Overview

overview

10

Static

static

10

cccdbbb.exe

windows7-x64

10

cccdbbb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    20/01/2024, 09:16 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cccdbbb.exe

  • Size

    405KB

  • MD5

    52fc04a1017bff949d2531942491e7d9

  • SHA1

    0f23ac4f5dc0603894374026349d7db0f870ee91

  • SHA256

    c36f35e271e0e7c345ca701c782605a2f899aa6f30f13d06ab7541244c8a8229

  • SHA512

    920905dc5d7c25daf2ba38daeeeab8ffe883023905ecb166f585346b012caeb3629e12400ca0df4c24e23d2abdea8081f7272d3b1385121ffc301f2982a10c85

  • SSDEEP

    12288:0UEpOEWzuYzy/Bda9AlxhwcySTcth/4N:0fOEWjyZda9uhwlSIf4

Score
10/10
darkgatecivilian1337stealer

Malware Config

Extracted

Family

darkgate

Version

5.2.4

Botnet

civilian1337

C2

http://185.130.227.202

Attributes
  • alternative_c2_port

    8080

  • anti_analysis

    false

  • anti_debug

    true

  • anti_vm

    false

  • c2_port

    2351

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    true

  • crypto_key

    VPsTDMdPronzYs

  • internal_mutex

    txtMut

  • minimum_ram

    4096

  • ping_interval

    4

  • rootkit

    true

  • startup_persistence

    true

  • username

    civilian1337

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cccdbbb.exe
    "C:\Users\Admin\AppData\Local\Temp\cccdbbb.exe"
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:2256
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1180
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1104

      Network

        No results found
      • 185.130.227.202:2351
        cccdbbb.exe
        104 B
         2
      • 185.130.227.202:8080
        cccdbbb.exe
        104 B
         2
      No results found

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2256-3-0x0000000000400000-0x0000000000465000-memory.dmp

        Filesize

        404KB

        Download

      • memory/2256-5-0x0000000000400000-0x0000000000465000-memory.dmp

        Filesize

        404KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.