darkgate | 432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9

Analysis

max time kernel
79s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe
Size

860KB
MD5

0a7a7c719e206be3eac0992419d33436
SHA1

33672a2c3fee595510ef7e7120166e22b6deb0a1
SHA256

432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9
SHA512

33cac9cde43d648f94df2d17703fe2977e59b9ff5e1068b25cbce24e877f0f8e9faf18584e032a8556c873395828fa1926e93d3b95c9e09fe723771e49ff8d99
SSDEEP

12288:8GrXjM2wkXJGGXbkqPcP7r9r/+ppppppppppppppppppppppppppppp0GTbWzCqN:8Grw2dXVkqc1qL6ScnPcMUS9Jm0r

Score

10^/10

darkgate silhouettess stealer

Malware Config

Extracted

Family

darkgate

Botnet

Silhouettess

194.87.252.74

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
jADdTSrQ
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
false
username
Silhouettess

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 5 IoCs

resource	yara_rule
behavioral2/memory/4444-1-0x0000000000400000-0x0000000000477000-memory.dmp	family_darkgate_v6
behavioral2/memory/4444-0-0x0000000000400000-0x0000000000477000-memory.dmp	family_darkgate_v6
behavioral2/memory/4444-3-0x0000000000400000-0x0000000000477000-memory.dmp	family_darkgate_v6
behavioral2/memory/4444-2-0x0000000000400000-0x0000000000477000-memory.dmp	family_darkgate_v6
behavioral2/memory/4444-7-0x0000000000400000-0x0000000000477000-memory.dmp	family_darkgate_v6

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2408 set thread context of 4444	2408	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe	82

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4444	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe
4444	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4168	WMIC.exe
Token: SeSecurityPrivilege	4168	WMIC.exe
Token: SeTakeOwnershipPrivilege	4168	WMIC.exe
Token: SeLoadDriverPrivilege	4168	WMIC.exe
Token: SeSystemProfilePrivilege	4168	WMIC.exe
Token: SeSystemtimePrivilege	4168	WMIC.exe
Token: SeProfSingleProcessPrivilege	4168	WMIC.exe
Token: SeIncBasePriorityPrivilege	4168	WMIC.exe
Token: SeCreatePagefilePrivilege	4168	WMIC.exe
Token: SeBackupPrivilege	4168	WMIC.exe
Token: SeRestorePrivilege	4168	WMIC.exe
Token: SeShutdownPrivilege	4168	WMIC.exe
Token: SeDebugPrivilege	4168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4168	WMIC.exe
Token: SeRemoteShutdownPrivilege	4168	WMIC.exe
Token: SeUndockPrivilege	4168	WMIC.exe
Token: SeManageVolumePrivilege	4168	WMIC.exe
Token: 33	4168	WMIC.exe
Token: 34	4168	WMIC.exe
Token: 35	4168	WMIC.exe
Token: 36	4168	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4168	WMIC.exe
Token: SeSecurityPrivilege	4168	WMIC.exe
Token: SeTakeOwnershipPrivilege	4168	WMIC.exe
Token: SeLoadDriverPrivilege	4168	WMIC.exe
Token: SeSystemProfilePrivilege	4168	WMIC.exe
Token: SeSystemtimePrivilege	4168	WMIC.exe
Token: SeProfSingleProcessPrivilege	4168	WMIC.exe
Token: SeIncBasePriorityPrivilege	4168	WMIC.exe
Token: SeCreatePagefilePrivilege	4168	WMIC.exe
Token: SeBackupPrivilege	4168	WMIC.exe
Token: SeRestorePrivilege	4168	WMIC.exe
Token: SeShutdownPrivilege	4168	WMIC.exe
Token: SeDebugPrivilege	4168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4168	WMIC.exe
Token: SeRemoteShutdownPrivilege	4168	WMIC.exe
Token: SeUndockPrivilege	4168	WMIC.exe
Token: SeManageVolumePrivilege	4168	WMIC.exe
Token: 33	4168	WMIC.exe
Token: 34	4168	WMIC.exe
Token: 35	4168	WMIC.exe
Token: 36	4168	WMIC.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 4444	2408	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe	82
PID 2408 wrote to memory of 4444	2408	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe	82
PID 2408 wrote to memory of 4444	2408	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe	82
PID 2408 wrote to memory of 4444	2408	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe	82
PID 2408 wrote to memory of 4444	2408	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe	82
PID 2408 wrote to memory of 4444	2408	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe	82
PID 2408 wrote to memory of 4444	2408	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe	82
PID 2408 wrote to memory of 4444	2408	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe	82
PID 2408 wrote to memory of 4444	2408	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe	82
PID 2408 wrote to memory of 4444	2408	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe	82
PID 2408 wrote to memory of 4444	2408	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe	82
PID 2408 wrote to memory of 4444	2408	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe	82
PID 2408 wrote to memory of 4444	2408	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe	82
PID 4444 wrote to memory of 1176	4444	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe	83
PID 4444 wrote to memory of 1176	4444	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe	83
PID 4444 wrote to memory of 1176	4444	432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe	83
PID 1176 wrote to memory of 4168	1176	cmd.exe	85
PID 1176 wrote to memory of 4168	1176	cmd.exe	85
PID 1176 wrote to memory of 4168	1176	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe
"C:\Users\Admin\AppData\Local\Temp\432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe
  "C:\Users\Admin\AppData\Local\Temp\432c4e359a5928b10f8ef9d00228d8675e7bcb03033c8ac6183a105e407f99b9.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4444
- - \??\c:\windows\SysWOW64\cmd.exe
    "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\edhhhcg\ckchcgb
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\edhhhcg\ckchcgb

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
memory/4444-1-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4444-0-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4444-3-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4444-2-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4444-7-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download