Overview

overview

10

Static

static

3

AutoHotkey.exe

windows7-x64

10

AutoHotkey.exe

windows10-2004-x64

10

Resubmissions

17-04-2024 12:11

240417-pcq35sec42 10

17-04-2024 01:45

240417-b6qsksbg6z 3

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17-04-2024 12:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AutoHotkey.exe

  • Size

    892KB

  • MD5

    a59a2d3e5dda7aca6ec879263aa42fd3

  • SHA1

    312d496ec90eb30d5319307d47bfef602b6b8c6c

  • SHA256

    897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

  • SHA512

    852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

  • SSDEEP

    24576:bGzl9+a4Ne1nEFI56xU+0IdY2Zv952uetfbFEzP4UFhOt:b+tOWnEFZR0El0JEzQAh

Score
10/10
darkgateadmin888stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

backupssupport.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    rNDPYLnH

  • minimum_disk

    50

  • minimum_ram

    4000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe
    "C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe"
    1⤵
      PID:1652
    • C:\Windows\system32\verclsid.exe
      "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
      1⤵
        PID:2680
      • C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe
        "C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe" C:\Users\Admin\AppData\Local\Temp\script.ahk
        1⤵
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2508
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1600

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1600-4-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

        Download

      • memory/1600-3-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

        Download

      • memory/1600-5-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

        Download

      • memory/2508-1-0x0000000002350000-0x00000000023C5000-memory.dmp

        Filesize

        468KB

        Download

      • memory/2508-2-0x0000000002350000-0x00000000023C5000-memory.dmp

        Filesize

        468KB

        Download