Overview

overview

10

Static

static

1

rmtixfwn.ps1

windows7-x64

3

rmtixfwn.ps1

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    rmtixfwn.ps1

  • Size

    243B

  • Sample

    240507-n41k8ahd99

  • MD5

    b37f28fd9b296552224c51f74b89321d

  • SHA1

    8fbd4979d302f20cb6133140391d3fc32644c61e

  • SHA256

    173874e3043653514f5c49e0fec9473043c6cf9f6c441d23efd8555f0e9f1b90

  • SHA512

    246906359d2e8bd442c4a046856cc0f8e2d16a142bde93bcfc4c334d3e9b3af55cd3ce4c89a5c088e3e1e914bbd3d4909cbf33c9f9a90343f4bd25c783e67f9e

Score
10/10
darkgateadmin888executionstealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

updateleft.com

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    SbCjRKFB

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Targets

    • Target

      rmtixfwn.ps1

    • Size

      243B

    • MD5

      b37f28fd9b296552224c51f74b89321d

    • SHA1

      8fbd4979d302f20cb6133140391d3fc32644c61e

    • SHA256

      173874e3043653514f5c49e0fec9473043c6cf9f6c441d23efd8555f0e9f1b90

    • SHA512

      246906359d2e8bd442c4a046856cc0f8e2d16a142bde93bcfc4c334d3e9b3af55cd3ce4c89a5c088e3e1e914bbd3d4909cbf33c9f9a90343f4bd25c783e67f9e

    Score
    10/10
    executiondarkgateadmin888stealer

    • DarkGate

      DarkGate is an infostealer written in C++.

      stealerdarkgate

    • Detect DarkGate stealer

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Command and Scripting Interpreter: AutoIT

      Using AutoIT for possible automate script.

      execution
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks