General

  • Target

    TaxForm.lnk

  • Size

    1KB

  • Sample

    240202-ybyahadhb8

  • MD5

    6286895f855df2e0577a8de4c7d083bd

  • SHA1

    b963d63927e491e9297ca56d737dda5b24aeb929

  • SHA256

    dd02646e2bfae250696acb1f911f8feac56e3223c11aa26ebf2e77700c0477f4

  • SHA512

    4648ffca2f148611d50e23bfde904f330a9aa966350c8a9f4648b419444edcb4d459abf9306410491766f2ba21d334afe2446ee5e6402a5ddf71d3b04f543955

Malware Config

Extracted

  • Language

    hta

  • Source

  • URLs

    hta.dropper: http://45.153.243.208/a58

Targets

    • Target

      TaxForm.lnk

    • Size

      1KB

    • MD5

      6286895f855df2e0577a8de4c7d083bd

    • SHA1

      b963d63927e491e9297ca56d737dda5b24aeb929

    • SHA256

      dd02646e2bfae250696acb1f911f8feac56e3223c11aa26ebf2e77700c0477f4

    • SHA512

      4648ffca2f148611d50e23bfde904f330a9aa966350c8a9f4648b419444edcb4d459abf9306410491766f2ba21d334afe2446ee5e6402a5ddf71d3b04f543955

    • DarkGate

      DarkGate is an infostealer written in C++.

    • Detect DarkGate stealer

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks