Overview

overview

10

Static

static

1

QB-04_02_2...BA.vbs

windows7-x64

3

QB-04_02_2...BA.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    QB-04_02_24_inv765541BA.vbs

  • Size

    8KB

  • Sample

    240402-tgryfseg8y

  • MD5

    29552b793e8d97538afff1aaf566a625

  • SHA1

    e3931fca0386f00e1c246039c3491b686e5d8354

  • SHA256

    5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831

  • SHA512

    a847bcc585e75118920548bce0ab85cc4f9f3305052dc835a2cdf7ec127982e7d2e94519505c73c429709665b231ba259477f5efe468815ea1c237edd247f2f6

  • SSDEEP

    192:YMg119gkCtL3IqSPN3QzGNzUoNJnN/Y99957:jy19gR3IquNgzG2oNl4

Score
10/10
darkgateadmin888stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

31yc.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    xIpQnKfo

  • minimum_disk

    50

  • minimum_ram

    4000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Targets

    • Target

      QB-04_02_24_inv765541BA.vbs

    • Size

      8KB

    • MD5

      29552b793e8d97538afff1aaf566a625

    • SHA1

      e3931fca0386f00e1c246039c3491b686e5d8354

    • SHA256

      5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831

    • SHA512

      a847bcc585e75118920548bce0ab85cc4f9f3305052dc835a2cdf7ec127982e7d2e94519505c73c429709665b231ba259477f5efe468815ea1c237edd247f2f6

    • SSDEEP

      192:YMg119gkCtL3IqSPN3QzGNzUoNJnN/Y99957:jy19gR3IquNgzG2oNl4

    Score
    10/10
    darkgateadmin888stealer

    • DarkGate

      DarkGate is an infostealer written in C++.

      stealerdarkgate

    • Detect DarkGate stealer

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks