darkgate | a5e655ef647c441240212e9544ffde5583a81546775a4388e64f5952308ab58a

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

read.wsf
Size

243KB
MD5

60e923dc50030bf27a8aa27c0eeff59c
SHA1

047262b4503b784dfe7d13b4bc990ebefa9056a0
SHA256

a5e655ef647c441240212e9544ffde5583a81546775a4388e64f5952308ab58a
SHA512

542895a3a0e20e8cf3488189323bccb4fdc2d5af108811335baaae2ab384edcc92ecab63d3ee6378529371346ec2fcc7206019fa37df17ddf923507945816795
SSDEEP

6144:Haw0sOMp/Ln6tPRd4iRZ0WO5EVWK7DF2WsdZgup4BD+P:asOMpcRZV/2WQZ/M6

Score

10^/10

darkgate admin888 stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

backupssupport.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
rNDPYLnH
minimum_disk
50
minimum_ram
4000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral1/memory/2416-55-0x00000000022C0000-0x0000000002335000-memory.dmp	family_darkgate_v6
behavioral1/memory/2416-57-0x00000000022C0000-0x0000000002335000-memory.dmp	family_darkgate_v6

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	2260	WScript.exe
6	2260	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
2416	Autohotkey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autohotkey.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autohotkey.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2416	Autohotkey.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2416	2260	WScript.exe	29
PID 2260 wrote to memory of 2416	2260	WScript.exe	29
PID 2260 wrote to memory of 2416	2260	WScript.exe	29
PID 2260 wrote to memory of 2416	2260	WScript.exe	29

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\read.wsf"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2260
- C:\KViM\Autohotkey.exe
  "C:\KViM\Autohotkey.exe" "c:\KViM\script.ahk"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KViM\AutoHotkey.exe

Filesize
892KB

MD5
a59a2d3e5dda7aca6ec879263aa42fd3

SHA1
312d496ec90eb30d5319307d47bfef602b6b8c6c

SHA256
897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

SHA512
852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

Download Submit
C:\KViM\file.zip

Filesize
777KB

MD5
60817831fc3ea259d45c9a537172f080

SHA1
bc6be7d44565b13e1008a3b962abc9bc6ee44217

SHA256
75d89fd4aa29e97e8859bdf734602490da0f90a4fd5213f737857d971c82e80c

SHA512
02fc5b1202897e0d1d99ff636ab43b9d4bb6335f1fc538bd63d361b4025584f8196504f4366668dc919c1c8cb52eea3742fdf8746748dae00bef4af0c606ebdd

Download Submit
C:\KViM\test.txt

Filesize
930KB

MD5
09d0df57b9e2d00852322828d9791bec

SHA1
9c31734e88aaa19934cfd490a088d1d255103db7

SHA256
51163c6eb169dfe30ebdbdc3193c25ecb264b7bd6e2e250be9824563f383464f

SHA512
11479b5c09a3bb0b0216908895b7f6c6f6f640fc493b7463402ce796c3cd54bfca8443e8889f5a4f352d830074c08c6e75035618ee17db4f144023b853709ba6

Download Submit
\??\c:\KViM\script.ahk

Filesize
441B

MD5
334f3fd6c9fe35fa7d5e7d2780d636ee

SHA1
127f6bc9b9a42bf7036c3f39d66c87d32cddeaa2

SHA256
1c4d704dcf8a341a8a6129743b1eb84681d53c4459cdb62fe2954e41adfed961

SHA512
03389f83f96d6641e60003b6787a2f2726fc0affb6de9b9f92512fc79c49ca1c8d5448e3111f696ca1aa1c2b7268017f819e56292e8a3ed7d2d5f9224efb8e22

Download Submit
memory/2416-55-0x00000000022C0000-0x0000000002335000-memory.dmp

Filesize
468KB

Download
memory/2416-57-0x00000000022C0000-0x0000000002335000-memory.dmp

Filesize
468KB

Download