darkgate | 5ebc417a27fd967aea3e1946218ab4777b5440154fd62f5107958ca18cbdd7c1

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea9b553105dd8302e968588983b3cb34babd71c445df032b3df0d0a329a1801c.exe
Size

5.8MB
MD5

9141124b2e5134ebf702b7ef23d23637
SHA1

4c404f9d2c165c8af4734d2179626503195c15f7
SHA256

ea9b553105dd8302e968588983b3cb34babd71c445df032b3df0d0a329a1801c
SHA512

cfe9e92dd4a7713143115386b4af4e5191c8f1caf4e616f7a68b4dc4018bff7ac0e42394b80fed8571ec834c10f4ba308a6a77d6b700a0920e31b9a87a0497d1
SSDEEP

49152:1MjL2Ell1rb/TQvO90d7HjmAFd4A64nsfJDrM/otoaYUcDX7OBtMy7AT5eovoYid:I1MbHXKF7AT59s8ibQE+gz

Score

10^/10

darkgate admin888 stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

wear626.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
TNduHZgm
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
false
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 5 IoCs

resource	yara_rule
behavioral1/memory/2976-8-0x00000000000C0000-0x0000000000137000-memory.dmp	family_darkgate_v6
behavioral1/memory/2976-6-0x00000000000C0000-0x0000000000137000-memory.dmp	family_darkgate_v6
behavioral1/memory/2976-10-0x00000000000C0000-0x0000000000137000-memory.dmp	family_darkgate_v6
behavioral1/memory/2976-12-0x00000000000C0000-0x0000000000137000-memory.dmp	family_darkgate_v6
behavioral1/memory/2976-15-0x00000000000C0000-0x0000000000137000-memory.dmp	family_darkgate_v6

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1960 set thread context of 2976	1960	ea9b553105dd8302e968588983b3cb34babd71c445df032b3df0d0a329a1801c.exe	28

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2976	BitLockerToGo.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2712	WMIC.exe
Token: SeSecurityPrivilege	2712	WMIC.exe
Token: SeTakeOwnershipPrivilege	2712	WMIC.exe
Token: SeLoadDriverPrivilege	2712	WMIC.exe
Token: SeSystemProfilePrivilege	2712	WMIC.exe
Token: SeSystemtimePrivilege	2712	WMIC.exe
Token: SeProfSingleProcessPrivilege	2712	WMIC.exe
Token: SeIncBasePriorityPrivilege	2712	WMIC.exe
Token: SeCreatePagefilePrivilege	2712	WMIC.exe
Token: SeBackupPrivilege	2712	WMIC.exe
Token: SeRestorePrivilege	2712	WMIC.exe
Token: SeShutdownPrivilege	2712	WMIC.exe
Token: SeDebugPrivilege	2712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2712	WMIC.exe
Token: SeRemoteShutdownPrivilege	2712	WMIC.exe
Token: SeUndockPrivilege	2712	WMIC.exe
Token: SeManageVolumePrivilege	2712	WMIC.exe
Token: 33	2712	WMIC.exe
Token: 34	2712	WMIC.exe
Token: 35	2712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2712	WMIC.exe
Token: SeSecurityPrivilege	2712	WMIC.exe
Token: SeTakeOwnershipPrivilege	2712	WMIC.exe
Token: SeLoadDriverPrivilege	2712	WMIC.exe
Token: SeSystemProfilePrivilege	2712	WMIC.exe
Token: SeSystemtimePrivilege	2712	WMIC.exe
Token: SeProfSingleProcessPrivilege	2712	WMIC.exe
Token: SeIncBasePriorityPrivilege	2712	WMIC.exe
Token: SeCreatePagefilePrivilege	2712	WMIC.exe
Token: SeBackupPrivilege	2712	WMIC.exe
Token: SeRestorePrivilege	2712	WMIC.exe
Token: SeShutdownPrivilege	2712	WMIC.exe
Token: SeDebugPrivilege	2712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2712	WMIC.exe
Token: SeRemoteShutdownPrivilege	2712	WMIC.exe
Token: SeUndockPrivilege	2712	WMIC.exe
Token: SeManageVolumePrivilege	2712	WMIC.exe
Token: 33	2712	WMIC.exe
Token: 34	2712	WMIC.exe
Token: 35	2712	WMIC.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2976	1960	ea9b553105dd8302e968588983b3cb34babd71c445df032b3df0d0a329a1801c.exe	28
PID 1960 wrote to memory of 2976	1960	ea9b553105dd8302e968588983b3cb34babd71c445df032b3df0d0a329a1801c.exe	28
PID 1960 wrote to memory of 2976	1960	ea9b553105dd8302e968588983b3cb34babd71c445df032b3df0d0a329a1801c.exe	28
PID 1960 wrote to memory of 2976	1960	ea9b553105dd8302e968588983b3cb34babd71c445df032b3df0d0a329a1801c.exe	28
PID 1960 wrote to memory of 2976	1960	ea9b553105dd8302e968588983b3cb34babd71c445df032b3df0d0a329a1801c.exe	28
PID 1960 wrote to memory of 2976	1960	ea9b553105dd8302e968588983b3cb34babd71c445df032b3df0d0a329a1801c.exe	28
PID 2976 wrote to memory of 2264	2976	BitLockerToGo.exe	29
PID 2976 wrote to memory of 2264	2976	BitLockerToGo.exe	29
PID 2976 wrote to memory of 2264	2976	BitLockerToGo.exe	29
PID 2976 wrote to memory of 2264	2976	BitLockerToGo.exe	29
PID 2264 wrote to memory of 2712	2264	cmd.exe	31
PID 2264 wrote to memory of 2712	2264	cmd.exe	31
PID 2264 wrote to memory of 2712	2264	cmd.exe	31
PID 2264 wrote to memory of 2712	2264	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\ea9b553105dd8302e968588983b3cb34babd71c445df032b3df0d0a329a1801c.exe
"C:\Users\Admin\AppData\Local\Temp\ea9b553105dd8302e968588983b3cb34babd71c445df032b3df0d0a329a1801c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2976
- - \??\c:\windows\SysWOW64\cmd.exe
    "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\defbedh\dcahffk
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\defbedh\dcahffk

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
memory/1960-4-0x000000013F450000-0x000000013FA7D000-memory.dmp

Filesize
6.2MB

Download
memory/1960-9-0x000000013F450000-0x000000013FA7D000-memory.dmp

Filesize
6.2MB

Download
memory/2976-5-0x00000000000C0000-0x0000000000137000-memory.dmp

Filesize
476KB

Download
memory/2976-8-0x00000000000C0000-0x0000000000137000-memory.dmp

Filesize
476KB

Download
memory/2976-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2976-6-0x00000000000C0000-0x0000000000137000-memory.dmp

Filesize
476KB

Download
memory/2976-10-0x00000000000C0000-0x0000000000137000-memory.dmp

Filesize
476KB

Download
memory/2976-12-0x00000000000C0000-0x0000000000137000-memory.dmp

Filesize
476KB

Download
memory/2976-15-0x00000000000C0000-0x0000000000137000-memory.dmp

Filesize
476KB

Download