Resubmissions

  • 12-08-2024 12:54

    240812-p49pka1hqp 10

  • 12-08-2024 11:14

    240812-nb7ttssgjb 10

  • 26-06-2024 06:16

    240626-g1gwdazbqd 10

General

  • Target

    0cdf89055417947a9ad53cf38eb0f75e.exe

  • Size

    158KB

  • Sample

    240626-g1gwdazbqd

  • MD5

    0cdf89055417947a9ad53cf38eb0f75e

  • SHA1

    a6d845cd643409201b603f3918c4c45b9afb8111

  • SHA256

    3b949e360f85236eb66eafa4eeda2ffffb0fb01562767550e75dfb4bf09f0eaf

  • SHA512

    8a2523617d4f3c68bd76c9c6f9da358d933b5e71312e25c8ce3a095c3225ba2abea0873ba0c895dea7c374346d3cda5a030557a895b990f1d7a623adb2d2aa20

  • SSDEEP

    3072:hQH5iOMxGNftsLz4oPFKUQgC6OEYkUjUMNW82QZRaop5:hQNMxGNVwtB7OEAoWRa

Malware Config

Extracted

  • Family

    stealc

  • Botnet

    3

  • C2

    http://93.123.39.132

Attributes

  • url_path

    /129edec4272dc2c8.php

Extracted

  • Family

    darkgate

  • Botnet

    2newn2newn2new

  • C2

    applylawofattraction.com

Attributes

  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    vhOtpdAB

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    2newn2newn2new

Targets

    • DarkGate

      DarkGate is an infostealer written in C++.

    • Detect DarkGate stealer

    • Stealc

      Stealc is an infostealer written in C++.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Command and Scripting Interpreter: AutoIT

      Uses AutoIT, possibly to run an automation script.
