Overview

overview

10

Static

static

3

apdproxy.exe

windows10-1703-x64

10

apdproxy.exe

windows10-2004-x64

10

apdproxy.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1033s
  • max time network
    1085s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08-02-2024 02:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    apdproxy.exe

  • Size

    62KB

  • MD5

    fc9e59fe8bc4fe05382cff5c8fc59de1

  • SHA1

    69423bc900644a910936d2c5828348d188e5d750

  • SHA256

    a16b93c374e77f98889d7ad7f38b2282dbc5a40511541b9105b1dcf9216c3cf3

  • SHA512

    1d34be70cd701b606873aaf6910ab7fa7a3c4a81e0398d9bdcf8e8aac3dd63ec888c478e45600bf7e34301bec231038e8dccb457e49db8b5ff1c0740b68d072c

  • SSDEEP

    768:oSGP0wWfldXbYnoHbzrzHKSi90hHVKIYl2PN+iTre/S/Mqnzh9SLiB+L8rhOFPC1:oSGPGSwPPH9Kq0qzXrElX

Score
10/10
darkgatestealer

Malware Config

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\apdproxy.exe
    "C:\Users\Admin\AppData\Local\Temp\apdproxy.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3400
    • \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.au3
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      PID:308

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\temp\Autoit3.exe
    Filesize

    750KB

    MD5

    efb78ee325457f8d650f86f34423b980

    SHA1

    8aa74c805b583ef6f860d6c5c8fad7a66bf407d0

    SHA256

    6b05cbbf501dbba481ac559d791651f81f4a1570a673b7f8a5dd2f6cd924d0f3

    SHA512

    c091e8dc2381899f1b5769ea38d533635f8efe9a7939786e1629f3300af28e806f4a8f3e4d87565201a3f08d77955d4b9df9e9517a70ed59e25329f8955fcc71

    Download Submit

  • \??\c:\temp\script.au3
    Filesize

    779KB

    MD5

    bff9a5793b91063161dc2bd3ad57f68e

    SHA1

    4da59fd3544277e1759ad77ce7d2876e87f1be9f

    SHA256

    676e1faa45991609720ea160ebedbb59a83a96bd94064ea43642ff608ff420ec

    SHA512

    bc7a0247c681ff78db0f9fd9dd409e0971524b54cf63a9e5e6ab408efb1e76e41fd0fb216c88c69967244a63b0fbe6e196999d6b6fb47642cde14f05315089a7

    Download Submit

  • \??\c:\temp\test.txt
    Filesize

    76B

    MD5

    af2e30edcb89c0b9ca2bc4ccc519e5b0

    SHA1

    c93d528cd43890fef9841708a825b02133a07734

    SHA256

    f8b5bfd9bff557bcd6326949ad261e74edc463350a276fb080a250f76284de45

    SHA512

    4279afcf1f76d411b766e51ee207b8cb5dc5914c409359387b74ed0fc1f26db134592fdd4030b650e05d7fd7f7d5ffb4c0d5f3e67b548c224fa910b880db35d8

    Download Submit

  • memory/308-11-0x00000000046A0000-0x0000000005670000-memory.dmp

    Filesize

    15.8MB

    Download

  • memory/308-12-0x0000000005F30000-0x000000000627E000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/308-14-0x0000000005F30000-0x000000000627E000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3400-1-0x00000000025F0000-0x00000000027E3000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3400-8-0x00000000025F0000-0x00000000027E3000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3400-6-0x00000000746E0000-0x00000000747D4000-memory.dmp

    Filesize

    976KB

    Download