darkgate | e0a36182df70d6af3289ea7c430874b8281db531c767beab5131f6726f5635a2

Analysis

max time kernel
1149s
max time network
1161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2024 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

apdproxy.exe
Size

62KB
MD5

fc9e59fe8bc4fe05382cff5c8fc59de1
SHA1

69423bc900644a910936d2c5828348d188e5d750
SHA256

a16b93c374e77f98889d7ad7f38b2282dbc5a40511541b9105b1dcf9216c3cf3
SHA512

1d34be70cd701b606873aaf6910ab7fa7a3c4a81e0398d9bdcf8e8aac3dd63ec888c478e45600bf7e34301bec231038e8dccb457e49db8b5ff1c0740b68d072c
SSDEEP

768:oSGP0wWfldXbYnoHbzrzHKSi90hHVKIYl2PN+iTre/S/Mqnzh9SLiB+L8rhOFPC1:oSGPGSwPPH9Kq0qzXrElX

Score

10^/10

darkgate stealer

Malware Config

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral2/memory/3004-12-0x0000000005D80000-0x00000000060CE000-memory.dmp	family_darkgate_v6
behavioral2/memory/3004-14-0x0000000005D80000-0x00000000060CE000-memory.dmp	family_darkgate_v6

Executes dropped EXE 1 IoCs

pid	Process
3004	Autoit3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 3004	3924	apdproxy.exe	83
PID 3924 wrote to memory of 3004	3924	apdproxy.exe	83
PID 3924 wrote to memory of 3004	3924	apdproxy.exe	83

C:\Users\Admin\AppData\Local\Temp\apdproxy.exe
"C:\Users\Admin\AppData\Local\Temp\apdproxy.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3924
- \??\c:\temp\Autoit3.exe
  "c:\temp\Autoit3.exe" c:\temp\script.au3
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\script.au3

Filesize
910KB

MD5
5ae10e98b7f01a0433b18c66dd7ff7d3

SHA1
7043ab94fcd76c9a7afb91e2adae691358796eb5

SHA256
c83870e8f4884f6653ad7fe43d43e9ab8d6c8b3c295d10f1f1921acd8f1e42a8

SHA512
4c337d91ca76844dbebd186df0a165efea46a0234b8472f7b4fcc9c844917eb7a8449fc3e3e9006e8f5ad3e1df716d19f7dd212cfdf44268caaa3ea72f53aeb8

Download Submit
\??\c:\temp\test.txt

Filesize
76B

MD5
af2e30edcb89c0b9ca2bc4ccc519e5b0

SHA1
c93d528cd43890fef9841708a825b02133a07734

SHA256
f8b5bfd9bff557bcd6326949ad261e74edc463350a276fb080a250f76284de45

SHA512
4279afcf1f76d411b766e51ee207b8cb5dc5914c409359387b74ed0fc1f26db134592fdd4030b650e05d7fd7f7d5ffb4c0d5f3e67b548c224fa910b880db35d8

Download Submit
memory/3004-11-0x0000000004400000-0x00000000053D0000-memory.dmp

Filesize
15.8MB

Download
memory/3004-12-0x0000000005D80000-0x00000000060CE000-memory.dmp

Filesize
3.3MB

Download
memory/3004-14-0x0000000005D80000-0x00000000060CE000-memory.dmp

Filesize
3.3MB

Download
memory/3924-0-0x00000000026D0000-0x00000000028C3000-memory.dmp

Filesize
1.9MB

Download
memory/3924-6-0x0000000074ED0000-0x0000000074FC4000-memory.dmp

Filesize
976KB

Download
memory/3924-8-0x00000000026D0000-0x00000000028C3000-memory.dmp

Filesize
1.9MB

Download