darkgate | 8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4

General

Target

8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4.exe
Size

4.2MB
MD5

74019cf8562c516c372e09ce02de7355
SHA1

3ce6f711cd1ad954b96cb98055a3a40dae8c9a65
SHA256

8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4
SHA512

7b41d9a1387ebdded1833a655166ffb2cd43b0eb490c5899bf72355a5e2e371b2d0be2231c5252b8fb2a569c92884e8a3391163207fdcb74e66edebcf5cfc771
SSDEEP

49152:1qCI3jRuBrxpU4hEZ/qCOyHcRdzFqivZaFChW7ZapGC8FXw+aPwEFtS5/BEc74fu:8CSsrxpU4hE1qCOeNiTGC89aZS2L

Score

10^/10

darkgate admin888 stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

afdhf198jfadafdkfad.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
lrDcZuOq
minimum_disk
50
minimum_ram
7000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2128-13-0x0000000003640000-0x0000000004610000-memory.dmp	family_darkgate_v6
behavioral1/memory/2128-14-0x0000000004B00000-0x0000000004E4F000-memory.dmp	family_darkgate_v6
behavioral1/memory/2128-15-0x0000000004B00000-0x0000000004E4F000-memory.dmp	family_darkgate_v6

Executes dropped EXE 1 IoCs

Processes:

Autoit3.exe

pid process

2128 Autoit3.exe
Loads dropped DLL 1 IoCs

Processes:

8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4.exe

pid process

1152 8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4.exe

pid	process
2128	Autoit3.exe

pid	process
1152	8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Autoit3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4.exe

description	pid	process	target process
PID 1152 wrote to memory of 2128	1152	8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4.exe	Autoit3.exe
PID 1152 wrote to memory of 2128	1152	8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4.exe	Autoit3.exe
PID 1152 wrote to memory of 2128	1152	8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4.exe	Autoit3.exe
PID 1152 wrote to memory of 2128	1152	8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4.exe	Autoit3.exe

C:\Users\Admin\AppData\Local\Temp\8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4.exe
"C:\Users\Admin\AppData\Local\Temp\8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152

\??\c:\temp\Autoit3.exe
"c:\temp\Autoit3.exe" c:\temp\script.a3x
2⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2128

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\temp\Autoit3.exe
Filesize
244KB

MD5
e85a0afcf02e5fdb0b596257430a3d80

SHA1
732f480e97e26644a8d6292e8c217b67e18db739

SHA256
3e4238a4c01e826093404f70f877ab52ccded859481b5b9c4069001c5fed2cac

SHA512
7eb6211a52feaec21db18432da3c6c7db96153123b4cd1afaf319571f20f48bf390b71201b48b962020b8739a494e44b9c289f9fc16077c248e2714f79198f02

Download Submit
\??\c:\temp\script.a3x
Filesize
468KB

MD5
b285a2a2da41e02edd0e090cf3900db0

SHA1
caae12d166fa20fcb5aba44947b379f370d47ec4

SHA256
dbb900ab8d921e3faccd6bb827353683e80be4e4ae530488bc90559251e85c2d

SHA512
1b6624c1af8b0889acbf1eb0abdfb148c04afeb025ac9a21173334f781692dcead0d3fff79e2f156c016b2700aaa4063bb92daec43e1638be9c76f443d37b60c

Download Submit
\??\c:\temp\test.txt
Filesize
76B

MD5
f9c268806eadf724fe06c8485ab592b5

SHA1
b462ca6d6639f0d44cb7fa02a69de2f327f9e1d6

SHA256
4be8f8d0446ecf4d3213ab354e15591428576531acf5af60f6f07e770944bcdd

SHA512
c6bdd408aa3c1a77917dd0f11404cadd8e8f67aea79679ca54817932359e9cf905a5297c9aba945d7de04837fdbe531825d81aab266fd676d6eef2743ac17a33

Download Submit
\temp\Autoit3.exe
Filesize
531KB

MD5
90fff7729994ccb4f2bff8b46a859030

SHA1
b2ce1c345de92481a93180e441950baf8ae32f81

SHA256
e82d75d3ab1efca9b2c19794b917ad1a5595a9cf84c1449ab050adc81ff0023f

SHA512
f1c94434915eb80a3f44c8d62b84b18be35ac5630aefb663e89941710621c6506b16517609a31a5b793a515f03d2cadae5dad62f310117f3d0c99dde9f8ab0d9

Download Submit
memory/1152-2-0x0000000002610000-0x000000000276F000-memory.dmp

Filesize
1.4MB

Download
memory/1152-9-0x0000000002610000-0x000000000276F000-memory.dmp

Filesize
1.4MB

Download
memory/2128-13-0x0000000003640000-0x0000000004610000-memory.dmp

Filesize
15.8MB

Download
memory/2128-14-0x0000000004B00000-0x0000000004E4F000-memory.dmp

Filesize
3.3MB

Download
memory/2128-15-0x0000000004B00000-0x0000000004E4F000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads