Overview

overview

10

Static

static

3

AutoHotkey.exe

windows7-x64

10

AutoHotkey.exe

windows10-2004-x64

10

Resubmissions

17-04-2024 12:11

240417-pcq35sec42 10

17-04-2024 01:45

240417-b6qsksbg6z 3

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 12:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AutoHotkey.exe

  • Size

    892KB

  • MD5

    a59a2d3e5dda7aca6ec879263aa42fd3

  • SHA1

    312d496ec90eb30d5319307d47bfef602b6b8c6c

  • SHA256

    897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

  • SHA512

    852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030

  • SSDEEP

    24576:bGzl9+a4Ne1nEFI56xU+0IdY2Zv952uetfbFEzP4UFhOt:b+tOWnEFZR0El0JEzQAh

Score
10/10
darkgateadmin888stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

backupssupport.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    rNDPYLnH

  • minimum_disk

    50

  • minimum_ram

    4000

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe
    "C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe"
    1⤵
      PID:328
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3904
      • C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe
        "C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe" C:\Users\Admin\AppData\Local\Temp\script.ahk
        1⤵
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:4316
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe"
        1⤵
          PID:4016

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/4316-0-0x0000000002D90000-0x0000000002E05000-memory.dmp

          Filesize

          468KB

          Download

        • memory/4316-2-0x0000000002D90000-0x0000000002E05000-memory.dmp

          Filesize

          468KB

          Download