Overview

overview

10

Static

static

1

ACH-5634-15March.xlsx

windows10-1703-x64

10

ACH-5634-15March.xlsx

windows10-2004-x64

10

ACH-5634-15March.xlsx

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ACH-5634-15March.xlsx

  • Size

    48KB

  • Sample

    240315-yhq5rshe9w

  • MD5

    ee31ad80a97f3f17db35d8add92e3396

  • SHA1

    16bcf433568390b8ca3d2190eac5a66d4828aab9

  • SHA256

    79ebb9f1d447cc3aa7a757366b3deec702d0659209059800b9f553adb45e6161

  • SHA512

    2df8814928f5f0983f54694db1bb2337e15990fb2d90438b99763844e763009a7ff65c0fbe9491aea5e3dda458aaf60ef909bc3b74d2798aee02dabdbc7268cb

  • SSDEEP

    768:ZFlppbq6i4Y/TJC4xJMxXcvFLwAPq4Sxv9PvEgzegYN1T/r:tLq94YV7JMxXyd4x+gzexTj

Score
10/10
darkgateadmin888stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

diveupdown.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    VfiPBBhr

  • minimum_disk

    50

  • minimum_ram

    4000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Targets

    • Target

      ACH-5634-15March.xlsx

    • Size

      48KB

    • MD5

      ee31ad80a97f3f17db35d8add92e3396

    • SHA1

      16bcf433568390b8ca3d2190eac5a66d4828aab9

    • SHA256

      79ebb9f1d447cc3aa7a757366b3deec702d0659209059800b9f553adb45e6161

    • SHA512

      2df8814928f5f0983f54694db1bb2337e15990fb2d90438b99763844e763009a7ff65c0fbe9491aea5e3dda458aaf60ef909bc3b74d2798aee02dabdbc7268cb

    • SSDEEP

      768:ZFlppbq6i4Y/TJC4xJMxXcvFLwAPq4Sxv9PvEgzegYN1T/r:tLq94YV7JMxXyd4x+gzexTj

    Score
    10/10
    darkgateadmin888stealer

    • DarkGate

      DarkGate is an infostealer written in C++.

      stealerdarkgate

    • Detect DarkGate stealer

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral1behavioral2behavioral3

MITRE ATT&CK Enterprise v15

Tasks