darkgate | 1c22852eab3c6aa02f521dac087273f49143b802e2630eed1092488a59be8616

Analysis

max time kernel
48s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dark_drop.exe
Size

1.4MB
MD5

3f8f1fed248e0ad07041f2fa90035d23
SHA1

ed4a5bc659d5195f8be5940e1bc017615cfc4281
SHA256

1c22852eab3c6aa02f521dac087273f49143b802e2630eed1092488a59be8616
SHA512

d64e4d9c26b2dbba321e72daaaa4df85017f4a17aec29365251c37ba12a3cbdf962aeabc7de136f4b68a6afb06d99f7bdb9ad3d644950eeecc4477cd259d7c36
SSDEEP

24576:xjT3E53Myyzl0hMf1tr7Caw8M0tIjsS1jDmLoeO69p:xX3EZpBh211Waw306QS1nmp

Score

10^/10

darkgate kaitoshiba123 stealer

Malware Config

Extracted

Family

darkgate

Botnet

kaitoshiba123

45.63.52.184

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
8094
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
xNahGBDI
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
kaitoshiba123

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral1/memory/960-11-0x00000000062E0000-0x000000000666A000-memory.dmp	family_darkgate_v6
behavioral1/memory/960-12-0x00000000062E0000-0x000000000666A000-memory.dmp	family_darkgate_v6

Executes dropped EXE 1 IoCs

pid	Process
960	Autoit3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 960	2036	dark_drop.exe	95
PID 2036 wrote to memory of 960	2036	dark_drop.exe	95
PID 2036 wrote to memory of 960	2036	dark_drop.exe	95

C:\Users\Admin\AppData\Local\Temp\dark_drop.exe
"C:\Users\Admin\AppData\Local\Temp\dark_drop.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- \??\c:\st\Autoit3.exe
  "c:\st\Autoit3.exe" c:\st\script.a3x
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\st\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\st\script.a3x

Filesize
498KB

MD5
02228d72ef11e2c0e58b38c7d8794bd7

SHA1
753bc50bebdce1e1c20b4efd77293f62da64ce81

SHA256
f16e3dd058e8c28bb0c213918b929b91b4c137792b0ad84af7dbc70f8a70b93c

SHA512
8c2ae997683a7aeee859cdf1ec5cbac3ec60881fd6ef73c0f73ef956ef3475434eb86d34079f0ae08341acfbae40bb60c4ac60ad6b47737e71117b89e0c15c45

Download Submit
\??\c:\st\test.txt

Filesize
76B

MD5
c6923af1210afd6b3bddc1efbe63a45f

SHA1
5da306e4a86bd5290cc0b2bee646822b274d664e

SHA256
0354c76f7f436d9be7b5963c6918168c96e71166d3392b0f472d2ccef2396560

SHA512
e4f53f7e74922066b61216dc380577915e3dc7ee3fcd013ab211511266d9d35ba57e3bae96b3d504333abb050535913f1ea4f455157cf6d1b79ef256bbacbc86

Download Submit
memory/960-10-0x0000000004DD0000-0x0000000005DA0000-memory.dmp

Filesize
15.8MB

Download
memory/960-11-0x00000000062E0000-0x000000000666A000-memory.dmp

Filesize
3.5MB

Download
memory/960-12-0x00000000062E0000-0x000000000666A000-memory.dmp

Filesize
3.5MB

Download
memory/2036-5-0x0000000000400000-0x0000000000567000-memory.dmp

Filesize
1.4MB

Download