Analysis

max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06-03-2024 02:28

Behavioral task: behavioral1
Sample: 8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4.exe
Resource: win7-20240221-en

General

Target: 8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4.exe
Size: 4.2MB
MD5: 74019cf8562c516c372e09ce02de7355
SHA1: 3ce6f711cd1ad954b96cb98055a3a40dae8c9a65
SHA256: 8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4
SHA512: 7b41d9a1387ebdded1833a655166ffb2cd43b0eb490c5899bf72355a5e2e371b2d0be2231c5252b8fb2a569c92884e8a3391163207fdcb74e66edebcf5cfc771
SSDEEP: 49152:1qCI3jRuBrxpU4hEZ/qCOyHcRdzFqivZaFChW7ZapGC8FXw+aPwEFtS5/BEc74fu:8CSsrxpU4hE1qCOeNiTGC89aZS2L

Malware Config

Extracted
  Family: darkgate
  Botnet: admin888
  C2: afdhf198jfadafdkfad.com

Attributes
  anti_analysis: true
  anti_debug: false
  anti_vm: true
  c2_port: 80
  check_disk: false
  check_ram: false
  check_xeon: false
  crypter_au3: false
  crypter_dll: false
  crypter_raw_stub: false
  internal_mutex: lrDcZuOq
  minimum_disk: 50
  minimum_ram: 7000
  ping_interval: 6
  rootkit: false
  startup_persistence: true
  username: admin888

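How the flags above gate execution, as an added example (not part of the report and not DarkGate's own code): a small Python model that takes the extracted config and a constructed host profile and reports which enabled checks the host would trip. The field semantics (minimum_ram in MB, minimum_disk in GB, check_xeon matching "Xeon" in the CPU name string that the sample reads from the registry) are assumptions drawn from public DarkGate write-ups, as are the HostProfile fields; anti_analysis is not modelled because the report does not say what it tests.

```python
"""Model the host gates enabled by the extracted DarkGate config.

Added example, not part of the sandbox report and not DarkGate's own code.
Field semantics are ASSUMED from public DarkGate write-ups: minimum_ram is
in MB, minimum_disk in GB, check_xeon looks for "Xeon" in the CPU name
string (the ProcessorNameString value the sample reads from the registry).
"""
from __future__ import annotations

from dataclasses import dataclass

# Values copied from the report's "Malware Config" section.
DARKGATE_CONFIG: dict = {
    "anti_analysis": True,
    "anti_debug": False,
    "anti_vm": True,
    "c2_port": 80,
    "check_disk": False,
    "check_ram": False,
    "check_xeon": False,
    "internal_mutex": "lrDcZuOq",
    "minimum_disk": 50,
    "minimum_ram": 7000,
    "ping_interval": 6,
    "rootkit": False,
    "startup_persistence": True,
    "username": "admin888",
}

GATE_FLAGS = ("anti_analysis", "anti_debug", "anti_vm",
              "check_disk", "check_ram", "check_xeon")


@dataclass(frozen=True)
class HostProfile:
    """Constructed description of an analysis host (hypothetical fields)."""
    ram_mb: int
    disk_gb: int
    cpu_name: str          # what CentralProcessor\0\ProcessorNameString would return
    is_vm: bool            # hypervisor artefacts visible to a generic VM check
    debugger_present: bool


def enabled_gates(config: dict) -> list[str]:
    """Return the gate flags that are switched on in this config."""
    return [flag for flag in GATE_FLAGS if config.get(flag)]


def evaluate_gates(config: dict, host: HostProfile) -> list[str]:
    """Return the enabled gates this host would trip, in a fixed order.

    A threshold only matters when its flag is on: minimum_ram=7000 is inert
    for this sample because check_ram is false. anti_analysis is not modelled
    because the report does not say what it tests.
    """
    tripped = []
    if config.get("check_ram") and host.ram_mb < int(config.get("minimum_ram", 0)):
        tripped.append("ram")
    if config.get("check_disk") and host.disk_gb < int(config.get("minimum_disk", 0)):
        tripped.append("disk")
    if config.get("check_xeon") and "xeon" in host.cpu_name.lower():
        tripped.append("xeon")
    if config.get("anti_vm") and host.is_vm:
        tripped.append("vm")
    if config.get("anti_debug") and host.debugger_present:
        tripped.append("debugger")
    return tripped


if __name__ == "__main__":
    # Constructed sandbox: a small VM on a Xeon host, no debugger attached.
    sandbox = HostProfile(ram_mb=4096, disk_gb=40,
                          cpu_name="Intel(R) Xeon(R) CPU E5-2680 v4",
                          is_vm=True, debugger_present=False)
    print("enabled:", enabled_gates(DARKGATE_CONFIG))
    print("tripped:", evaluate_gates(DARKGATE_CONFIG, sandbox))
```

For this sample only anti_analysis and anti_vm are on, so a 4 GB, 40 GB, Xeon-backed sandbox is not rejected on RAM, disk or CPU name; the run is decided by the VM check alone. Flipping the check_* flags on shows how the same host would fail three more gates against a stricter build of the same family.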
Signatures

Detect DarkGate stealer (3 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2128-13-0x0000000003640000-0x0000000004610000-memory.dmp  family_darkgate_v6
  behavioral1/memory/2128-14-0x0000000004B00000-0x0000000004E4F000-memory.dmp  family_darkgate_v6
  behavioral1/memory/2128-15-0x0000000004B00000-0x0000000004E4F000-memory.dmp  family_darkgate_v6

Executes dropped EXE (1 IoC)
  pid   process
  2128  Autoit3.exe

Loads dropped DLL (1 IoC)
  pid   process
  1152  8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read to detect sandboxing environments.
  description        ioc                                                                                  process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      Autoit3.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Autoit3.exe

Suspicious use of WriteProcessMemory (4 IoCs; four identical entries)
  description                       pid   process                                                                target process
  PID 1152 wrote to memory of 2128  1152  8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4.exe  Autoit3.exe

Processes

1. C:\Users\Admin\AppData\Local\Temp\8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. \??\c:\temp\Autoit3.exe  (child of 1)
      command line: "c:\temp\Autoit3.exe" c:\temp\script.a3x
      - Executes dropped EXE
      - Checks processor information in registry

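The process tree above, as an added detection example that is not part of the report: Python that flags the AutoIt3.exe loader pattern (interpreter and compiled .a3x script both launched from a temp path, by a parent that also runs from a temp path, followed by the CentralProcessor\0\ProcessorNameString query) over constructed process-creation and registry events mirroring the ones recorded here, next to one benign run of an installed interpreter that must not fire. The ProcessEvent/RegistryEvent fields and the function names are hypothetical, not any particular EDR or Sysmon schema.

```python
"""Flag the AutoIt loader pattern recorded in this report's process tree.

Added detection example, not part of the sandbox report. The events below
are CONSTRUCTED to mirror the report; the ProcessEvent/RegistryEvent fields
are hypothetical, not any particular EDR or Sysmon schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Paths an installed AutoIt interpreter would not normally run from or load scripts from.
_TEMP_DIR = re.compile(
    r"^(?:\\\?\?\\)?[a-z]:\\(?:temp|windows\\temp|users\\[^\\]+\\appdata\\local\\temp)\\",
    re.IGNORECASE,
)
PROCESSOR_KEY = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegistryEvent:
    pid: int
    key: str
    value: str | None   # value name queried, or None for a plain key open


def _in_temp(path: str) -> bool:
    return _TEMP_DIR.match(path) is not None


def _args(cmdline: str) -> list[str]:
    """Tokenise a Windows command line, honouring double-quoted arguments."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def autoit_loader_findings(procs: list[ProcessEvent],
                           regs: list[RegistryEvent]) -> dict[int, list[str]]:
    """Return {pid: [reasons]} for AutoIt3.exe processes that look like this loader."""
    by_pid = {p.pid: p for p in procs}
    findings: dict[int, list[str]] = {}
    for p in procs:
        if p.image.rsplit("\\", 1)[-1].lower() != "autoit3.exe":
            continue
        reasons = []
        if _in_temp(p.image):
            reasons.append("AutoIt3.exe running from a temp directory")
        # First token is the image itself; any later .a3x argument is the script.
        scripts = [a for a in _args(p.cmdline)[1:] if a.lower().endswith(".a3x")]
        if any(_in_temp(s) for s in scripts):
            reasons.append("compiled .a3x script loaded from a temp directory")
        parent = by_pid.get(p.ppid)
        if parent is not None and _in_temp(parent.image):
            reasons.append("parent process also running from a temp directory")
        if any(r.pid == p.pid and r.key.lower() == PROCESSOR_KEY.lower()
               and (r.value or "").lower() == "processornamestring" for r in regs):
            reasons.append("queried CentralProcessor\\0\\ProcessorNameString (common sandbox/VM check)")
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed events mirroring the report (PIDs and paths from the Processes section),
# plus one benign developer run of an installed interpreter that must not fire.
SAMPLE_PROCS = [
    ProcessEvent(1152, 1000,
                 r"C:\Users\Admin\AppData\Local\Temp\8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\8a2edeef9978d454882bfb233d9cd77505618b854f7899b27aeb095ff8ebb3f4.exe"'),
    ProcessEvent(2128, 1152, r"\??\c:\temp\Autoit3.exe",
                 r'"c:\temp\Autoit3.exe" c:\temp\script.a3x'),
    ProcessEvent(3000, 1000, r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
                 r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" C:\Users\dev\src\build.au3'),
]
SAMPLE_REGS = [
    RegistryEvent(2128, PROCESSOR_KEY, None),
    RegistryEvent(2128, PROCESSOR_KEY, "ProcessorNameString"),
]

if __name__ == "__main__":
    for pid, reasons in autoit_loader_findings(SAMPLE_PROCS, SAMPLE_REGS).items():
        print(pid, *reasons, sep="\n  ")
```

In production the same four conditions map onto process-creation telemetry (parent image, image path, command line) and registry-query telemetry keyed by PID; each condition alone is weak, but an AutoIt3.exe that satisfies all of them with a parent in %TEMP% matches the tree recorded in this report and little else.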
Downloads

C:\temp\Autoit3.exe
  Filesize: 244KB
  MD5: e85a0afcf02e5fdb0b596257430a3d80
  SHA1: 732f480e97e26644a8d6292e8c217b67e18db739
  SHA256: 3e4238a4c01e826093404f70f877ab52ccded859481b5b9c4069001c5fed2cac
  SHA512: 7eb6211a52feaec21db18432da3c6c7db96153123b4cd1afaf319571f20f48bf390b71201b48b962020b8739a494e44b9c289f9fc16077c248e2714f79198f02

\??\c:\temp\script.a3x
  Filesize: 468KB
  MD5: b285a2a2da41e02edd0e090cf3900db0
  SHA1: caae12d166fa20fcb5aba44947b379f370d47ec4
  SHA256: dbb900ab8d921e3faccd6bb827353683e80be4e4ae530488bc90559251e85c2d
  SHA512: 1b6624c1af8b0889acbf1eb0abdfb148c04afeb025ac9a21173334f781692dcead0d3fff79e2f156c016b2700aaa4063bb92daec43e1638be9c76f443d37b60c

\??\c:\temp\test.txt
  Filesize: 76B
  MD5: f9c268806eadf724fe06c8485ab592b5
  SHA1: b462ca6d6639f0d44cb7fa02a69de2f327f9e1d6
  SHA256: 4be8f8d0446ecf4d3213ab354e15591428576531acf5af60f6f07e770944bcdd
  SHA512: c6bdd408aa3c1a77917dd0f11404cadd8e8f67aea79679ca54817932359e9cf905a5297c9aba945d7de04837fdbe531825d81aab266fd676d6eef2743ac17a33

\temp\Autoit3.exe
  Filesize: 531KB
  MD5: 90fff7729994ccb4f2bff8b46a859030
  SHA1: b2ce1c345de92481a93180e441950baf8ae32f81
  SHA256: e82d75d3ab1efca9b2c19794b917ad1a5595a9cf84c1449ab050adc81ff0023f
  SHA512: f1c94434915eb80a3f44c8d62b84b18be35ac5630aefb663e89941710621c6506b16517609a31a5b793a515f03d2cadae5dad62f310117f3d0c99dde9f8ab0d9

memory/1152-2-0x0000000002610000-0x000000000276F000-memory.dmp
  Filesize: 1.4MB

memory/1152-9-0x0000000002610000-0x000000000276F000-memory.dmp
  Filesize: 1.4MB

memory/2128-13-0x0000000003640000-0x0000000004610000-memory.dmp
  Filesize: 15.8MB

memory/2128-14-0x0000000004B00000-0x0000000004E4F000-memory.dmp
  Filesize: 3.3MB

memory/2128-15-0x0000000004B00000-0x0000000004E4F000-memory.dmp
  Filesize: 3.3MB