darkgate | 0548b90912c147102750c6b6e84504fa8f37f7143c288131a6e00793646024bc

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

#DarkGate/AutoHotkey.exe
Size

892KB
MD5

a59a2d3e5dda7aca6ec879263aa42fd3
SHA1

312d496ec90eb30d5319307d47bfef602b6b8c6c
SHA256

897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb
SHA512

852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030
SSDEEP

24576:bGzl9+a4Ne1nEFI56xU+0IdY2Zv952uetfbFEzP4UFhOt:b+tOWnEFZR0El0JEzQAh

Score

10^/10

darkgate admin888 stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

badbutperfect.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
WZqqpfdY
minimum_disk
50
minimum_ram
4000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral1/memory/2376-1-0x0000000000B50000-0x0000000000BC3000-memory.dmp	family_darkgate_v6
behavioral1/memory/2376-2-0x0000000000B50000-0x0000000000BC3000-memory.dmp	family_darkgate_v6

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe

C:\Users\Admin\AppData\Local\Temp\#DarkGate\AutoHotkey.exe
"C:\Users\Admin\AppData\Local\Temp\#DarkGate\AutoHotkey.exe"
1⤵
PID:2008

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\#DarkGate\AutoHotkey.exe
"C:\Users\Admin\AppData\Local\Temp\#DarkGate\AutoHotkey.exe" C:\Users\Admin\AppData\Local\Temp\#DarkGate\script.ahk
1⤵
- Checks processor information in registry
PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2376-1-0x0000000000B50000-0x0000000000BC3000-memory.dmp

Filesize
460KB

Download
memory/2376-2-0x0000000000B50000-0x0000000000BC3000-memory.dmp

Filesize
460KB

Download