darkgate | e3b3fe8bf91cbd4295f5d90496102c0db14d7ec1b536658ff83b7db1f4b0b228

Resubmissions

26-12-2023 08:41

231226-klnl6abhh2 10

19-11-2023 21:36

231119-1fyg6sbh52 10

Analysis

max time kernel
2s
max time network
131s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c532f2594.msi
Size

8.5MB
MD5

fbf5d7b4c5f0e86a95b4fcd5c5ccc534
SHA1

51588315ff4ae36412c337361ea65f84810938d8
SHA256

6da198925581418863170f05b832cd1584b923278d0730d779a30ec96513111d
SHA512

3ef2d34071fc10bed59dbe60df3789524f62b89284cc011f1ab0a790196f9010ef6fa41d809947f52668918aa72c90c17211d6be82707b0f8099df548fb40588
SSDEEP

196608:0eS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9OtaQCK0Ex7FVJi0:0dhVs6WXjX9HZ5AQX32WDb0ExZV8

Score

10^/10

darkgate plex discovery stealer

Malware Config

Extracted

Family

darkgate

Version

5.2.8

Botnet

PLEX

http://jordanmikejeforse.com

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
8443
check_disk
false
check_ram
true
check_xeon
true
crypter_au3
false
crypter_dll
false
crypter_raw_stub
true
crypto_key
yIzFYincIffips
internal_mutex
txtMut
minimum_disk
20
minimum_ram
6000
ping_interval
4
rootkit
true
startup_persistence
true
username
PLEX

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1820	ICACLS.EXE
1984	ICACLS.EXE

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

DarkGate后门Payload 2 IoCs

DarkGate.

resource	yara_rule
behavioral1/memory/828-116-0x0000000002FB0000-0x0000000003145000-memory.dmp	DarkGate
behavioral1/memory/828-126-0x0000000002A90000-0x0000000002B90000-memory.dmp	DarkGate

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2496	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2496	msiexec.exe
Token: SeRestorePrivilege	3032	msiexec.exe
Token: SeTakeOwnershipPrivilege	3032	msiexec.exe
Token: SeSecurityPrivilege	3032	msiexec.exe
Token: SeCreateTokenPrivilege	2496	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2496	msiexec.exe
Token: SeLockMemoryPrivilege	2496	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2496	msiexec.exe
Token: SeMachineAccountPrivilege	2496	msiexec.exe
Token: SeTcbPrivilege	2496	msiexec.exe
Token: SeSecurityPrivilege	2496	msiexec.exe
Token: SeTakeOwnershipPrivilege	2496	msiexec.exe
Token: SeLoadDriverPrivilege	2496	msiexec.exe
Token: SeSystemProfilePrivilege	2496	msiexec.exe
Token: SeSystemtimePrivilege	2496	msiexec.exe
Token: SeProfSingleProcessPrivilege	2496	msiexec.exe
Token: SeIncBasePriorityPrivilege	2496	msiexec.exe
Token: SeCreatePagefilePrivilege	2496	msiexec.exe
Token: SeCreatePermanentPrivilege	2496	msiexec.exe
Token: SeBackupPrivilege	2496	msiexec.exe
Token: SeRestorePrivilege	2496	msiexec.exe
Token: SeShutdownPrivilege	2496	msiexec.exe
Token: SeDebugPrivilege	2496	msiexec.exe
Token: SeAuditPrivilege	2496	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2496	msiexec.exe
Token: SeChangeNotifyPrivilege	2496	msiexec.exe
Token: SeRemoteShutdownPrivilege	2496	msiexec.exe
Token: SeUndockPrivilege	2496	msiexec.exe
Token: SeSyncAgentPrivilege	2496	msiexec.exe
Token: SeEnableDelegationPrivilege	2496	msiexec.exe
Token: SeManageVolumePrivilege	2496	msiexec.exe
Token: SeImpersonatePrivilege	2496	msiexec.exe
Token: SeCreateGlobalPrivilege	2496	msiexec.exe
Token: SeBackupPrivilege	2704	vssvc.exe
Token: SeRestorePrivilege	2704	vssvc.exe
Token: SeAuditPrivilege	2704	vssvc.exe
Token: SeBackupPrivilege	3032	msiexec.exe
Token: SeRestorePrivilege	3032	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2496	msiexec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1c532f2594.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2496

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3032
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 89A55222B7002924C1DFC032C9E99927
  2⤵
  PID:1764
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:1984
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    PID:2912
- - C:\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\files\windbg.exe"
    3⤵
    PID:2380
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      PID:828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\files"
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:1820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B4" "000000000000055C"
1⤵
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\files.cab

Filesize
118KB

MD5
048f46e15fcf8404794c50d0ab97421f

SHA1
9fd13439d65fd8eb0c4204b8b7a5b66ebbff33ad

SHA256
0808e31f647533733d93382c79d8215d38e5875e79167e32c35c2ba6beede925

SHA512
f60255af7f47f3bedd65ade383ab064ca56a4b5a56615fb9cd699a18389429f14e226505aaae1dbc73d6628b133513478b9e31aa6313ceff6211fd8ec01a7807

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\files\00004-~1.PNG

Filesize
99KB

MD5
824fa8bf7fc7eca764a5e6bfc7665688

SHA1
b2e1fc1c8d6307b7f4766be6b2c2eb5a7a9c913a

SHA256
5db25cd319bff6f449c4d31f6151eedf4e2f75cbcd093acb832e3782275ea175

SHA512
362cce6d768686276df3fe2e870d4d19dcc22c5f16aee4054e148c39623d2cbe1bc30a7f0552b2495d90471a77f2fff980903245bd5eafc7b5dc1d0204bdd839

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\files\00005-~1.PNG

Filesize
84KB

MD5
9dcacad3d5e4c96edf841532dfac4957

SHA1
05e888b68f903be3ca0cb7efde4c627d288ffe2f

SHA256
c31ba567fb5ab636f239fffece8fdb85258d72d03deb25e96192f73808fc9486

SHA512
68137aacea21567971bc7be1d878643643cb047f2a0fa5cf5fa0d1cdf02d7a8ea14d63e8cab0844726f487413db1cc51efd645d44561225284dfc2da68faa7d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\files\00006-~1.PNG

Filesize
53KB

MD5
c4b29ec7df3872ff440438d8c37c7712

SHA1
f341324472bd8a6917d5f3ec653a1aceeaf0193f

SHA256
2eff3409dd5265905895912564be2b2af8f60cbfa18835eb09e81bde415426b6

SHA512
693fc4779ec8ae442950a14769a8a15f7cb302ef42e0acca9faf3aa1b5c300224a94786b7cf48dd8b0b1c4d367797053c8701b57b179c4b200697657bc55c478

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\files\00007-~1.PNG

Filesize
71KB

MD5
7fd80d347a83dd00dc82e0cd360ee9bf

SHA1
dc105e92ab5d360658ed149f92d95d2fda16b636

SHA256
5dc98bf473ee76e06b1811eeb971e310279f8bd551753b17b6b860162a0778aa

SHA512
a5e85be4411c8412ef612f0d79c1b33688ffdac8e16238e3ea1f8793be6297dadaf76f7621a31b2963e1721500663dd16ed66577031b60918b7c32d0d2af3d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\files\data.bin

Filesize
92KB

MD5
472526a8c742a25296b345509638c863

SHA1
345523ddcd3216cf060ce242071374614fc372a6

SHA256
5d7aace8eb61d1fb4553069d8501100d64abb9968b1f20f84f3d23c71dab1366

SHA512
8ab00a37557e6e92476a85ae8e5f71fa1a84e54a0e60e5f75eb553d12e145b17fd4b82b81cf2610435976c828f29865df41c4cddc2224e55dfa0edf7375f67f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\files\data2.bin

Filesize
187KB

MD5
057f7f48337edff1e04fd9d11c538c20

SHA1
c85ca3135f944f0289c90a65233de616d18a3c7c

SHA256
5ce393e613100eb09268150807a935459d86479f11be4bf5de280a8a864dc673

SHA512
566b4fce7e17b59132a024429d94a0fa8588b9af72e967e7a630a8dd15608462414ca83610d720a8aad5d804d49e572aa98e17313a70546b7a30de5382e0d2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\files\dbgeng.dll

Filesize
17KB

MD5
6e474ecca8d70a3de5a9a00105c26d96

SHA1
24e2be33b35a9495c6ffe22481bf711ba3d213c7

SHA256
a7c3c5312711b8e850074640cf621fbefc89e0e443f87e7d7c7d47ca5837c88f

SHA512
86e486e95cc61cd6226033b4c122f5d9f71518257b1596c6ede8f4b44da9a4c6c28b06b06a4562d24cea88bd38344412cd9f51c0db7d389a7c5a57d3904b097a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\files\windbg.exe

Filesize
81KB

MD5
551fb2cfff2c9adcedd3f785f663b46a

SHA1
1d80c42bb4b0487c06ae0b321a20bcfbc7ca418a

SHA256
58c1bd16711b423b0e400be2ba8b19e5e1a8b9a0ff0600013b4b61c6dc452f02

SHA512
7d31caab36eaa5f97828642d168cc7177c725908f8c01279ada570f88e8b839b46fa41f3f6f6564c7b8750f410e46180297c0d01b45af06cf4c8897c748b3b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\files\windbg.exe

Filesize
40KB

MD5
ee51f3ed08c770f00b82857a4b853312

SHA1
3d9571c9ce009ca3aafd1d3d2a457a0354e45190

SHA256
a99d9e567da9ca074bf25d09320c7c1e31c281ee451e5101dac08249f4a4017f

SHA512
c81f99b3ac683b0583991571ccbbf45200ece9adaac31265767e5a17070bec5a4f390a9e8fbe958f399cd4d9f6f90567aca920cb72b37dce48b31d1d62654827

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\msiwrapper.ini

Filesize
1KB

MD5
d3381536305eeb1fb8f7474c81d91fd5

SHA1
028d87745b3c2e96f2eb1b049c6957c6b877d98d

SHA256
401e09df35fea91ed60165190e938cc185ebffb7ae5d34a372389677b268b173

SHA512
d86b2c1e357134e3a881bdb9f1f1633a022626387ff5cbd53d3ce58e32919c1dc4cea21d461f6de75da32ce40cd5a9d337da12ca2b1915089cf8c2c9dff53ebd

Download Submit
C:\Windows\Installer\MSI25E8.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\tmpa\Autoit3.exe

Filesize
153KB

MD5
4787df44fffab257f621ddaaa7cc0f8e

SHA1
2974bd9a2fe440e14229f4854cebf15c38a5564c

SHA256
f29f96108bd40ec041e401d9773c912a9184d54ab4bef102828e42afbf6cebbf

SHA512
fc058dc6bf4b95bcb60e2292599e98401a6ae24bb0d74331988c3ac95907b7b86e4aa4a91db59516c01961a9017e11e8ba19969811c85ac79b133522d79cfb2d

Download Submit
\??\c:\tmpa\script.au3

Filesize
93KB

MD5
67a48682b87b3e32da7abeb6249e675c

SHA1
7941980e6a03f373db52afae823548738224e335

SHA256
a318341960563244eca52dda098aa69d382019d6aba7ddd984d3e752437ce26c

SHA512
e9216bf90764c4c872a171e63366b0e0f6d5168f3426d250c4ad9a07a32ddb4b5eb56070b4e8446979aa76d8b2ee1ba9be7f6c0fde070b110adb357b1a7c1b76

Download Submit
\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\files\dbgeng.dll

Filesize
178KB

MD5
cc45f85540d9e435098cb5eaee5e3b6f

SHA1
6cc02086b3bd4441ef23b09b47db84226aa8e151

SHA256
366114e7560bdd93a329f194baf39f9e8ce226e6136e01ed094095fd93be42b2

SHA512
94aeceddd6f3259fa20f3929288fd5ca27b44b637f838ae204532195fae126825df8bae2924383465dbc638469a5b956a4947523623802cbca62975dc7370c3d

Download Submit
\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\files\windbg.exe

Filesize
58KB

MD5
28a6b6f81a4ef2b6a266dad98f2c3fe5

SHA1
651040a45e44bf18ac9ddb5f66d8cadce9781292

SHA256
dd594dde1e3be00e817ef7e18b28d9ec451d1dbdadb983570be4f1f15a1136e8

SHA512
c7af14723ed9b2d7bd0f504337af484c3ec0cb3e434c6f84f25423d5184b0abc1a1c8fb2dac438d2daa24c42ef362cd1a2b7e87ca7efd188e0697bf25707c3b8

Download Submit
\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\files\windbg.exe

Filesize
60KB

MD5
a945a3fc3d7a851ebcbe8b903bbc8486

SHA1
6dd105c466fef3169a54b4c15dd9824b5b243e2e

SHA256
18d7d08df9ecbb3d15c6aeee3abbc948c117e0db5ef8236a83947595b2d4719e

SHA512
ed2ecac10a9241a1c688ec33ba3d935887c3c0f087255402edc379faa6826b1cd4fba0a358756e1703dd32b7ee40e75309a1faeb29171a888b447dd3b9cdf9c6

Download Submit
\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\files\windbg.exe

Filesize
45KB

MD5
3a2f365206cf3624f36026298970c803

SHA1
8116a50ffa68c7734d013503b2d791b8a5879297

SHA256
6b065c6fd4e7c74e6799ff3d3c6b379ec98f84c41443a55e417cd5697426492a

SHA512
3cc05502ab26f480956fcecf153cf327979fae5fab77cc33965668cea877d487d743723af8f06b711ce7057a91d04b42f2ff2447e3ea224afec204f4ec4f8c95

Download Submit
\Users\Admin\AppData\Local\Temp\MW-9796cfc0-78db-4506-a3c7-acefecc4f1f1\files\windbg.exe

Filesize
58KB

MD5
aa87c45e378d6e6ff9bcef687adf5866

SHA1
bd5a1a03edd7b6b54ec4ff8872a9904bdfafb01e

SHA256
d2971cb1f8047740fbfe2047356411d926d9d786426cab8fd9f0f9edd92fd447

SHA512
a8c5eeed92f33ed58b7efc77676099ec94b75c7229c2870f1a01bb33e68000f1f47c716262de3da11251234ba7395cf0e6e1bcb808d6e3bac3819b316568669d

Download Submit
\Windows\Installer\MSI25E8.tmp

Filesize
178KB

MD5
011276af8c121e4646dcf077c0a0d152

SHA1
c91ab6b720d1c107cc896fc9328fc3641d31a9c5

SHA256
737b6174d4b0740238f355c3718c32ff38d2ff672824d6373f3b40524beecf9f

SHA512
6bfd72a0c8a3ab81965c1b1fe07c624adc996a331e120f327b67280dc5ba38ffb651f47caac9542c76d03bc623f70f845f14673af3523ba81e3a59534193b776

Download Submit
\tmpa\Autoit3.exe

Filesize
79KB

MD5
4b6c883112689c50d2c70e5988d15205

SHA1
0cb0495c5d67a2c38c591e999f6abf65c62aa2da

SHA256
c605127c65aa375ea0d55f182ae157c65d3fe455ae31fc39e26bcc862918d507

SHA512
40545562081ebc0dcf860f101cf71e4b2badc9b3253f8508fce65ba9a43b458054827e174e5c344162c9615ad3fca34c68d7e9b46c9e6b2628213b653b3328bf

Download Submit
memory/828-114-0x0000000002A90000-0x0000000002B90000-memory.dmp

Filesize
1024KB

Download
memory/828-115-0x0000000002A90000-0x0000000002B90000-memory.dmp

Filesize
1024KB

Download
memory/828-116-0x0000000002FB0000-0x0000000003145000-memory.dmp

Filesize
1.6MB

Download
memory/828-126-0x0000000002A90000-0x0000000002B90000-memory.dmp

Filesize
1024KB

Download
memory/2380-95-0x0000000000640000-0x0000000000840000-memory.dmp

Filesize
2.0MB

Download
memory/2380-105-0x0000000000640000-0x0000000000840000-memory.dmp

Filesize
2.0MB

Download
memory/2380-106-0x0000000000420000-0x00000000004AA000-memory.dmp

Filesize
552KB

Download
memory/2380-98-0x0000000000420000-0x00000000004AA000-memory.dmp

Filesize
552KB

Download