Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
26-12-2023 01:47
General
-
Target
90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03.dll
-
Size
2.7MB
-
MD5
6376c4e1fa2dcb1c73f178b675ea5840
-
SHA1
c46e52b896bf3b53a6878d2b2386a9dc40377f19
-
SHA256
90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03
-
SHA512
d967d2e60b743bd57489c9edd0cf9d820d0ea749402be2dcb7b2e14a82828aa4c981b9fa32470d9f5fb208152e673eb3b9daf0485c53680548f5ea2619537494
-
SSDEEP
24576:dHZrhn7olvHbxA7qQCzt/s7ry5SnCo44Bg85mwFXyEOdT1ZAIe9ae/K4wMIQb6Vo:dpqt7sU9s7r/HvCKPP
Malware Config
Extracted
darkgate
5.2.8
A11111
http://trans1ategooglecom.com
http://saintelzearlava.com
-
alternative_c2_port
8080
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
80
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_raw_stub
true
-
crypto_key
XiOwgXyDLNDEpj
-
internal_mutex
txtMut
-
minimum_disk
100
-
minimum_ram
4096
-
ping_interval
4
-
rootkit
true
-
startup_persistence
true
-
username
A11111
Signatures
-
DarkGate
DarkGate is an infostealer written in C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
DarkGate后门Payload 4 IoCs
DarkGate.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\90e38d684c63fee4e5d7bdd16c4409022bf9edfc7cf266b9e49936962ce37b03.dll,#12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
\??\c:\tmpp\Autoit3.exec:\tmpp\Autoit3.exe c:\tmpp\test.au33⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\tmpp\Autoit3.exeFilesize
64KB
MD5c20ac95a96af05227875d7060bfb9fc2
SHA126d2c5d5774731f7ee49636f692bf1712530e8fe
SHA25600457e22fc18fa4adc06c0b52d008a1b9e117176df4b8a56e71586eeae74146c
SHA512d305eea0f714d0de07a8b49ea295c7eaba5aed5e9812a604a2c5f39bf1f85f9df0544bd64d7ee2cf7be6b6937ecb917ac851bf2b0585d17c6932b591cf007fc8
-
\??\c:\tmpp\AutoIt3.exeFilesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
\??\c:\tmpp\test.au3Filesize
492KB
MD5dbd1ca08a1b009d1abab3def6ffa967b
SHA1f05c604a879c9396f93f6857f84d6ba58734ae0f
SHA2561744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1
SHA5126b28d83aee4eb2b219ed4e665f09bda8d32250b6b2d2a74b2f56243ce60b1a49aa570050b752bcbc27c4deff373d0ca8a6d968714813223648ec58c0a0f7d2cb
-
\tmpp\Autoit3.exeFilesize
530KB
MD5e549d4003bb87a9b23779d4442507a2a
SHA17fcebd70ef26c6109b9a10a288d644041d0c7441
SHA2562318c8f4bdb0be8a902b2be4f8353b943f52ae3c54ecd8026b35aab856461079
SHA512850e28154259ae3e4c14150ed995ceca4c7bb145d9b58d34d0732e3a9fae9125cd6e605c954adc944cec18ca16585b5c9e7c3d6ebbc903545397ba7f0fb236b7
-
memory/1912-11-0x0000000000790000-0x0000000000B90000-memory.dmpFilesize
4.0MB
-
memory/1912-12-0x0000000003070000-0x0000000003205000-memory.dmpFilesize
1.6MB
-
memory/1912-18-0x0000000003070000-0x0000000003205000-memory.dmpFilesize
1.6MB
-
memory/1912-20-0x0000000003070000-0x0000000003205000-memory.dmpFilesize
1.6MB
-
memory/1912-19-0x0000000003070000-0x0000000003205000-memory.dmpFilesize
1.6MB
-
memory/3048-0-0x00000000022E0000-0x00000000025A2000-memory.dmpFilesize
2.8MB
-
memory/3048-7-0x00000000022E0000-0x00000000025A2000-memory.dmpFilesize
2.8MB