General

  • Target

    8b170beb34d161b7991fad512708e86d76f61966b97b06c25f2fa63ca1e85aaa.xlsx

  • Size

    60KB

  • Sample

    240312-1tstvadg38

  • MD5

    ac17fd450a0951be064e074ba95bb35a

  • SHA1

    d3fc019079761d0228f802f6d54314b093587c98

  • SHA256

    8b170beb34d161b7991fad512708e86d76f61966b97b06c25f2fa63ca1e85aaa

  • SHA512

    b8461a875edaa6e7a3e8c865f7c376d84303643d1a3c6a9bb8c165ed7c093bdbfa3208be3f70c7292ff1d4b2ebe69ac099dcfb6f1592f1ec6f217ee50932983d

  • SSDEEP

    1536:cIN5DGhJDl5eZ9l0ohOplRfzDrtw86RUtdP:cI3ChJR0vl0ohYlRfzD/6oF

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

adfhjadfbjadbfjkhad44jka.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    zpQpPwKm

  • minimum_disk

    50

  • minimum_ram

    7000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Targets

    • DarkGate

      DarkGate is an infostealer written in C++.

    • Detect DarkGate stealer

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15
