Overview

overview

10

Static

static

1

27062024_0...0a.vbs

windows7-x64

10

27062024_0...0a.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    27-06-2024 01:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27062024_0133_26-June-8e102d0a.vbs

  • Size

    2.6MB

  • MD5

    a2d12fd1350512b0da9ee5bbb1b57bd3

  • SHA1

    24f93f3eee12401b4801f2b662f7693d4ced9e9a

  • SHA256

    5b2eab80be6a4a92ed7ef64f347abe1c2bd5383d9abae8c29ee020486edcc033

  • SHA512

    a24d3ac3ce1525c7d8d1153e16549a0dcff6fe49ddc01edb72b38708d1dc79d720a89814dd99768a54f238367b27d0e4b1ce5a967449039e39cf638d6548165c

  • SSDEEP

    49152:NjjjjSjjjVjwfakCSzvQk9xezEwlwJwY+VewJw/V5Cp+jk8ijjjjpjPdHBwXiWF:h

Score
10/10
darkgatetrafikk897612561executionstealer

Malware Config

Extracted

Family

darkgate

Botnet

trafikk897612561

C2

91.222.173.170

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    GDrdcpJy

  • minimum_disk

    100

  • minimum_ram

    4095

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    trafikk897612561

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 2 IoCs
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Using AutoIT for possible automate script.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27062024_0133_26-June-8e102d0a.vbs"
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1044
  • C:\Windows\system32\wbem\wmic.exe
    wmic process call create "cmd /c C:\Default\Autoit3.exe C:\Default\script.a3x"
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    PID:2724
  • C:\Windows\system32\cmd.exe
    cmd /c C:\Default\Autoit3.exe C:\Default\script.a3x
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Default\Autoit3.exe
      C:\Default\Autoit3.exe C:\Default\script.a3x
      2⤵
      • Executes dropped EXE
      • Command and Scripting Interpreter: AutoIT
      • Checks processor information in registry
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2744
      • \??\c:\windows\SysWOW64\cmd.exe
        "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\acdeeha\dfccakk
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic ComputerSystem get domain
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2472

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Default\Autoit3.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • C:\Default\index.zip
    Filesize

    767KB

    MD5

    0b4da0c7a95252fae5a927a841c91901

    SHA1

    84095a4dbeef6a67c9b8bcf8796415058fd6d780

    SHA256

    269fe293247b93422e8882f6a49d39064054b10dbb00ab4d10ec347d8d05f861

    SHA512

    f603a4053d614af58c9adbea161806e4d3db223a21c8e4f83b6ba144441cdde05dc89f8167c26e277262914830fffadf6c89247a6ff9f8357ab964b68b5a24fe

    Download Submit

  • C:\Default\script.a3x
    Filesize

    546KB

    MD5

    3c381689551d564df57b6f081a8b5742

    SHA1

    e0f2a50dc6ff45949aec6b61c589cfad5728a355

    SHA256

    83f1fab236357817270f995a6e3e32f90661dad6d625ad1e1f16b06c248da1d1

    SHA512

    30fe922119222aecbbb72ecd7ef7e5dc09031832ad00bb6bfabb8d6150d273495b626f9efd1562d0f866f6ba957b243a0a8b10c7d7ca2698ab5d45d434ea6186

    Download Submit

  • C:\ProgramData\acdeeha\dfccakk
    Filesize

    54B

    MD5

    c8bbad190eaaa9755c8dfb1573984d81

    SHA1

    17ad91294403223fde66f687450545a2bad72af5

    SHA256

    7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

    SHA512

    05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

    Download Submit

  • memory/1044-9-0x00000000020B0000-0x00000000020B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2744-37-0x00000000007A0000-0x0000000000BA0000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2744-38-0x0000000003080000-0x0000000003408000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2744-42-0x0000000003080000-0x0000000003408000-memory.dmp

    Filesize

    3.5MB

    Download