Analysis
-
max time kernel
150s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 09:51
General
-
Target
1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7.msi
-
Size
9.2MB
-
MD5
69f900118f985990f488121cd1cf5e2b
-
SHA1
33f6b7aac2afaba74eeac1a44ba9ec5d0a53d00c
-
SHA256
1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7
-
SHA512
09ae36c29bfbb09ed1fdc3da5ed365fa61cf2905e177909b6a8fcef8e0a25742d1acffdb13378b91c3fa607ecece4de39b380894b6df9152f06350972bbfaa42
-
SSDEEP
196608:zhbWzPMCeNrs0rczeuNr/QnMOsaB9QVuHSzdUupBqbHSDjs6cv1HDQfgaP:FbWzPM5HCZNrgMVw6wyZUupkjSPcv1jO
Malware Config
Extracted
darkgate
5.2.4
civilian1337
http://185.130.227.202
-
alternative_c2_port
8080
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
2351
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_raw_stub
true
-
crypto_key
VPsTDMdPtonzYs
-
internal_mutex
txtMut
-
minimum_disk
100
-
minimum_ram
4096
-
ping_interval
4
-
rootkit
true
-
startup_persistence
true
-
username
civilian1337
Signatures
-
DarkGate
DarkGate is an infostealer written in C++.
-
Detect DarkGate stealer 56 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 64 IoCs
-
Blocklisted process makes network request 31 IoCs
-
Drops startup file 1 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 11 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 93005798CC16D5C490330D850DE6B7522⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-120bc1a5-d3ad-4ac7-9e13-3e2f34c2fbe7\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Local\Temp\MW-120bc1a5-d3ad-4ac7-9e13-3e2f34c2fbe7\files\windbg.exe"C:\Users\Admin\AppData\Local\Temp\MW-120bc1a5-d3ad-4ac7-9e13-3e2f34c2fbe7\files\windbg.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
\??\c:\tmpa\Autoit3.exec:\tmpa\Autoit3.exe c:\tmpa\script.au34⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\cmd.exe"c:\windows\system32\cmd.exe" /c ping 127.0.0.1 & del /q /f c:\tmpa\* & rmdir /s /q c:\tmpa\ exit5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.15⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Drops startup file
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-120bc1a5-d3ad-4ac7-9e13-3e2f34c2fbe7\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
170B
MD506946e590a0cbb963e1d14c7a212c5db
SHA19ff682e805331e99198a2e0b38278f6543474471
SHA256950cb5bb19ac35f3f1714d676ffa293b18f593fbd9e09a0a37f6dd8fe9345ef1
SHA512ade7702d6fa03c0a37ca4ac1e4da519ff9848e833949b58c562149c4727f18224aa42fd0a5f235d4c5a5a3ba164e0f12b5239daec6b234bb4d52fc17e3316829
-
Filesize
8.9MB
MD53a4de3260c72e38f814cc2a7b2d42df7
SHA119458fb6838dd9d8be113b0b9983c7d77c12eb25
SHA256411776c8e92afa462d734d14b7c569341442e5d7726009e80eaa497b5e09deb7
SHA5123493664ecdb50d0c0d4f2646aabdd24a20fb435f4799af96f95f625aa983842c1baf7977956964d77d5b344c9e2551d60f007230838bc7a82bc40a2c9714cc0e
-
Filesize
1.1MB
MD5fd49f38e666f94abdbd9cc0bb842c29b
SHA136a00401a015d0719787d5a65c86784760ee93ff
SHA2561f5620bf07b2c25dd18fea78288c48fb2f7b5f0a5cfc1ee6c8d8dbf6029c442f
SHA5122fc40f776e84574f915e418c4b946097234faceb9902239015d2b80e683fe61d623035644055dddb6f7b92160b3c8663795f8a27bf16c5b137c7053cc9f4f612
-
Filesize
1.0MB
MD5f68d2ca13e1268dd79e95591b976ec45
SHA1588454301e3c25065349740573282145aa0a5c7b
SHA256af008f94fe42c29b1c7da7abe02e5edaaf9b89b1c8383e646ccfc8e0e7a66460
SHA512a34b648c8453df91b88d7143237e5decf84a979bfe19a98ae5cff2d37081683236502ad2f62b585409cefae98da89e92acfc8665af40d3f7c9ece4c90e32ebae
-
Filesize
1.1MB
MD57dbe5e4b98d7601585cfb9697f265e0f
SHA1da8477a2494b1436664c535d7c854bf778942a76
SHA256c3c4c040c61bbf8432d4450e34b7101110de26e5e4671736d64535b06189a288
SHA51238e8d0e103096fee998aae33179ad15eee50acc57236bb75bf115f99bd7fa1e1d5fe386ab9a3adcced910f5114c36459c06b55b2218e8020832066eea3755d9e
-
Filesize
1.0MB
MD585da5b7fd4b6983fffe78853c5276c03
SHA149a68d92beabfdfce7b2939f35a7b3e4bdc2bc96
SHA256ff2a43f449bf81510c74eee9cd867bef4226c9c909b698e636ca8c56135d57ba
SHA512c1d19bde8f9d434e29322edb8ac8892a475385bf97b5afd2f655175f1da6ce3ebc9df196585f3ea6a2a1755a1ec0fba2b60f203408ceebbea7801f4d1ab92f5b
-
Filesize
1.0MB
MD5602b44b5e0a94c61c7ae501966eb4fd5
SHA1853f5c83bedd4523cb72ca127cc6c269ac99e2d9
SHA2562e3feac0a21a7fa351458ef1fed86f6f7a282c15fbc7f21cac29f874db9da4f3
SHA512e7fe6c8965a35faecb3ab7bf6a3f8ed7a58aba891c5d5a2addec6aeda4a6790cef78a7874a386d89327d6bcb1e90ad376444d37d44fd0c604d6905dbd7ac6c97
-
Filesize
1.1MB
MD59a40cf65a81a8f618a4f562e2494a557
SHA13b06e119cc017bbe99c06906779f40f2d04b08ad
SHA256087b59e3bfe212a96303f20122e9b9636753956fedaf2e1c8336e2e08c39f4e6
SHA512745722fdeeb9d5f9011825d4826fb3c7c0fdeb0751a156a396b537c458854c376aac60a4709036ebf78e6d2d27cfeb302ef52ecfb1bfa3a6c238240d98839920
-
Filesize
1.1MB
MD5452b0afd9436be767a0ee61e98ef0356
SHA1736f12f84f8af0bd04f5b207f31cba8dd359ae03
SHA2560348e5297e8040b2cc3e83e2c6edf6ccbfa122af0b3880ebd079c0dda3286c9a
SHA5122fc4deaadd35f691aca0af4fb2e36201a2f68e7f7dcda9fe4da01d0b72c4cb8e448ca69d90d1cb230abfc2dc795ff785c1a1b2e95b5ab8fc0833d86013660338
-
Filesize
92KB
MD58b305b67e45165844d2f8547a085d782
SHA192b8ed7652e61fdf3acb4ce74f48bcc9ed14b722
SHA256776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b
SHA5122bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6
-
Filesize
1.8MB
MD57673659bf664bd45a6f3c38b7d1c25d3
SHA1a9b40ab4590b77887417ec33ecd061c98490176a
SHA25641339e85c54f960b04039fd47df735c5ce78d99ede511364c8c8c2ad81f38c7d
SHA51214ca50e20b3830765e8f116fc48ea49faabf3e7ede9f8768d5d0e70803d466ef506fe953f53057eb7e2f78009029d87b780c78127e1026b161bb095bf8c4ab24
-
Filesize
159KB
MD5008b295295c49c6d07161baff5f7212b
SHA1f89d13817531957967be21327c8180a35960d04d
SHA2569f42965324b20db9ad4b9ab00217eade01e6978d9e68d03669adbe9a9fe66134
SHA5126d8aae2cca7f283c0b850236763a0cb51947053b50758e4be7515ce76fc4e47876e6478e08934922e57ba9646e2fe35be23369617b7904038eee452ba363495e
-
Filesize
542KB
MD5a1defa998f5984c7819cffd68664e00a
SHA19b0b17a2d660a2a51c8188186f394f8fe1650552
SHA256abbb1d098f8ee24b0881278bee4228a59bb021242aba16af593c944c489e829f
SHA512792ef593f78ffc453500f413640dee030bcf2bdd383697b01dc343f5e02e2b0f31b75ad68860fd7cfcae355e450e0d532ba99d1a912de7b47ced76fbc68fea24
-
Filesize
474KB
MD504ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA158dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA5125b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80
-
Filesize
1KB
MD5fc9737cb68d2849ca0899483d3085114
SHA19b45abc1e0f0d94b30690b9a07692bde2a12701a
SHA25678f5e7daacb428ad9b9824df030562b8914e3aa3673d9a94bd2c3c4de1074915
SHA51269443f10b0240cfedb88092c84ee87ba32030b3927ebc333986d7bb5fc8bab88e9fad0308bf378bf82d1556c912dbe1b69368d152a930d58df451fe59d209473
-
Filesize
1KB
MD5e1fe1d60405fd25f95dc6c6121182c57
SHA184c142ce458ee16c4f2f2d98e878849942531e48
SHA2561ed15de915b82044364abaec34fffee4404c981ee4c67412c14d7de846afa692
SHA5129b442792535775960d1223b6ff11baffab0b229cf6add575e330073a820cea87af16729b7cc28c108fa58939fbbcaa24ef334413dd7ab7cae079c96aa5fabf53
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
23.7MB
MD5e30a2775e5c266e0ef6ab732397b0a68
SHA15b450130ded380227053ab32b9a36bb62549f5d9
SHA2561a9d5aff1fe13d02cd2c0114111a79f1fc7ef3b4598ca99ec6bb22d80a36becb
SHA51286f26a8d4ae445f184ba0eaf808dc6cf999557ff3ad97df09cb92418660d16b650f8c22b750b5795f95ed874f4b98b0181ab61e1279dd75ed444a903f3a74921
-
Filesize
6KB
MD5dfc56b78da45084389ce21aa916ca3af
SHA12752398cb0ee14bb11a2ab0c4b38b57cd4bfe109
SHA25653cdc21c5350705aef387acc5b32df6528503390984a0014e64ab243188a9c9a
SHA51295c206b9beefb31f147b459a7bd3c10131ef297708a7d74e34157e46ded9c749916d1d2bedd0074057a0c035c0fdd951dfdf2caf2eac8533036df92b414edbcb
-
Filesize
490KB
MD5e6c14274f52c3de09b65c182807d6fe9
SHA15bd19f63092e62a0071af3bf031bea6fc8071cc8
SHA2565fde42453eb2e4f1eef7cec5667093bd52d4712bffef4e383f154286b7ee9aa9
SHA5127aa121c8d0d6f979c960882cd72a6c4766535bb277879b5040723fce3e206cc64df5c8438d5fe05e219796be4795cf25aacd13e91d8e0e24a58a17bd07f0ec4e
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
4.0MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
1024KB
-
Filesize
564KB
