General

  • Target

    58e2f786321d58631386654265c8fc5298e1e396c219a424de57a3623b4bd994.zip

  • Size

    1.9MB

  • Sample

    240402-l619esef86

  • MD5

    8f16f753c5d05d0eee0744cce45f0fe8

  • SHA1

    2d642259dfb6f0af287df5da441bf1bc02ea3bca

  • SHA256

    e1fa81a3141dd19930f5ad8e27b342c2b97bc5204e726b3bc966b3fa309ae020

  • SHA512

    eaf61e1e3ace6ff51f3bed5114248edd6cc0c688694c02a9d313ef497c83f58e85df1971f702cc928c4bfd52119edf9eae95ca4702f4ead015f4cb947f6a9ee2

  • SSDEEP

    49152:R20ATLl9G2Tiwd73slIA4svQveEw2z7DH2d6sI6PUIW04G:I0ATJ9G2Tdt3mIAdQveR2z/PsI9Sh

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

jenb128hiuedfhajduihfa.com

Attributes

  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    true

  • check_ram

    true

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    RZymDRsm

  • minimum_disk

    100

  • minimum_ram

    7000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Extracted

Family

darkgate

Version

6.1.7

Botnet

admin888

C2

jenb128hiuedfhajduihfa.com

Attributes

  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    true

  • check_ram

    true

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    RZymDRsm

  • minimum_disk

    100

  • minimum_ram

    7000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Targets

    • Target

      58e2f786321d58631386654265c8fc5298e1e396c219a424de57a3623b4bd994.msi

    • Size

      4.3MB

    • MD5

      4f238c2093606fc296f1f819c2f0fc67

    • SHA1

      f8535858fcee6b96e0f49e6156fa110fc0698880

    • SHA256

      58e2f786321d58631386654265c8fc5298e1e396c219a424de57a3623b4bd994

    • SHA512

      c2422db8871d6303b5903c4b11cca3debd62cb25a406655db5a0ba407f33c9fef739371d297e5ccad45efc99e040e6ae29079b4b9325f52d54c5e780f8c346f7

    • SSDEEP

      49152:jpUPN9qhCxzT+WKjSXcmNt6+XzP4BYIeBfCXqyfdo1DDDDDDDDDDPuDgO9hTnxA5:jpqCQbm+jg12f3yaiga6yU

    • DarkGate

      DarkGate is an infostealer written in C++.

    • Detect DarkGate stealer

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Modifies file permissions

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks