darkgate | 5b3382faf060e55b994fb6fb9adc023b75ead723e0213c64fabd22a65f59e88c

Analysis

max time kernel
615s
max time network
873s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23-04-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abc.exe
Size

39KB
MD5

f1b14f71252de9ac763dbfbfbfc8c2dc
SHA1

dcc2dcb26c1649887f1d5ae557a000b5fe34bb98
SHA256

796ea1d27ed5825e300c3c9505a87b2445886623235f3e41258de90ba1604cd5
SHA512

636a32fb8a88a542783aa57fe047b6bca47b2bd23b41b3902671c4e9036c6dbb97576be27fd2395a988653e6b63714277873e077519b4a06cdc5f63d3c4224e0
SSDEEP

768:YRQnUhG5bZDOTpkdD82YbQkRFokFWIILPUh:FWObZDOTpk5T6zqAh

Score

10^/10

darkgate kaitoshiba123 stealer

Malware Config

Extracted

Family

darkgate

Botnet

kaitoshiba123

45.63.52.184

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
8094
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
EhuJByqk
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
kaitoshiba123

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral1/memory/2356-12-0x00000000058F0000-0x0000000005C7A000-memory.dmp	family_darkgate_v6
behavioral1/memory/2356-13-0x00000000058F0000-0x0000000005C7A000-memory.dmp	family_darkgate_v6

Executes dropped EXE 1 IoCs

pid	Process
2356	Autoit3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 2356	3532	abc.exe	74
PID 3532 wrote to memory of 2356	3532	abc.exe	74
PID 3532 wrote to memory of 2356	3532	abc.exe	74

C:\Users\Admin\AppData\Local\Temp\abc.exe
"C:\Users\Admin\AppData\Local\Temp\abc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3532
- \??\c:\st\Autoit3.exe
  "c:\st\Autoit3.exe" c:\st\script.a3x
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\st\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\st\script.a3x

Filesize
497KB

MD5
c0c95d1fdb4869d5dcdebf71f1020f70

SHA1
53185cef67cbdfc5f691aeeba5cdf2dba27b359a

SHA256
025bd7399df23c0c8c4335b74a77eac8f0ec79ab0860279f73f78a4e6393cff1

SHA512
90dc03c63e139ed6398bc5676d3cf8b56c72d23497ea841b68cd8e4c953e7085f1754f6414bec603ced4679432ea1a7c412881e5cce45e3df1afc7590235df6f

Download Submit
\??\c:\st\test.txt

Filesize
76B

MD5
0ba726a9e4dc56556d86a1f7b2e7be74

SHA1
60e8031fc78884c5e593f645656544fade59435c

SHA256
79a979299ea480989fe7cfefe64da2f99e527418bdc6db7f109fd132e3183ac2

SHA512
cdb206f9d8fac3d1533760a79129fd562d580e9b300117663e0fb877f31dfdc7121a5c051fd2af6380a04cd5bac370f9b6bb1c55bdfd25dadda7d6ec386f2d3c

Download Submit
memory/2356-11-0x00000000043E0000-0x00000000053B0000-memory.dmp

Filesize
15.8MB

Download
memory/2356-12-0x00000000058F0000-0x0000000005C7A000-memory.dmp

Filesize
3.5MB

Download
memory/2356-13-0x00000000058F0000-0x0000000005C7A000-memory.dmp

Filesize
3.5MB

Download
memory/3532-0-0x0000000002670000-0x00000000027D7000-memory.dmp

Filesize
1.4MB

Download
memory/3532-6-0x0000000002670000-0x00000000027D7000-memory.dmp

Filesize
1.4MB

Download