Overview

overview

10

Static

static

1

75db6f9494...14.vbs

windows7-x64

10

75db6f9494...14.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17-04-2024 01:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    75db6f949461cb03a155dd26c781a3c9e00edb917275f3b4d306b7094ed06a14.vbs

  • Size

    1KB

  • MD5

    32f61baa669991fb989439babaf493ff

  • SHA1

    4242d545077e3e643854e3148e00c8283533b9ab

  • SHA256

    75db6f949461cb03a155dd26c781a3c9e00edb917275f3b4d306b7094ed06a14

  • SHA512

    d20bf0b9a664caa9e9fe18dcb3899182b8f8bbb0275907bec6e3e888c0d2cd36a17ba24c49a3b92910ee075e6309aef5b8cf9392acf5833d66c0fbdcd3fdc2df

Score
10/10
darkgateadmin888stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

backupssupport.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    rNDPYLnH

  • minimum_disk

    50

  • minimum_ram

    4000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75db6f949461cb03a155dd26c781a3c9e00edb917275f3b4d306b7094ed06a14.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\QLlT\Autohotkey.exe
      "C:\QLlT\Autohotkey.exe" "c:\QLlT\script.ahk"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2368

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\QLlT\AutoHotkey.exe
    Filesize

    892KB

    MD5

    a59a2d3e5dda7aca6ec879263aa42fd3

    SHA1

    312d496ec90eb30d5319307d47bfef602b6b8c6c

    SHA256

    897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

    SHA512

    852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

    Download Submit

  • C:\QLlT\file.zip
    Filesize

    777KB

    MD5

    60817831fc3ea259d45c9a537172f080

    SHA1

    bc6be7d44565b13e1008a3b962abc9bc6ee44217

    SHA256

    75d89fd4aa29e97e8859bdf734602490da0f90a4fd5213f737857d971c82e80c

    SHA512

    02fc5b1202897e0d1d99ff636ab43b9d4bb6335f1fc538bd63d361b4025584f8196504f4366668dc919c1c8cb52eea3742fdf8746748dae00bef4af0c606ebdd

    Download Submit

  • C:\QLlT\test.txt
    Filesize

    930KB

    MD5

    09d0df57b9e2d00852322828d9791bec

    SHA1

    9c31734e88aaa19934cfd490a088d1d255103db7

    SHA256

    51163c6eb169dfe30ebdbdc3193c25ecb264b7bd6e2e250be9824563f383464f

    SHA512

    11479b5c09a3bb0b0216908895b7f6c6f6f640fc493b7463402ce796c3cd54bfca8443e8889f5a4f352d830074c08c6e75035618ee17db4f144023b853709ba6

    Download Submit

  • \??\c:\QLlT\script.ahk
    Filesize

    441B

    MD5

    334f3fd6c9fe35fa7d5e7d2780d636ee

    SHA1

    127f6bc9b9a42bf7036c3f39d66c87d32cddeaa2

    SHA256

    1c4d704dcf8a341a8a6129743b1eb84681d53c4459cdb62fe2954e41adfed961

    SHA512

    03389f83f96d6641e60003b6787a2f2726fc0affb6de9b9f92512fc79c49ca1c8d5448e3111f696ca1aa1c2b7268017f819e56292e8a3ed7d2d5f9224efb8e22

    Download Submit

  • memory/2368-53-0x0000000002370000-0x00000000023E5000-memory.dmp

    Filesize

    468KB

    Download

  • memory/2368-54-0x0000000002370000-0x00000000023E5000-memory.dmp

    Filesize

    468KB

    Download