darkgate | 606d23a8f451eeeb802261b8c279da0185d061d971e01139da4435f75eab56e4 | Triage

Submit
Reports

Overview

overview

Static

static

3

msimg32.dll

windows7-x64

msimg32.dll

windows10-2004-x64

Sharing

General

Target

msimg32.dll
Size

45.0MB
Sample

240523-zwzvhage27
MD5

4c0e5b5e7d6499fb1266a0b888c84bb7
SHA1

fed0f8a5c5d46475afb46e2322b982316fe7ae62
SHA256

606d23a8f451eeeb802261b8c279da0185d061d971e01139da4435f75eab56e4
SHA512

fdec219de86ccf8859960ec0d79dc8d41e55f58fdf4b08340f182e5e5d8f1c3f23b7d692920882d9b1b0a2cc68305e96677cbd2353899356aad8f8e282e6afad
SSDEEP

786432:MUP7GCGO7t0Srkx/tC0SzIdSwh/WxbpNHQD3trzRpA:MUP7GCG6iSrkx1hSzYsHQD3t/RK

Score

10^/10

darkgate tompang persistence stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

msimg32.dll

Resource

win7-20240221-en

darkgate tompang persistence stealer

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

msimg32.dll

Resource

win10v2004-20240426-en

darkgate tompang persistence stealer

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

darkgate

Botnet

tompang

C2

78.142.18.222

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
ClUqWMEv
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
false
username
tompang

Targets

- Target
  
  msimg32.dll
- Size
  
  45.0MB
- MD5
  
  4c0e5b5e7d6499fb1266a0b888c84bb7
- SHA1
  
  fed0f8a5c5d46475afb46e2322b982316fe7ae62
- SHA256
  
  606d23a8f451eeeb802261b8c279da0185d061d971e01139da4435f75eab56e4
- SHA512
  
  fdec219de86ccf8859960ec0d79dc8d41e55f58fdf4b08340f182e5e5d8f1c3f23b7d692920882d9b1b0a2cc68305e96677cbd2353899356aad8f8e282e6afad
- SSDEEP
  
  786432:MUP7GCGO7t0Srkx/tC0SzIdSwh/WxbpNHQD3trzRpA:MUP7GCG6iSrkx1hSzYsHQD3t/RK
Score

10^/10

darkgate tompang persistence stealer
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- Detect DarkGate stealer
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkgatetompangpersistencestealer

behavioral2

darkgatetompangpersistencestealer

© 2018-2024

Terms | Privacy