 2884 created 1236 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe
PID 2884 created 1336 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\Dwm.exe
PID 2884 created 1236 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe
PID 2884 created 1236 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\taskhost.exe
PID 2884 created 1336 | N/A | \??\c:\tmpp\Autoit3.exe | C:\Windows\system32\Dwm.exe

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpp\Autoit3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpp\Autoit3.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03.dll,#1

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03.dll,#1

\??\c:\tmpp\Autoit3.exe

c:\tmpp\Autoit3.exe c:\tmpp\test.au3

Network

N/A

Files

memory/1388-0-0x0000000002120000-0x00000000023E2000-memory.dmp

\tmpp\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\tmpp\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/1388-7-0x0000000002120000-0x00000000023E2000-memory.dmp

\??\c:\tmpp\test.au3

MD5 dbd1ca08a1b009d1abab3def6ffa967b
SHA1 f05c604a879c9396f93f6857f84d6ba58734ae0f
SHA256 1744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1
SHA512 6b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb

memory/2884-12-0x0000000002F40000-0x00000000030D5000-memory.dmp

memory/2884-11-0x00000000006E0000-0x0000000000AE0000-memory.dmp

\??\c:\tmpp\AutoIt3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2884-19-0x0000000002F40000-0x00000000030D5000-memory.dmp

memory/2884-18-0x0000000002F40000-0x00000000030D5000-memory.dmp

memory/2884-20-0x0000000002F40000-0x00000000030D5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-02 09:15

Reported

2023-12-02 09:18

Platform

win10v2004-20231127-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

Signatures

DarkGate

stealer darkgate

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\tmpp\Autoit3.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpp\Autoit3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpp\Autoit3.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2808 wrote to memory of 3868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2808 wrote to memory of 3868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2808 wrote to memory of 3868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3868 wrote to memory of 4476 | N/A | C:\Windows\SysWOW64\rundll32.exe | \??\c:\tmpp\Autoit3.exe
PID 3868 wrote to memory of 4476 | N/A | C:\Windows\SysWOW64\rundll32.exe | \??\c:\tmpp\Autoit3.exe
PID 3868 wrote to memory of 4476 | N/A | C:\Windows\SysWOW64\rundll32.exe | \??\c:\tmpp\Autoit3.exe

Processes

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03.dll,#1

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03.dll,#1

\??\c:\tmpp\Autoit3.exe

c:\tmpp\Autoit3.exe c:\tmpp\test.au3

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 34.175.53.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.175.53.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp

Files

C:\tmpp\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/3868-4-0x0000000000400000-0x00000000006C2000-memory.dmp

\??\c:\tmpp\test.au3

MD5 dbd1ca08a1b009d1abab3def6ffa967b
SHA1 f05c604a879c9396f93f6857f84d6ba58734ae0f
SHA256 1744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1
SHA512 6b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb

memory/4476-7-0x0000000001350000-0x0000000001750000-memory.dmp

memory/4476-9-0x0000000004290000-0x0000000004425000-memory.dmp

\??\c:\tmpp\AutoIt3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/4476-16-0x0000000004290000-0x0000000004425000-memory.dmp

memory/4476-15-0x0000000004290000-0x0000000004425000-memory.dmp

memory/4476-17-0x0000000004290000-0x0000000004425000-memory.dmp