darkgate | 1a24b6b486f72b19c316fbb8663be1f600ad5d55702b9b37ce84c7a8ab365aab

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2024 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Run-AU3-1.bat
Size

22B
MD5

71d34148ef4052925a42484a816eb7ae
SHA1

b444253415625a894a9f14d99f9a3be9a80636c8
SHA256

51d06ed73d4cf122db1ad36dcd5d0e339c2d3c1a463d77afe313d456ec3f273b
SHA512

b71353a72f8e92830c9c51d71b43d112e5e77b3c1a99a0fa4a162ce23c71ca682f34e0a2055c599689a80299337b07e56dbf2105a9c4c4bf4ac1e2d8015c37a8

Score

10^/10

darkgate stealer

Malware Config

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral2/memory/2332-3-0x0000000006870000-0x0000000006BBE000-memory.dmp	family_darkgate_v6
behavioral2/memory/2332-4-0x0000000006870000-0x0000000006BBE000-memory.dmp	family_darkgate_v6

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 2332	924	cmd.exe	85
PID 924 wrote to memory of 2332	924	cmd.exe	85
PID 924 wrote to memory of 2332	924	cmd.exe	85

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Run-AU3-1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:924
- C:\Users\Admin\AppData\Local\Temp\Autoit3.exe
  Autoit3.exe script.au3
  2⤵
  - Checks processor information in registry
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2332-1-0x0000000005110000-0x00000000060E0000-memory.dmp

Filesize
15.8MB

Download
memory/2332-3-0x0000000006870000-0x0000000006BBE000-memory.dmp

Filesize
3.3MB

Download
memory/2332-4-0x0000000006870000-0x0000000006BBE000-memory.dmp

Filesize
3.3MB

Download