darkgate | 0b08482e975eed268c1b993dea2117773202e1840f0fa78c16af0cf72c323e10

General

Target

Tax_Document/Tax_Document.exe
Size

8.7MB
MD5

82c79145a8b9ee07616580f47a9c513b
SHA1

63befbb194fb39f85ab6a1d0ad503175b537ce5b
SHA256

5873ba2f7cb3d3611a827c9ee73953ac78482f06b647cd2c1ab76523fc9386e9
SHA512

cc4f8b2f8cf80bf19c37212be6e4111904e393f5d881370653f3fdd4759c223bfb9a0568b5c8bfa7709c997e8d1aafdd0ac6c374346ded2977acfd03cba2274d
SSDEEP

196608:/wdH1UbkCchr3plFE5GFWhKUzGZ3gRTFWh6LKL8//U:/wZ1Ubkxhr3plFjWhKUzGZ3gRTFWMKoM

Score

10^/10

darkgate seal001 persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

seal001

C2

185.196.220.194

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
mhRnEzBH
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
false
username
seal001

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 8 IoCs

resource	yara_rule
behavioral1/memory/2784-8-0x0000000010000000-0x0000000011A7C000-memory.dmp	family_darkgate_v6
behavioral1/memory/2664-12-0x00000000000D0000-0x0000000000143000-memory.dmp	family_darkgate_v6
behavioral1/memory/2664-14-0x00000000000D0000-0x0000000000143000-memory.dmp	family_darkgate_v6
behavioral1/memory/2784-15-0x0000000010000000-0x0000000011A7C000-memory.dmp	family_darkgate_v6
behavioral1/memory/2664-18-0x00000000000D0000-0x0000000000143000-memory.dmp	family_darkgate_v6
behavioral1/memory/2664-19-0x00000000000D0000-0x0000000000143000-memory.dmp	family_darkgate_v6
behavioral1/memory/2664-21-0x00000000000D0000-0x0000000000143000-memory.dmp	family_darkgate_v6
behavioral1/memory/2664-23-0x00000000000D0000-0x0000000000143000-memory.dmp	family_darkgate_v6

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\*SentinelOne = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\SentinelOne.dll,EntryPoint"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2784	Tax_Document.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Tax_Document.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Tax_Document.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2664	Tax_Document.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2664	Tax_Document.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2784	Tax_Document.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2664	2784	Tax_Document.exe	28
PID 2784 wrote to memory of 2664	2784	Tax_Document.exe	28
PID 2784 wrote to memory of 2664	2784	Tax_Document.exe	28
PID 2784 wrote to memory of 2664	2784	Tax_Document.exe	28
PID 2784 wrote to memory of 2664	2784	Tax_Document.exe	28
PID 2784 wrote to memory of 2664	2784	Tax_Document.exe	28
PID 2784 wrote to memory of 2664	2784	Tax_Document.exe	28
PID 2784 wrote to memory of 2700	2784	Tax_Document.exe	29
PID 2784 wrote to memory of 2700	2784	Tax_Document.exe	29
PID 2784 wrote to memory of 2700	2784	Tax_Document.exe	29
PID 2784 wrote to memory of 2700	2784	Tax_Document.exe	29
PID 2700 wrote to memory of 2724	2700	cmd.exe	31
PID 2700 wrote to memory of 2724	2700	cmd.exe	31
PID 2700 wrote to memory of 2724	2700	cmd.exe	31
PID 2700 wrote to memory of 2724	2700	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\Tax_Document\Tax_Document.exe
"C:\Users\Admin\AppData\Local\Temp\Tax_Document\Tax_Document.exe"
1⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Local\Temp\Tax_Document\Tax_Document.exe
  "C:\Users\Admin\AppData\Local\Temp\Tax_Document\Tax_Document.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*SentinelOne" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\SentinelOne.dll",EntryPoint /f & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*SentinelOne" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\SentinelOne.dll",EntryPoint /f
    3⤵
    - Adds Run key to start application
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2664-10-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2664-14-0x00000000000D0000-0x0000000000143000-memory.dmp

Filesize
460KB

Download
memory/2664-23-0x00000000000D0000-0x0000000000143000-memory.dmp

Filesize
460KB

Download
memory/2664-21-0x00000000000D0000-0x0000000000143000-memory.dmp

Filesize
460KB

Download
memory/2664-9-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2664-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2664-19-0x00000000000D0000-0x0000000000143000-memory.dmp

Filesize
460KB

Download
memory/2664-18-0x00000000000D0000-0x0000000000143000-memory.dmp

Filesize
460KB

Download
memory/2664-5-0x00000000000D0000-0x0000000000143000-memory.dmp

Filesize
460KB

Download
memory/2664-12-0x00000000000D0000-0x0000000000143000-memory.dmp

Filesize
460KB

Download
memory/2784-0-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2784-15-0x0000000010000000-0x0000000011A7C000-memory.dmp

Filesize
26.5MB

Download
memory/2784-8-0x0000000010000000-0x0000000011A7C000-memory.dmp

Filesize
26.5MB

Download
memory/2784-2-0x0000000001220000-0x0000000001AF4000-memory.dmp

Filesize
8.8MB

Download
memory/2784-4-0x0000000010000000-0x0000000011A7C000-memory.dmp

Filesize
26.5MB

Download
memory/2784-1-0x0000000010000000-0x0000000011A7C000-memory.dmp

Filesize
26.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads