darkgate | c36f35e271e0e7c345ca701c782605a2f899aa6f30f13d06ab7541244c8a8229

Analysis

max time kernel
135s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2024 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cccdbbb.exe
Size

405KB
MD5

52fc04a1017bff949d2531942491e7d9
SHA1

0f23ac4f5dc0603894374026349d7db0f870ee91
SHA256

c36f35e271e0e7c345ca701c782605a2f899aa6f30f13d06ab7541244c8a8229
SHA512

920905dc5d7c25daf2ba38daeeeab8ffe883023905ecb166f585346b012caeb3629e12400ca0df4c24e23d2abdea8081f7272d3b1385121ffc301f2982a10c85
SSDEEP

12288:0UEpOEWzuYzy/Bda9AlxhwcySTcth/4N:0fOEWjyZda9uhwlSIf4

Score

10^/10

darkgate civilian1337 stealer

Malware Config

Extracted

Family

darkgate

Version

5.2.4

Botnet

civilian1337

http://185.130.227.202

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
true
anti_vm
false
c2_port
2351
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
true
crypto_key
VPsTDMdPronzYs
internal_mutex
txtMut
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
civilian1337

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 3620 created 2612	3620	cccdbbb.exe	27
PID 3620 created 2900	3620	cccdbbb.exe	70
PID 3620 created 2900	3620	cccdbbb.exe	70
PID 3620 created 4588	3620	cccdbbb.exe	56
PID 3620 created 4588	3620	cccdbbb.exe	56

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cccdbbb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cccdbbb.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3620	cccdbbb.exe
3620	cccdbbb.exe
3620	cccdbbb.exe
3620	cccdbbb.exe
3620	cccdbbb.exe
3620	cccdbbb.exe
3620	cccdbbb.exe
3620	cccdbbb.exe
3620	cccdbbb.exe
3620	cccdbbb.exe
3620	cccdbbb.exe
3620	cccdbbb.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2612

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4588

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\cccdbbb.exe
"C:\Users\Admin\AppData\Local\Temp\cccdbbb.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3620-3-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3620-4-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3620-6-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download