Overview

overview

10

Static

static

3

Tax_Docume...df.exe

windows7-x64

10

Tax_Docume...df.exe

windows10-2004-x64

10

Tax_Docume...32.dll

windows7-x64

10

Tax_Docume...32.dll

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    06e916ab0dcf4f5f0dd637bffb2db12e22d1a5a9fc511066a42a58a8fc486290

  • Size

    13.9MB

  • Sample

    240527-ghjx1sab4s

  • MD5

    2dd1a7c3a1e315e310ce0a8af9e57afb

  • SHA1

    38092153924993101933d60a33394260f20468ce

  • SHA256

    06e916ab0dcf4f5f0dd637bffb2db12e22d1a5a9fc511066a42a58a8fc486290

  • SHA512

    1960fb0e9ca539bc0937552b9dfb267a524bdfd1229667bb35c51905202d166a1506ea881a2d83aac16102066b4027744bca402fbe7b6e9cd4f285a5ec602269

  • SSDEEP

    393216:Zl5NWtRrOiUCqI/kz0MlAey2/CdvddZeg/oJFa5g9sJ0SspW7:9NWvxxR/kHl3kFVoJFUg9AB

Score
10/10
darkgateseal001persistencestealer

Malware Config

Extracted

Family

darkgate

Botnet

seal001

C2

185.196.220.194

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    QPNVenzK

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    false

  • username

    seal001

Targets

    • Target

      Tax_Document.pdf/Tax_Document.pdf.exe

    • Size

      8.7MB

    • MD5

      04b527ca1b634ee5ed0cad4ab6ddd407

    • SHA1

      5f1bcd549190d3a34e8b574fe1820583c60f9caf

    • SHA256

      b54c8e984dbfed0bb80a5fdff2637a2e56a146f85a2712c29bef509d088ceb69

    • SHA512

      04fb6e32258bbe4a809da69d87dcac9fe3867402e7bab6b0a3fa6c42a46754665cf81d975a97c98c50b97aa870f164a48fec4eedc6a69214e6ff7a18b850b720

    • SSDEEP

      196608:dIgfnrpGKt1OEb0QtF+OCd6EWhKUzGZBvRadSP+fsjp8//k:dIgFGKtcEb0QtFf0WhKUzGZBvRadWy/k

    Score
    10/10
    darkgateseal001persistencestealer

    • DarkGate

      DarkGate is an infostealer written in C++.

      stealerdarkgate

    • Detect DarkGate stealer

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    behavioral1behavioral2

    • Target

      Tax_Document.pdf/ielang32.dll

    • Size

      25.9MB

    • MD5

      647f308409cfd66101daee8c55629b85

    • SHA1

      26e2427579a09fa723f879264103d8a812483b45

    • SHA256

      676c368ea2f76f770e15d891bd2d7756c8471792d73e91f7d0b619ca8c6d6a3e

    • SHA512

      c9c43cc525271c9f377e8c0a84a30bf4fdaf15d522f49961ca5b5172333b4dbeb59213ac71c1aafdaa8ff0261142472adbaa6e9b6c46db32400a6e5ea4bf7039

    • SSDEEP

      196608:p5H3zHriM3lONIfjm0S6VFWxtswdO8Nw3MRfW8+IiAp7kz8roTsWbbh7nkMU89hv:frmKSPoTsWbbh7nkMzRNc4Y/kyZpJIP

    Score
    10/10
    darkgateseal001persistencestealer

    • DarkGate

      DarkGate is an infostealer written in C++.

      stealerdarkgate

    • Detect DarkGate stealer

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks