darkgate | e06efa3ff72da4a73045d31e888e001041a0e9058266d893fda525a90ab4e94c

General

Target

06032024_0006_setup.js
Size

32KB
MD5

91129aacf3e4d87a776ca1ee9e358eb2
SHA1

3e66e0e3eb6d17055ca1acca942c592141ad8261
SHA256

e06efa3ff72da4a73045d31e888e001041a0e9058266d893fda525a90ab4e94c
SHA512

975f722719311ebf1a6bee5f17b14e131bd613e955b2bee17401c5af864d08a68240748af08ccb9da957fe2565972339baade1534d0ad018e7a266ce469f0f34
SSDEEP

768:rnJRkBVRaR9z6kNyRoRmG6o463cR4RenBRk6ORJRuRzRlnJRkBVRaR9z6kNyRoRx:rnJRkBVRaR9z6kNyRoRmG6o463cR4ReL

Score

10^/10

darkgate admin888 dave stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

afdhf198jfadafdkfad.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
lrDcZuOq
minimum_disk
50
minimum_ram
7000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2596-34-0x00000000037A0000-0x0000000004770000-memory.dmp	family_darkgate_v6
behavioral1/memory/2596-35-0x0000000004C20000-0x0000000004F6F000-memory.dmp	family_darkgate_v6
behavioral1/memory/2596-36-0x0000000004C20000-0x0000000004F6F000-memory.dmp	family_darkgate_v6

Blocklisted process makes network request 2 IoCs

Processes:

wscript.exe

flow pid process

4 1976 wscript.exe
7 1976 wscript.exe
Dave packer 1 IoCs
Detects executable using a packer named 'Dave' by the community, based on a string at the end.
dave

Processes:

resource yara_rule

C:\Users\Public\d0.exe dave
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

d0.exeAutoit3.exe

pid process

2688 d0.exe
2596 Autoit3.exe
Loads dropped DLL 1 IoCs

Processes:

d0.exe

pid process

2688 d0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
4	1976	wscript.exe
7	1976	wscript.exe

resource	yara_rule
C:\Users\Public\d0.exe	dave

pid	process
2688	d0.exe
2596	Autoit3.exe

pid	process
2688	d0.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Autoit3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

wscript.exed0.exe

description	pid	process	target process
PID 1976 wrote to memory of 2688	1976	wscript.exe	d0.exe
PID 1976 wrote to memory of 2688	1976	wscript.exe	d0.exe
PID 1976 wrote to memory of 2688	1976	wscript.exe	d0.exe
PID 1976 wrote to memory of 2688	1976	wscript.exe	d0.exe
PID 2688 wrote to memory of 2596	2688	d0.exe	Autoit3.exe
PID 2688 wrote to memory of 2596	2688	d0.exe	Autoit3.exe
PID 2688 wrote to memory of 2596	2688	d0.exe	Autoit3.exe
PID 2688 wrote to memory of 2596	2688	d0.exe	Autoit3.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\06032024_0006_setup.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1976

C:\users\public\d0.exe
"C:\users\public\d0.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688

\??\c:\temp\Autoit3.exe
"c:\temp\Autoit3.exe" c:\temp\script.a3x
3⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2596

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\d0.exe
Filesize
4.2MB

MD5
74019cf8562c516c372e09ce02de7355

SHA1
3ce6f711cd1ad954b96cb98055a3a40dae8c9a65

SHA256
8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4

SHA512
7b41d9a1387ebdded1833a655166ffb2cd43b0eb490c5899bf72355a5e2e371b2d0be2231c5252b8fb2a569c92884e8a3391163207fdcb74e66edebcf5cfc771

Download Submit
\??\c:\temp\script.a3x
Filesize
468KB

MD5
b285a2a2da41e02edd0e090cf3900db0

SHA1
caae12d166fa20fcb5aba44947b379f370d47ec4

SHA256
dbb900ab8d921e3faccd6bb827353683e80be4e4ae530488bc90559251e85c2d

SHA512
1b6624c1af8b0889acbf1eb0abdfb148c04afeb025ac9a21173334f781692dcead0d3fff79e2f156c016b2700aaa4063bb92daec43e1638be9c76f443d37b60c

Download Submit
\??\c:\temp\test.txt
Filesize
76B

MD5
f9c268806eadf724fe06c8485ab592b5

SHA1
b462ca6d6639f0d44cb7fa02a69de2f327f9e1d6

SHA256
4be8f8d0446ecf4d3213ab354e15591428576531acf5af60f6f07e770944bcdd

SHA512
c6bdd408aa3c1a77917dd0f11404cadd8e8f67aea79679ca54817932359e9cf905a5297c9aba945d7de04837fdbe531825d81aab266fd676d6eef2743ac17a33

Download Submit
\temp\Autoit3.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/2596-34-0x00000000037A0000-0x0000000004770000-memory.dmp

Filesize
15.8MB

Download
memory/2596-35-0x0000000004C20000-0x0000000004F6F000-memory.dmp

Filesize
3.3MB

Download
memory/2596-36-0x0000000004C20000-0x0000000004F6F000-memory.dmp

Filesize
3.3MB

Download
memory/2688-22-0x0000000002690000-0x00000000027EF000-memory.dmp

Filesize
1.4MB

Download
memory/2688-29-0x0000000002690000-0x00000000027EF000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads