darkgate | 4644c5cfe036b53190d6f36a2d9e3067ea05622481092ab05b55e5754e89ba2e | Triage

Submit
Reports

Overview

overview

Static

static

1

05022024_2...he.hta

windows7-x64

6

05022024_2...he.hta

windows10-2004-x64

Sharing

General

Target

05022024_2208_chache.hta
Size

73KB
Sample

240205-rfekmabeap
MD5

26daad505b15a76a4ae1be76f9c77488
SHA1

70d2f0a9a4f51316f65ff8b895518c6fb824f4c7
SHA256

4644c5cfe036b53190d6f36a2d9e3067ea05622481092ab05b55e5754e89ba2e
SHA512

96e8cc6ea11bd22d9a3195f87c5d4e241e58a1c6fca2de4db1dab4a08d8cd4d4b7a9a51a7b478f16422c030cd675b7ab144015de8c87bcec03bc5c0568c26ffc
SSDEEP

768:kohVndK3EFiaID3u1cP/wTgdok7h/ZdmYu7aZD0fJgPKOjLxphC8U4u4EeUeEgFa:kobndK4IDeshU3gfALti5Oz

Score

10^/10

darkgate xiputin1 discovery execution stealer

Static task

static1

Behavioral task

behavioral1

Sample

05022024_2208_chache.hta

Resource

win7-20231215-en

discovery execution

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

05022024_2208_chache.hta

Resource

win10v2004-20231215-en

darkgate xiputin1 discovery execution stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

darkgate

Botnet

xiputin1

C2

bizabiza.mywire.org

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
8094
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
IXVIPUIJ
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
xiputin1

Extracted

Family

darkgate

Version

6.1.7

Botnet

xiputin1

C2

bizabiza.mywire.org

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
8094
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
IXVIPUIJ
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
xiputin1

Targets

- Target
  
  05022024_2208_chache.hta
- Size
  
  73KB
- MD5
  
  26daad505b15a76a4ae1be76f9c77488
- SHA1
  
  70d2f0a9a4f51316f65ff8b895518c6fb824f4c7
- SHA256
  
  4644c5cfe036b53190d6f36a2d9e3067ea05622481092ab05b55e5754e89ba2e
- SHA512
  
  96e8cc6ea11bd22d9a3195f87c5d4e241e58a1c6fca2de4db1dab4a08d8cd4d4b7a9a51a7b478f16422c030cd675b7ab144015de8c87bcec03bc5c0568c26ffc
- SSDEEP
  
  768:kohVndK3EFiaID3u1cP/wTgdok7h/ZdmYu7aZD0fJgPKOjLxphC8U4u4EeUeEgFa:kobndK4IDeshU3gfALti5Oz
Score

10^/10

discovery execution darkgate xiputin1 stealer
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- Darkgate family
  darkgate
- Detect DarkGate stealer
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Uses the VBS compiler for execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: AutoIT
  Using AutoIT for possible automate script.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

AutoHotKey & AutoIT

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

darkgatexiputin1discoveryexecutionstealer

© 2018-2025

Terms | Privacy