darkgate | b75ece80459484ede3714a162a30b45c83a68e997b8d3113e46b67a217171b45

Resubmissions

01-04-2024 11:43

240401-nvy12add4x 10

Analysis

max time kernel
36s
max time network
19s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-04-2024 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dark_drop.exe
Size

1.4MB
MD5

eae4a347090c3b74427b670225994cb1
SHA1

b750acfa76ed943d0b3cb77870fb6776a90d62d6
SHA256

b75ece80459484ede3714a162a30b45c83a68e997b8d3113e46b67a217171b45
SHA512

01bdb27df08aebaf14f98517a2c32c1e1ce898e2a9e0a88c1a8e26d0fa1be49ddc59fce9794abbb9ba72d65a1d925c0f6e765e1f7fba10274974514ed0c700c9
SSDEEP

24576:yjT3E53Myyzl0hMf1tr7Caw8M0bFkOoQGNuyvfFBc4Sub:yX3EZpBh211Waw30GOoQGNuyvNB8u

Score

10^/10

darkgate kaitoshiba123 stealer

Malware Config

Extracted

Family

darkgate

Botnet

kaitoshiba123

45.63.52.184

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
fnviivee
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
kaitoshiba123

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral1/memory/1868-12-0x0000000003680000-0x0000000004650000-memory.dmp	family_darkgate_v6
behavioral1/memory/1868-13-0x0000000004B20000-0x0000000004EB2000-memory.dmp	family_darkgate_v6

Executes dropped EXE 1 IoCs

pid	Process
1868	Autoit3.exe

Loads dropped DLL 1 IoCs

pid	Process
1784	dark_drop.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 1868	1784	dark_drop.exe	28
PID 1784 wrote to memory of 1868	1784	dark_drop.exe	28
PID 1784 wrote to memory of 1868	1784	dark_drop.exe	28
PID 1784 wrote to memory of 1868	1784	dark_drop.exe	28

C:\Users\Admin\AppData\Local\Temp\dark_drop.exe
"C:\Users\Admin\AppData\Local\Temp\dark_drop.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784
- \??\c:\st\Autoit3.exe
  "c:\st\Autoit3.exe" c:\st\script.a3x
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\st\script.a3x

Filesize
505KB

MD5
2eb0028dfa9ef9a4a9d095225fbdec8b

SHA1
153c51cd123b747d7552112bb3bd1e607e07cde1

SHA256
c3bbe2dd0016fdf64dd86fb49d6e95e99489381f188425c2f7e9b7d4b7d5e86c

SHA512
f55cd9b8c190de8a628623883aeba408ce7ff598d7203f7b60a392dc31be4a51a62896293e975f52cdc60e497539eb47dcd069268b3cd6c05b40fea3423afb22

Download Submit
\??\c:\st\test.txt

Filesize
76B

MD5
b0e0f5e33fa8e73f4951b0f00eaf6fce

SHA1
16442a21dc55bb2021c9bca6bed1398b95835c1a

SHA256
9f2c071c875e7275c95405e06e48a5b03d8acaa04d268541ead3af0dcea7bd9d

SHA512
f1e5a6ce6987e7633dd1fe1c80d245b8f188f9d2f5d1749e55389444ddde9e3ec9d7c20b1e8faa54f31246a4af643f1ccb474f787c104296181f2beb81e5c467

Download Submit
\st\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/1784-7-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1868-12-0x0000000003680000-0x0000000004650000-memory.dmp

Filesize
15.8MB

Download
memory/1868-13-0x0000000004B20000-0x0000000004EB2000-memory.dmp

Filesize
3.6MB

Download