Overview

overview

10

Static

static

1

fc6ab939f5...12.msi

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fc6ab939f5f2d6f12cb1edbe2babd5b180d8d036fc0b37a77f784d1c52162112

  • Size

    4.3MB

  • Sample

    240319-t5wasagf52

  • MD5

    b88352bde539f79207be209759505f02

  • SHA1

    8ede7ee0a43c4282b41687408ddc38a243ac4bfd

  • SHA256

    fc6ab939f5f2d6f12cb1edbe2babd5b180d8d036fc0b37a77f784d1c52162112

  • SHA512

    104d4330c05e41d2039a0b61438565c88138ec9b2c55632ab0ec8eaf70840b095e1dd5bb5d55b65373099df80896632499ff5b3c85240d7a389824cb72268921

  • SSDEEP

    49152:zpUPB9qhCxzT+WKjSX15zLVI4vLeY9xV4qtGvmKBteU5oBgffUBS88qAU8:zpECQ1FLeYLVTV4WMVf

Score
10/10
darkgateadmin888discoverypersistencestealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

stachmentsuprimeresult.com

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    443

  • check_disk

    false

  • check_ram

    true

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    veVumtze

  • minimum_disk

    30

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Extracted

Family

darkgate

Version

6.1.7

Botnet

admin888

C2

stachmentsuprimeresult.com

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    443

  • check_disk

    false

  • check_ram

    true

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    veVumtze

  • minimum_disk

    30

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Targets

    • Target

      fc6ab939f5f2d6f12cb1edbe2babd5b180d8d036fc0b37a77f784d1c52162112

    • Size

      4.3MB

    • MD5

      b88352bde539f79207be209759505f02

    • SHA1

      8ede7ee0a43c4282b41687408ddc38a243ac4bfd

    • SHA256

      fc6ab939f5f2d6f12cb1edbe2babd5b180d8d036fc0b37a77f784d1c52162112

    • SHA512

      104d4330c05e41d2039a0b61438565c88138ec9b2c55632ab0ec8eaf70840b095e1dd5bb5d55b65373099df80896632499ff5b3c85240d7a389824cb72268921

    • SSDEEP

      49152:zpUPB9qhCxzT+WKjSX15zLVI4vLeY9xV4qtGvmKBteU5oBgffUBS88qAU8:zpECQ1FLeYLVTV4WMVf

    Score
    10/10
    darkgateadmin888discoverypersistencestealer

    • DarkGate

      DarkGate is an infostealer written in C++.

      stealerdarkgate

    • Detect DarkGate stealer

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Modifies file permissions

      discovery

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks