General

  • Target

    05022024_2211_fufu.hta

  • Size

    75KB

  • Sample

    240205-rhkveshef2

  • MD5

    a07c36f20a3b3a23a67121498568de52

  • SHA1

    e535ca98e7003dd977956b0b908fcbacd0e16665

  • SHA256

    afc48453e2b08d97ee3b4f7ec1d8cb4114a8f6d3ff587ce4b90f52d39d4041fb

  • SHA512

    3646899ece8e2016284bedff73ad2b5db91db8d9adc487ead622a4a332406ca7323ba9d431de1a49810d502f9bcd2944fbc5ea6aec459b62fd5bb266ee0c7b65

  • SSDEEP

    768:t7GFSdFRtWQtv4bfQiOoLbCKWNa3e40gzNU+/unhi1zOz:hGFSdsQtv4pC9N74ZJUti5Oz

Malware Config

Targets

    • Target

      05022024_2211_fufu.hta

    • DarkGate

      DarkGate is a loader and infostealer written in Delphi.

    • Detect DarkGate stealer

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence so the payload runs only in targeted regions.

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
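
The signature names above are the sandbox's labels for specific pieces of runtime evidence. The following Python is an added example, not code from the report or from the Triage sandbox: it replays a constructed process trace and maps each event to the signature it would trigger, so the reader can see what each label stands for (a registry read of the GeoID value, a process creation whose image was written earlier in the trace, a context-setting call used in process hollowing, and so on). The trace format (one event per line, key=value fields, quoted when they contain spaces), the field names, the dropped-file name, the blocklisted-process list, the assumption that the "VBS compiler" signature keys on vbc.exe, and the 203.0.113.10 and 198.51.100.5 addresses are all assumptions; every event is constructed to resemble the reported behaviour, not captured from the sample.

```python
"""Match sandbox trace events against the behaviour signatures listed above.

Added example, not code from the report or from the Triage sandbox. The
trace format, field names, dropped-file name and RFC 5737 addresses are
assumptions; the events are constructed, not captured from the sample.
"""
import re

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
GEO_NATION = r"control panel\international\geo\nation"   # per-user GeoID value
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\[^\\]+$")
HOLLOWING_APIS = {"SetThreadContext", "NtSetContextThread"}
# LOLBins whose outbound connections are treated as suspicious (assumed list)
BLOCKLISTED_NET = {"mshta.exe", "vbc.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe"}

SAMPLE_EVENTS = [  # constructed trace, in execution order
    'pid=4120 image=C:\\Windows\\System32\\mshta.exe op=RegQueryValue path="HKCU\\Control Panel\\International\\Geo\\Nation"',
    'pid=4120 image=C:\\Windows\\System32\\mshta.exe op=FileWrite path=C:\\Users\\Public\\dropped.exe',
    'pid=4120 image=C:\\Windows\\System32\\mshta.exe op=ProcessCreate child_pid=5216 child_image=C:\\Users\\Public\\dropped.exe',
    'pid=5216 image=C:\\Users\\Public\\dropped.exe op=ApiCall api=NtCreateUserProcess spoofed_parent_pid=688',
    'pid=5216 image=C:\\Users\\Public\\dropped.exe op=ProcessCreate child_pid=5300 child_image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe',
    'pid=5216 image=C:\\Users\\Public\\dropped.exe op=ApiCall api=SetThreadContext target_pid=5300',
    'pid=5300 image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe op=NetworkConnect dst=203.0.113.10:443',
    'pid=5300 image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe op=RegSetValue path="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"',
    'pid=1234 image="C:\\Program Files\\Browser\\browser.exe" op=NetworkConnect dst=198.51.100.5:443',
]


def parse_event(line):
    """Parse one key=value trace line into a dict (quoted values may contain spaces)."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def match_signatures(lines):
    """Return {signature name: [indices of the events that triggered it]}.

    Signature names are the ones from the report. 'Executes dropped EXE' is
    stateful: a process creation only counts if an earlier FileWrite event
    in the same trace created that image path.
    """
    hits = {}
    dropped = set()

    def add(name, index):
        hits.setdefault(name, []).append(index)

    for index, ev in enumerate(parse_event(line) for line in lines):
        op = ev.get("op")
        image = basename(ev.get("image", "").lower())
        path = ev.get("path", "").lower()
        child = ev.get("child_image", "").lower()
        api = ev.get("api")

        if op == "RegQueryValue" and path.endswith(GEO_NATION):
            add("Checks computer location settings", index)
        elif op == "FileWrite" and path.endswith(".exe"):
            dropped.add(path)
        elif op == "ProcessCreate":
            if child in dropped:
                add("Executes dropped EXE", index)
            if basename(child) == "vbc.exe":   # assumed: the 'VBS compiler' signature keys on vbc.exe
                add("Uses the VBS compiler for execution", index)
        elif op == "ApiCall" and api in HOLLOWING_APIS:
            add("Suspicious use of SetThreadContext", index)
        elif op == "ApiCall" and api == "NtCreateUserProcess" and "spoofed_parent_pid" in ev:
            add("Suspicious use of NtCreateUserProcessOtherParentProcess", index)
        elif op == "NetworkConnect" and image in BLOCKLISTED_NET:
            add("Blocklisted process makes network request", index)
        elif op == "RegSetValue" and RUN_KEY_RE.search(path):
            add("Adds Run key to start application", index)
    return hits


if __name__ == "__main__":
    for name, indices in match_signatures(SAMPLE_EVENTS).items():
        print(f"{name}: events {indices}")
```

The benign browser connection at the end of the trace produces no hit, and running the dropped.exe process-creation event on its own does not fire "Executes dropped EXE" because the matcher never saw the file being written; both cases are the kind of negative check worth keeping when turning sandbox labels into hunting logic.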

MITRE ATT&CK Enterprise v15

Tasks