Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    ACH-8503-15March.xlsx

  • Size

    48KB

  • Sample

    240315-tw4kssda4z

  • MD5

    f26561f2e03be889c91d12fdd4c2efaf

  • SHA1

    bc37513e228202b086bfa4a956c919eaf76b7223

  • SHA256

    4ae1c188272b686bf076356fc9bf3a1964201c5848609991412be5e02a99fdc9

  • SHA512

    5cc1c38a4ff5374aca259d6fb40aeac39ac4fe588d62a92c23eaa92e6c89d94830c95fbff145dbc6108e1e55b41cb38024beba8f0eb4d48360641ea4c8be46db

  • SSDEEP

    768:ZFlppbq6i4Y/TJC4xJMxXcvFLwAPq4Sxv9PvEgzegYN1T/N:tLq94YV7JMxXyd4x+gzexTl

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

diveupdown.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    VfiPBBhr

  • minimum_disk

    50

  • minimum_ram

    4000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Targets

    • Target

      ACH-8503-15March.xlsx

    • Size

      48KB

    • MD5

      f26561f2e03be889c91d12fdd4c2efaf

    • SHA1

      bc37513e228202b086bfa4a956c919eaf76b7223

    • SHA256

      4ae1c188272b686bf076356fc9bf3a1964201c5848609991412be5e02a99fdc9

    • SHA512

      5cc1c38a4ff5374aca259d6fb40aeac39ac4fe588d62a92c23eaa92e6c89d94830c95fbff145dbc6108e1e55b41cb38024beba8f0eb4d48360641ea4c8be46db

    • SSDEEP

      768:ZFlppbq6i4Y/TJC4xJMxXcvFLwAPq4Sxv9PvEgzegYN1T/N:tLq94YV7JMxXyd4x+gzexTl

    • DarkGate

      DarkGate is an infostealer written in C++.

    • Detect DarkGate stealer

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks