Overview

overview

10

Static

static

1

new_13.txt

windows10-1703-x64

10

Analysis

  • max time kernel
    192s
  • max time network
    265s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    25-03-2024 17:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    new_13.txt

  • Size

    599B

  • MD5

    33186abd8e55b840e1f42e67f98bfb61

  • SHA1

    94c7819749e116bcf96303783e08d73ee6160a19

  • SHA256

    c96eb2b8f524b2be4e1801445e7f5e542d34cd7033482560712b12d76ea69da9

  • SHA512

    5e375d29e01d84b96c2335dc90b198a9a6902d580e4b8a353ae42d5068454d161f5f85eda787e9efe8b793811660403accf8899b19681bb1683c959c3afd0ec0

Score
10/10
darkgateadmin888stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

goingupdate.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    kQwvJqoB

  • minimum_disk

    50

  • minimum_ram

    4000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 2 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 57 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\new_13.txt
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Opens file in notepad (likely ransom note)
    • Suspicious use of SetWindowsHookEx
    PID:3756
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Desktop\abc.ps1'"
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\klhd\AutoHotkey.exe
      "C:\klhd\AutoHotkey.exe" C:/klhd/script.ahk
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      PID:2868
    • C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h C:/klhd/
      2⤵
      • Views/modifies file attributes
      PID:3068

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2hfxtmwl.4hs.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • C:\Users\Admin\Desktop\abc.ps1
    Filesize

    599B

    MD5

    33186abd8e55b840e1f42e67f98bfb61

    SHA1

    94c7819749e116bcf96303783e08d73ee6160a19

    SHA256

    c96eb2b8f524b2be4e1801445e7f5e542d34cd7033482560712b12d76ea69da9

    SHA512

    5e375d29e01d84b96c2335dc90b198a9a6902d580e4b8a353ae42d5068454d161f5f85eda787e9efe8b793811660403accf8899b19681bb1683c959c3afd0ec0

    Download Submit

  • C:\klhd\AutoHotkey.exe
    Filesize

    892KB

    MD5

    a59a2d3e5dda7aca6ec879263aa42fd3

    SHA1

    312d496ec90eb30d5319307d47bfef602b6b8c6c

    SHA256

    897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

    SHA512

    852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

    Download Submit

  • C:\klhd\script.ahk
    Filesize

    52KB

    MD5

    c7bdf27e38f75176a9ebe95619baec8b

    SHA1

    4e34dcbbc26131074d1ef7781ceb30c372e7dfba

    SHA256

    08582b9739946102389b18af358c9390bbf14266ae92919f0dae1988dca9f2cd

    SHA512

    4bca6524be6f5b4a8e4d2bab211c5600acc8f5c1dce20a11a13ba7bfb41737c109674f417f862efe33f9136d31360296951c32ae4f024bacf1df0f62ad7e5040

    Download Submit

  • C:\klhd\test.txt
    Filesize

    914KB

    MD5

    073321722c6c5f6c36f1ab464fbf004a

    SHA1

    633b351bdd3bd0d45861dae846fdd02c5808addf

    SHA256

    4544f3d199298653cf630c1bc15a564f2492bb51a77d5a156ca8625142f4e483

    SHA512

    751a33a24d22adcc10ede5c8bd546143214096dd10f8af8a8f3949983339459566044273f44668ea05dccb09718d023447ca5059f7d2d47a5c3cd1f5bb9d8555

    Download Submit

  • memory/2868-73-0x0000000003160000-0x00000000031D3000-memory.dmp

    Filesize

    460KB

    Download

  • memory/2868-71-0x0000000003160000-0x00000000031D3000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3980-13-0x00000268F44B0000-0x00000268F4526000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3980-41-0x00007FFF2D6C0000-0x00007FFF2E0AC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3980-42-0x00000268F3FD0000-0x00000268F3FE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3980-43-0x00000268F3FD0000-0x00000268F3FE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3980-45-0x00000268F3FD0000-0x00000268F3FE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3980-37-0x00000268F3FD0000-0x00000268F3FE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3980-8-0x00007FFF2D6C0000-0x00007FFF2E0AC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3980-10-0x00000268F3FD0000-0x00000268F3FE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3980-70-0x00007FFF2D6C0000-0x00007FFF2E0AC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3980-9-0x00000268F3FD0000-0x00000268F3FE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3980-7-0x00000268F41A0000-0x00000268F41C2000-memory.dmp

    Filesize

    136KB

    Download