Analysis
- max time kernel: 118s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05-03-2024 16:24
Behavioral task: behavioral1
- Sample: 0.jpg.exe
- Resource: win7-20240221-en
General
- Target: 0.jpg.exe
- Size: 4.2MB
- MD5: 74019cf8562c516c372e09ce02de7355
- SHA1: 3ce6f711cd1ad954b96cb98055a3a40dae8c9a65
- SHA256: 8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4
- SHA512: 7b41d9a1387ebdded1833a655166ffb2cd43b0eb490c5899bf72355a5e2e371b2d0be2231c5252b8fb2a569c92884e8a3391163207fdcb74e66edebcf5cfc771
- SSDEEP: 49152:1qCI3jRuBrxpU4hEZ/qCOyHcRdzFqivZaFChW7ZapGC8FXw+aPwEFtS5/BEc74fu:8CSsrxpU4hE1qCOeNiTGC89aZS2L
Malware Config
Extracted family: darkgate
- campaign/botnet id: admin888
- C2: afdhf198jfadafdkfad.com
- anti_analysis: true
- anti_debug: false
- anti_vm: true
- c2_port: 80
- check_disk: false
- check_ram: false
- check_xeon: false
- crypter_au3: false
- crypter_dll: false
- crypter_raw_stub: false
- internal_mutex: lrDcZuOq
- minimum_disk: 50
- minimum_ram: 7000
- ping_interval: 6
- rootkit: false
- startup_persistence: true
- username: admin888
Signatures
- Detect DarkGate stealer (3 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/3028-13-0x00000000036F0000-0x00000000046C0000-memory.dmp: family_darkgate_v6
  - behavioral1/memory/3028-14-0x0000000004B70000-0x0000000004EBF000-memory.dmp: family_darkgate_v6
  - behavioral1/memory/3028-15-0x0000000004B70000-0x0000000004EBF000-memory.dmp: family_darkgate_v6
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 3028 Autoit3.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  - 1284 0.jpg.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Autoit3.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Autoit3.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  - PID 1284 wrote to memory of 3028: 0.jpg.exe -> Autoit3.exe
  - PID 1284 wrote to memory of 3028: 0.jpg.exe -> Autoit3.exe
  - PID 1284 wrote to memory of 3028: 0.jpg.exe -> Autoit3.exe
  - PID 1284 wrote to memory of 3028: 0.jpg.exe -> Autoit3.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0.jpg.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0.jpg.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Child: \??\c:\temp\Autoit3.exe
    Command line: "c:\temp\Autoit3.exe" c:\temp\script.a3x
    - Executes dropped EXE
    - Checks processor information in registry
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\temp\Autoit3.exe
  - Filesize: 872KB
  - MD5: c56b5f0201a3b3de53e561fe76912bfd
  - SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  - SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  - SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- \??\c:\temp\script.a3x
  - Filesize: 468KB
  - MD5: b285a2a2da41e02edd0e090cf3900db0
  - SHA1: caae12d166fa20fcb5aba44947b379f370d47ec4
  - SHA256: dbb900ab8d921e3faccd6bb827353683e80be4e4ae530488bc90559251e85c2d
  - SHA512: 1b6624c1af8b0889acbf1eb0abdfb148c04afeb025ac9a21173334f781692dcead0d3fff79e2f156c016b2700aaa4063bb92daec43e1638be9c76f443d37b60c
- \??\c:\temp\test.txt
  - Filesize: 76B
  - MD5: f9c268806eadf724fe06c8485ab592b5
  - SHA1: b462ca6d6639f0d44cb7fa02a69de2f327f9e1d6
  - SHA256: 4be8f8d0446ecf4d3213ab354e15591428576531acf5af60f6f07e770944bcdd
  - SHA512: c6bdd408aa3c1a77917dd0f11404cadd8e8f67aea79679ca54817932359e9cf905a5297c9aba945d7de04837fdbe531825d81aab266fd676d6eef2743ac17a33
- \temp\Autoit3.exe
  - Filesize: 704KB
  - MD5: 9acc4c8a133e28df5f1dabb3c7554cbe
  - SHA1: 0f911bdef50d15922bd603feae8344efbfea2851
  - SHA256: ab5e6b09b61459f2d82d09d1c62abe4f07a0c6624214dc46191b02415330c202
  - SHA512: 7716bc68e70fade5877e04674326c9b0b561463772da7f48949b6c555f1091aa4edaf7886d05de3f976c3dcb95d4a8795c3ba181553b8248555691417addfe45
- memory/1284-2-0x00000000026F0000-0x000000000284F000-memory.dmp
  - Filesize: 1.4MB
- memory/1284-8-0x00000000026F0000-0x000000000284F000-memory.dmp
  - Filesize: 1.4MB
- memory/3028-13-0x00000000036F0000-0x00000000046C0000-memory.dmp
  - Filesize: 15.8MB
- memory/3028-14-0x0000000004B70000-0x0000000004EBF000-memory.dmp
  - Filesize: 3.3MB
- memory/3028-15-0x0000000004B70000-0x0000000004EBF000-memory.dmp
  - Filesize: 3.3MB