Overview

overview

10

Static

static

1

26-June-70204bf8.vbs

windows7-x64

10

26-June-70204bf8.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    26-06-2024 20:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26-June-70204bf8.vbs

  • Size

    2.7MB

  • MD5

    5a2e37b9f2732bbf0ca46e771e930a56

  • SHA1

    e6b4a5373c88f1d98d232380d29cedb6fc3124e9

  • SHA256

    9c0e3ceb7cccfb3c91e7b7f0e34ed8870fb9818d916f39c18c8501a4752e6401

  • SHA512

    19fb487a91bf8c55fbf54b187af3bdae5c4c5d812265601231118d17570574bd07a02e1f36592def5a52b37231f2a993b2b5041b6738ab836da0de520c32269f

  • SSDEEP

    49152:nwww8w0jjjGQx2g21XYYajjjKowa4hFpnwpwjRwSwDuBjjjRwfwBiNm:k

Score
10/10
darkgatetrafikk897612561executionstealer

Malware Config

Extracted

Family

darkgate

Botnet

trafikk897612561

C2

91.222.173.170

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    GDrdcpJy

  • minimum_disk

    100

  • minimum_ram

    4095

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    trafikk897612561

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 2 IoCs
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Using AutoIT for possible automate script.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26-June-70204bf8.vbs"
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2236
  • C:\Windows\system32\wbem\wmic.exe
    wmic process call create "cmd /c C:\Default\Autoit3.exe C:\Default\script.a3x"
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2824
  • C:\Windows\system32\cmd.exe
    cmd /c C:\Default\Autoit3.exe C:\Default\script.a3x
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Default\Autoit3.exe
      C:\Default\Autoit3.exe C:\Default\script.a3x
      2⤵
      • Executes dropped EXE
      • Command and Scripting Interpreter: AutoIT
      • Checks processor information in registry
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2500
      • \??\c:\windows\SysWOW64\cmd.exe
        "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\gbheaah\headccd
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2416
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic ComputerSystem get domain
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2076

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Default\Autoit3.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • C:\Default\index.zip
    Filesize

    767KB

    MD5

    0b4da0c7a95252fae5a927a841c91901

    SHA1

    84095a4dbeef6a67c9b8bcf8796415058fd6d780

    SHA256

    269fe293247b93422e8882f6a49d39064054b10dbb00ab4d10ec347d8d05f861

    SHA512

    f603a4053d614af58c9adbea161806e4d3db223a21c8e4f83b6ba144441cdde05dc89f8167c26e277262914830fffadf6c89247a6ff9f8357ab964b68b5a24fe

    Download Submit

  • C:\Default\script.a3x
    Filesize

    546KB

    MD5

    3c381689551d564df57b6f081a8b5742

    SHA1

    e0f2a50dc6ff45949aec6b61c589cfad5728a355

    SHA256

    83f1fab236357817270f995a6e3e32f90661dad6d625ad1e1f16b06c248da1d1

    SHA512

    30fe922119222aecbbb72ecd7ef7e5dc09031832ad00bb6bfabb8d6150d273495b626f9efd1562d0f866f6ba957b243a0a8b10c7d7ca2698ab5d45d434ea6186

    Download Submit

  • C:\ProgramData\gbheaah\headccd
    Filesize

    54B

    MD5

    c8bbad190eaaa9755c8dfb1573984d81

    SHA1

    17ad91294403223fde66f687450545a2bad72af5

    SHA256

    7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

    SHA512

    05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

    Download Submit

  • memory/2236-9-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2500-38-0x0000000000850000-0x0000000000C50000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2500-39-0x0000000002F30000-0x00000000032B8000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2500-42-0x0000000002F30000-0x00000000032B8000-memory.dmp

    Filesize

    3.5MB

    Download