General
-
Target
1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7.zip
-
Size
9.0MB
-
Sample
240402-lvp21sdf66
-
MD5
1436043a0d506257e4593c45d27ba6e7
-
SHA1
548920b478029c5fb5ec32b0f6d61e788e4875a7
-
SHA256
c665dd9dfada367106c49516679a626f6f8a0e6cd020a88381f6f3d77f6c4ea6
-
SHA512
c5b6851879198c417efa564d0ace2f76caf51e6028730668a63935ae0758252b4f44327158b246cf2309caa8dabed8ae69bf939c14ec0f5a8b2cd0b6653c7e2a
-
SSDEEP
196608:SzKuzIVD/mzmXtSFwDo2Uvf2JuEQBR+XGcbCZ14D:GkMKkSX2wD
Malware Config
Extracted
darkgate
5.2.4
civilian1337
http://185.130.227.202
-
alternative_c2_port
8080
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
2351
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_raw_stub
true
-
crypto_key
VPsTDMdPtonzYs
-
internal_mutex
txtMut
-
minimum_disk
100
-
minimum_ram
4096
-
ping_interval
4
-
rootkit
true
-
startup_persistence
true
-
username
civilian1337
Targets
-
-
Target
1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7.msi
-
Size
9.2MB
-
MD5
69f900118f985990f488121cd1cf5e2b
-
SHA1
33f6b7aac2afaba74eeac1a44ba9ec5d0a53d00c
-
SHA256
1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7
-
SHA512
09ae36c29bfbb09ed1fdc3da5ed365fa61cf2905e177909b6a8fcef8e0a25742d1acffdb13378b91c3fa607ecece4de39b380894b6df9152f06350972bbfaa42
-
SSDEEP
196608:zhbWzPMCeNrs0rczeuNr/QnMOsaB9QVuHSzdUupBqbHSDjs6cv1HDQfgaP:FbWzPM5HCZNrgMVw6wyZUupkjSPcv1jO
Score10/10-
DarkGate
DarkGate is an infostealer written in C++.
-
Detect DarkGate stealer
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Blocklisted process makes network request
-
Drops startup file
-
Modifies file permissions
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext
-