Overview

overview

10

Static

static

3

shellcode.exe

windows7-x64

10

shellcode.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    113s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-06-2024 11:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    shellcode.exe

  • Size

    146KB

  • MD5

    c3003964fbad244db448b96c95d57319

  • SHA1

    65026bbd3a65263e4da58c26e69c7576fd01d755

  • SHA256

    e12c720480be024f98d3a5ebb31445e16373da9bd7933fe4b9fa9ccd940e9c1d

  • SHA512

    7baf0bec4678184940d0a93c990aa6390b6ff379833706d62d51cd087284e1bc34ff047f9332baf7824fc14a0cc00830b9e815d09c9016b8edbb714d1b6a035c

  • SSDEEP

    3072:pBy3MmqwKvAiu6p08+l1nBtHEcq3Wn2D8IX3lqrpyPM:ny3MxwKNmxrn0Wn2D8InlqrpkM

Score
10/10
darkgatea1111stealer

Malware Config

Extracted

Family

darkgate

Botnet

A1111

C2

http://wilsoncallert.com

Attributes
  • alternative_c2_port

    8080

  • anti_analysis

    true

  • anti_debug

    true

  • anti_vm

    false

  • c2_port

    2351

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    true

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • crypto_key

    nSoLLNAEzUGGah

  • internal_mutex

    txtMut

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    4

  • rootkit

    true

  • startup_persistence

    true

  • username

    A1111

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 46 IoCs
  • Suspicious use of SendNotifyMessage 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\shellcode.exe
    "C:\Users\Admin\AppData\Local\Temp\shellcode.exe"
    1⤵
    • Checks processor information in registry
    PID:536
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2228
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2904

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/536-0-0x00000000001D0000-0x00000000001EB000-memory.dmp

      Filesize

      108KB

      Download

    • memory/536-1-0x0000000000B10000-0x0000000000C05000-memory.dmp

      Filesize

      980KB

      Download

    • memory/536-2-0x00000000032F0000-0x00000000036B3000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/536-3-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

      Download

    • memory/536-4-0x0000000000B10000-0x0000000000C05000-memory.dmp

      Filesize

      980KB

      Download

    • memory/536-5-0x00000000032F0000-0x00000000036B3000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/2228-8-0x000001C7A4AB0000-0x000001C7A4AB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2228-7-0x000001C7A4AB0000-0x000001C7A4AB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2228-6-0x000001C7A4AB0000-0x000001C7A4AB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2228-18-0x000001C7A4AB0000-0x000001C7A4AB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2228-17-0x000001C7A4AB0000-0x000001C7A4AB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2228-16-0x000001C7A4AB0000-0x000001C7A4AB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2228-15-0x000001C7A4AB0000-0x000001C7A4AB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2228-14-0x000001C7A4AB0000-0x000001C7A4AB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2228-13-0x000001C7A4AB0000-0x000001C7A4AB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2228-12-0x000001C7A4AB0000-0x000001C7A4AB1000-memory.dmp

      Filesize

      4KB

      Download