General

  • Target

    Tax_Document.zip

  • Size

    14.1MB

  • Sample

    240423-nea92aff76

  • MD5

    22b034a549c28a71758f69ca7fe13313

  • SHA1

    7cc000bb7719212e761e169360480fb8f353095b

  • SHA256

    0b08482e975eed268c1b993dea2117773202e1840f0fa78c16af0cf72c323e10

  • SHA512

    63b1475566b64b6b3fadf10cc7599768af6bbf9050080ebaea45614bd1283be88452863802c0a2ef51d1efb052dcaf951e8e8638c2ba81c9f26596170fa6b203

  • SSDEEP

    196608:4crHalTpVRKvjIPuYH4hVlDexN9x4sRFpxQIm80Vb/rhDGhWgPbjDe+ZZ:4iMTpb0OHkXeNx9Fpx7d0/SWgbjDX

Malware Config

Extracted

Family

darkgate

Botnet

seal001

C2

185.196.220.194

Attributes

  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    mhRnEzBH

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    false

  • username

    seal001

Targets

    • Target

      Tax_Document/Tax_Document.exe

    • Size

      8.7MB

    • MD5

      82c79145a8b9ee07616580f47a9c513b

    • SHA1

      63befbb194fb39f85ab6a1d0ad503175b537ce5b

    • SHA256

      5873ba2f7cb3d3611a827c9ee73953ac78482f06b647cd2c1ab76523fc9386e9

    • SHA512

      cc4f8b2f8cf80bf19c37212be6e4111904e393f5d881370653f3fdd4759c223bfb9a0568b5c8bfa7709c997e8d1aafdd0ac6c374346ded2977acfd03cba2274d

    • SSDEEP

      196608:/wdH1UbkCchr3plFE5GFWhKUzGZ3gRTFWh6LKL8//U:/wZ1Ubkxhr3plFjWhKUzGZ3gRTFWMKoM

    • DarkGate

      DarkGate is an infostealer written in C++.

    • Detect DarkGate stealer

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Target

      Tax_Document/ielib32.dll

    • Size

      110.0MB

    • MD5

      2a7800c9c6946b0ca7fc001718200077

    • SHA1

      8ad125f9606f52cd24a1826c758be7ad8f8efb87

    • SHA256

      d6ac1a49418337697b101c8f9deb76e7a4c865948eafe7b8b3c9beac5ec41877

    • SHA512

      609f1ae90d783c43a9956b2fd5add64787608ea7fa78605fdc5b507f745e7c9a6d086b55193858e13e9c1df53dce40e0cb9032468d6913b63b3004b2dcd0ae0a

    • SSDEEP

      393216:3rmKSPoTsWbbh7nkM/RNc4Y/kyZpJI+4:bmwsi1D2kyZo

    • DarkGate

      DarkGate is an infostealer written in C++.

    • Detect DarkGate stealer

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Target

      Tax_Document/maryw2.pdf

    • Size

      79KB

    • MD5

      8eab84ef65499ceccd8e7f80511dffeb

    • SHA1

      6bc42315f2721eee28ad132f3d5bfbe52cfe5559

    • SHA256

      04ca2080b25446c5032ac35d4be996a0d327c8c5e140540d9254c9384fc5b79c

    • SHA512

      387f90c1fc468f2f2b4e2e4b2dc9f81ee09d463f24b529e02c97c9b9f6ca5e938e84d090d1daf11ccc4d2437afd8a63eceef755fa9bcddefe84e767fd6ad3f3e

    • SSDEEP

      1536:+zmkXxwjXEc0zPiKir5c6VSQepaV6xnHNVYBeE:+tx8lc6VSlpJxGj

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks