darkgate | e3b3fe8bf91cbd4295f5d90496102c0db14d7ec1b536658ff83b7db1f4b0b228

Resubmissions

26-12-2023 08:41

231226-klnl6abhh2 10

19-11-2023 21:36

231119-1fyg6sbh52 10

Analysis

max time kernel
0s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c532f2594.msi
Size

8.5MB
MD5

fbf5d7b4c5f0e86a95b4fcd5c5ccc534
SHA1

51588315ff4ae36412c337361ea65f84810938d8
SHA256

6da198925581418863170f05b832cd1584b923278d0730d779a30ec96513111d
SHA512

3ef2d34071fc10bed59dbe60df3789524f62b89284cc011f1ab0a790196f9010ef6fa41d809947f52668918aa72c90c17211d6be82707b0f8099df548fb40588
SSDEEP

196608:0eS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9OtaQCK0Ex7FVJi0:0dhVs6WXjX9HZ5AQX32WDb0ExZV8

Score

10^/10

darkgate plex discovery stealer

Malware Config

Extracted

Family

darkgate

Version

5.2.8

Botnet

PLEX

http://jordanmikejeforse.com

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
8443
check_disk
false
check_ram
true
check_xeon
true
crypter_au3
false
crypter_dll
false
crypter_raw_stub
true
crypto_key
yIzFYincIffips
internal_mutex
txtMut
minimum_disk
20
minimum_ram
6000
ping_interval
4
rootkit
true
startup_persistence
true
username
PLEX

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2280	ICACLS.EXE
4360	ICACLS.EXE

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

DarkGate后门Payload 1 IoCs

DarkGate.

resource	yara_rule
behavioral2/memory/392-108-0x00000000043D0000-0x0000000004565000-memory.dmp	DarkGate

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4992	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4992	msiexec.exe
Token: SeSecurityPrivilege	744	msiexec.exe
Token: SeCreateTokenPrivilege	4992	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4992	msiexec.exe
Token: SeLockMemoryPrivilege	4992	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4992	msiexec.exe
Token: SeMachineAccountPrivilege	4992	msiexec.exe
Token: SeTcbPrivilege	4992	msiexec.exe
Token: SeSecurityPrivilege	4992	msiexec.exe
Token: SeTakeOwnershipPrivilege	4992	msiexec.exe
Token: SeLoadDriverPrivilege	4992	msiexec.exe
Token: SeSystemProfilePrivilege	4992	msiexec.exe
Token: SeSystemtimePrivilege	4992	msiexec.exe
Token: SeProfSingleProcessPrivilege	4992	msiexec.exe
Token: SeIncBasePriorityPrivilege	4992	msiexec.exe
Token: SeCreatePagefilePrivilege	4992	msiexec.exe
Token: SeCreatePermanentPrivilege	4992	msiexec.exe
Token: SeBackupPrivilege	4992	msiexec.exe
Token: SeRestorePrivilege	4992	msiexec.exe
Token: SeShutdownPrivilege	4992	msiexec.exe
Token: SeDebugPrivilege	4992	msiexec.exe
Token: SeAuditPrivilege	4992	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4992	msiexec.exe
Token: SeChangeNotifyPrivilege	4992	msiexec.exe
Token: SeRemoteShutdownPrivilege	4992	msiexec.exe
Token: SeUndockPrivilege	4992	msiexec.exe
Token: SeSyncAgentPrivilege	4992	msiexec.exe
Token: SeEnableDelegationPrivilege	4992	msiexec.exe
Token: SeManageVolumePrivilege	4992	msiexec.exe
Token: SeImpersonatePrivilege	4992	msiexec.exe
Token: SeCreateGlobalPrivilege	4992	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4992	msiexec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1c532f2594.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4992

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:744
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4948
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BA2D7E1E77384EF6B48F583C7ACFF77C
  2⤵
  PID:944
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-137f9ab3-446d-4eeb-8aa9-8977d8efbf96\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2280
- - C:\Users\Admin\AppData\Local\Temp\MW-137f9ab3-446d-4eeb-8aa9-8977d8efbf96\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-137f9ab3-446d-4eeb-8aa9-8977d8efbf96\files\windbg.exe"
    3⤵
    PID:60
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      PID:392
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-137f9ab3-446d-4eeb-8aa9-8977d8efbf96\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:4360

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-137f9ab3-446d-4eeb-8aa9-8977d8efbf96\files.cab

Filesize
301KB

MD5
a6df3d12beca908b9bfe316a6869030c

SHA1
83d698052e1ca354a5411177573cba191a432d8c

SHA256
3b336360708c0ab1b92d544064d0a97b06be4c718c97b2fe6869b2d31458576f

SHA512
e5601b6386221049cde2a15b8201915604667f05da977b7e4d0e1874c2d64f5fd4a6abfa123a2b352540c98a6acb7c4b8e8056be0b860ace6da4ac0dcba5cf50

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-137f9ab3-446d-4eeb-8aa9-8977d8efbf96\files\00004-4001132497.png

Filesize
325KB

MD5
0ac0cf8fcb8c542d91ec1c2572499b97

SHA1
8de2952f5e29dc008787f21fa6660281ecbe27ef

SHA256
d5a7248857f4724cae8e369a518cdd7de845e52b4114360be741c55125acf26d

SHA512
c33123e2f45a4c01fd0b5c7b913124c321b178e09803acdf2f9ee67d0c6c115bf851ac396df9f3f5b15524d422893e9614c94a96493e460b2e132d492b3c240e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-137f9ab3-446d-4eeb-8aa9-8977d8efbf96\files\00005-3546315028.png

Filesize
135KB

MD5
27f987daee1b34fee994a2e4d4813ab0

SHA1
441ed0609d4e286a3014eea184542b80eb85e5dc

SHA256
59623dc1538545035f3af63381ecf03bc6fbe39a108cbb2d28b1c7fb94f3286b

SHA512
74f6bf82adb718d7fc9343144a7270e409afacbb76c91f66abe6db914a9153bc43c309c2a67b0596ac22b1d5b29e483636a95c54a985f1a53e3caa51aac59561

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-137f9ab3-446d-4eeb-8aa9-8977d8efbf96\files\00006-3546315029.png

Filesize
305KB

MD5
1145025c29a94854a33d0788f6e4932a

SHA1
db6f8a560cc40cc4ba304882e0a900d5b89224e4

SHA256
7fea133757dfb3b5df6d6fee738d0a0fdd8f83f3cae2c7544e4755604bb83fcc

SHA512
178439eedc8a1cb283911600a30c875b1e234f087e6078451d774c97ac10074e9a3dc1d045e697c21b2aecf176f574c4b67e72fd9eba6a0f3a3ee515c0af2c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-137f9ab3-446d-4eeb-8aa9-8977d8efbf96\files\00007-3546315030.png

Filesize
357KB

MD5
9f0df0afcec65fe989cc7adfba807a11

SHA1
c641776330b048dc1ba6f5e442cd59fc4dd48399

SHA256
bd55fc0804a6739ef7f94308386a90e82556c688c1ea712c50d65752c33ba81e

SHA512
144dc9b11316c0ce39419b101fbecaadac809ce3534621788a0f676aef193d1a35f03ea0c94b1a7cf2bfdc6d4ff33a40fa411a9dfc9d20505e0211acb2111211

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-137f9ab3-446d-4eeb-8aa9-8977d8efbf96\files\data.bin

Filesize
92KB

MD5
472526a8c742a25296b345509638c863

SHA1
345523ddcd3216cf060ce242071374614fc372a6

SHA256
5d7aace8eb61d1fb4553069d8501100d64abb9968b1f20f84f3d23c71dab1366

SHA512
8ab00a37557e6e92476a85ae8e5f71fa1a84e54a0e60e5f75eb553d12e145b17fd4b82b81cf2610435976c828f29865df41c4cddc2224e55dfa0edf7375f67f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-137f9ab3-446d-4eeb-8aa9-8977d8efbf96\files\data2.bin

Filesize
335KB

MD5
af8c22fa6cd32fa85269e79202f654c7

SHA1
655334749ae2f853ce4e4a5df3c9b2e676c7acb6

SHA256
83f03535e4d0eb502f4e5f8d06d3ca7ceeeaa7c6ec1d38e76d7553ca3276b3bb

SHA512
d4992e346502248e0b3ffcd841b15a45ddbf621595e8857a7c50b8fa25c5b89c14a3db78f0c1c865b62b15e5aee640fe140a6631c63a854f22d0a04d8c02a756

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-137f9ab3-446d-4eeb-8aa9-8977d8efbf96\files\dbgeng.dll

Filesize
291KB

MD5
417f0f3a5148e3a336c741bda16396af

SHA1
a003e6830d0bcabdddee4ef6e400340e4f94ec5a

SHA256
cfa3b7a66c92859dc58e052af1f051d57aad4e631cbd4ec1d8c159b3420476be

SHA512
746c58de3448765bc7e529146953387905cea281c1cf92aa3642701b8863f00b5e12ce5112cdf3a4988ffff4302413e3df19566bd96c938ee4f7a1f2d08e579f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-137f9ab3-446d-4eeb-8aa9-8977d8efbf96\files\dbgeng.dll

Filesize
180KB

MD5
f500128ae2d2d733e46cf3625b27038b

SHA1
30ee1f09fd79524bc8cbad867e8e26cb055a3e3f

SHA256
f16eb1d77beab44073d9ee5dc4b18b13ed4e73ea543ae8f67c2bcb15e077a718

SHA512
916fe382d36f75ad5b736dc29e05cc96be0b6082052fd3219c2f2ccada9d05afc229f17c767e0a6f6ae69ca64e0219782420573052f7b41367bbd4c446f0f057

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-137f9ab3-446d-4eeb-8aa9-8977d8efbf96\files\windbg.exe

Filesize
406KB

MD5
b343df9c1bbc4e63dbb683e382aae135

SHA1
ceae09a984e8396f49eb307c82632828890c3f0a

SHA256
56f6ece099e45539302a196ca557c2c3ec4f96f9b07ddc9589cca81993ca957f

SHA512
7c1ba016f3ea44e3a7cc22718d7ed2f1364caf4f39bbb033446f57a8a59e67a0735e470864a8b3f9d24f67acd164bdb50b8765082b422373d3f9ade14fd558c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-137f9ab3-446d-4eeb-8aa9-8977d8efbf96\files\windbg.exe

Filesize
307KB

MD5
53c036dff1c44e5f8730b143d4abf243

SHA1
73ec51e667993f392d7552179464f2bbb958dd44

SHA256
6e49a841695fbb67fc74f18adf15b598ef20b53d2ece2e15d368dfccfa299c80

SHA512
4f9557012ff170efea1aab124a4923edb277b36cbe7c3517b5e0f916ee278b5b9093eba774bfd4d4c4404e0860a540fe5cea36a2844b898555a31663dd9c0c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-137f9ab3-446d-4eeb-8aa9-8977d8efbf96\msiwrapper.ini

Filesize
1KB

MD5
ec43b0a059f4fd5c34936c19d5ff5468

SHA1
c77210b98573c7b918f5d687de6516dcea542686

SHA256
dd39223d9f6b35ef3d0e12666d68715483f6c930dbe473249a30e5d9e94a3da7

SHA512
6dd067caea15068b97688183b48a70b5b2d50a1b907fc88f5423a1c09427e0df6e730890991e9926873211004494dd9fd0b152b7e56d6d8ddde472e0b2fdb309

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-137f9ab3-446d-4eeb-8aa9-8977d8efbf96\msiwrapper.ini

Filesize
1KB

MD5
e01bcd9f3407106ae4458929a2c5c214

SHA1
51d4353fe4ed52a547db7542019f82636650e8d5

SHA256
2fa8d459b429fe815a58fe39a3f24440dc79ef4acb84346c1662bf4df23581a1

SHA512
4aea924e2d595af0d3b19390933cc19dc5734527c27abfbbd43e619641f87a4ae7fd2fae965fbf5e12f4b879027b82b97995a6af89f7322175fe555803ca6062

Download Submit
C:\Windows\Installer\MSI73E8.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\tmpa\Autoit3.exe

Filesize
314KB

MD5
53032bb7abe3a1e8aee11f1bd80afa1d

SHA1
f67afdb00f9084a542b1e59f1674b848a1b57beb

SHA256
d4672c44a7534f247de92c5d5a291d125b3f429fdeed90e0206bff3deaf5bf66

SHA512
ba435493138510b3ccd038356aab033db8b9f1b1a6dd3ba6dca3b1c568306cb47945f0f6cdb8c1786183c4493b11a6d4038804845f6c6c64a4045f71856d9706

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
196KB

MD5
f53afac8a2e2b4760cb133a3eca71d88

SHA1
389981203a0aadeb2b2ac8a2c72fd82f84d9628d

SHA256
5dc9164c5f5125f5f032ff5cf04bbf742d88a28d4f71e02193ec64d80caf6831

SHA512
a4ce44691c1f2d9283d6ef81e45a84c865b09703af60929a575d6dbf31ede172da52a5ed0250c91365b925399101f5e6c51ec8d3f580f262429b4c0508f2b0ac

Download Submit
\??\Volume{542e36da-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{10f0a614-980c-4d40-95f7-a6c4cd81e71f}_OnDiskSnapshotProp

Filesize
1KB

MD5
74098a42df098b2ee521b2fbd853d40e

SHA1
37902de891411be56ab7a175c4565ae9b93b11a4

SHA256
9c75d6ccb35eee1d628771309bf3029d8bab1862a815a4d2309d6352aa3e09f2

SHA512
0e962636ff2f7236281814d0c9d76b9feb89d2859d33630fd53a977a7f91e767f1c64ababa7f4d501a85533e51bdf8d48ad5eb7bcaf2de92886bdf1a2ed755bc

Download Submit
\??\c:\tmpa\script.au3

Filesize
356KB

MD5
b3161f3fae0dc64cdb05896f02cfa15f

SHA1
92dbb8a8ec35768d2a866b05753371803cf533ee

SHA256
c694b06fedc7d67379cd1bcd97605f8255e4ccc2e45cc42e3823eb9e5aaa8618

SHA512
acbfae0ae29e0fa02785b17e1f9c626b91cc88997b3db84f330ce9972d6d0da62b1a387795ab806818bb616e5bcbec323e1451d5c6f00a33a35f84c1e6e44844

Download Submit
memory/60-93-0x0000000002EA0000-0x0000000002F2A000-memory.dmp

Filesize
552KB

Download
memory/60-98-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/60-99-0x0000000002EA0000-0x0000000002F2A000-memory.dmp

Filesize
552KB

Download
memory/392-107-0x0000000003CE0000-0x0000000003DE0000-memory.dmp

Filesize
1024KB

Download
memory/392-108-0x00000000043D0000-0x0000000004565000-memory.dmp

Filesize
1.6MB

Download