darkgate

Resubmissions

15-03-2024 02:46

240315-c9qgnagg39 10

15-03-2024 02:45

240315-c849esgg29 1

14-03-2024 17:53

240314-wgkkgsaf8s 1

14-03-2024 17:45

240314-wb7stsae5w 10

Sharing

Copy URL

Twitter E-mail

General

Target

c3fdd6f03be7f1414ab4175d512aa354-sample.zip
Size

52KB
Sample

240314-wb7stsae5w
MD5

aad545e706e4a656ce276d377a4698fb
SHA1

8cefd9ab236021f5c41c0b121ebfca8e7b53ef23
SHA256

baab40c7c1acabafaee78664e9e59f3b7a6081342862ebd2b126b2bee3aa967f
SHA512

00f6eb38614bcfb7bf7a1f6a6da84685c88263f0dc81cdd033e4248563e20f3fbbb35e1b28d778f8e06ec8b5e0f51c410c5c1882932fa3385c6d901d9f2f8df5
SSDEEP

768:l9q3MbGlNM8BM4c3+Fql59BIf6/qOlOtWRX/DGiTvcxmJNG+G+FQ5v3Hj:acbWNFBM4rFqlpJqOjxTnJdG+FQ5PD

Score

10^/10

Malware Config

Extracted

Family

darkgate

Botnet

admin888

nextroundst.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
TuqohTUI
minimum_disk
50
minimum_ram
4000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Targets

- Target
  
  march-D9445-2024.xlsx
- Size
  
  60KB
- MD5
  
  ac89528d1040074d45d5c19a0ceb7a6a
- SHA1
  
  8b47dba91232a0e1ac14cee24267e9c26d7e483c
- SHA256
  
  1d67808fee7115fa2597e8843aa10f737298c9f097397e5de486fc762753ea0b
- SHA512
  
  37da11cea5188cc7b7f6c9154410d9d663d5ed306313badbaa421025c49f90bff177613a132d2bff1b529ec214d9eb034937ab8d7830d30bd4451f1579a27feb
- SSDEEP
  
  1536:64N5DGhJDl5eZ9l0ohOplRfzDrtw86RUtdkV:643ChJR0vl0ohYlRfzD/6o2
Score

10^/10

darkgate admin888 stealer
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- Detect DarkGate stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Detect DarkGate stealer

Process spawned unexpected child process

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2