Overview

overview

10

Static

static

3

91cad120d2...a0.exe

windows7-x64

10

91cad120d2...a0.exe

windows10-2004-x64

6

Sharing

Copy URL
Twitter E-mail

General

  • Target

    91cad120d25935177fa0b719c2ad17f692fe670b906ff2acb051d88c553acca0

  • Size

    2.1MB

  • Sample

    240717-ldf3savaqk

  • MD5

    d9f3d94487050486fc7e36fb436c4429

  • SHA1

    d94e38d51f9c0a9ce90d95cb386a611b51644d12

  • SHA256

    91cad120d25935177fa0b719c2ad17f692fe670b906ff2acb051d88c553acca0

  • SHA512

    d27da9a57a017383dfca8485c7c70652ea8a7544b40c9595b7f6b24186fc5c17b7b008283fdd5205ff872d8e043f1658c62871af24d0b51f6a7571d01c7503d8

  • SSDEEP

    49152:tk8BMMcyO4uzNJbIdNJbnwpIHLVRGH5ccLH1i:SasZ4uJJb6U6VRGH5h

Score
10/10
darkgategh0stexecutionstealer

Malware Config

Extracted

Family

darkgate

Botnet

Gh0st

C2

eventgrids.online

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    uPOkItJB

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    Gh0st

Targets

    • Target

      91cad120d25935177fa0b719c2ad17f692fe670b906ff2acb051d88c553acca0

    • Size

      2.1MB

    • MD5

      d9f3d94487050486fc7e36fb436c4429

    • SHA1

      d94e38d51f9c0a9ce90d95cb386a611b51644d12

    • SHA256

      91cad120d25935177fa0b719c2ad17f692fe670b906ff2acb051d88c553acca0

    • SHA512

      d27da9a57a017383dfca8485c7c70652ea8a7544b40c9595b7f6b24186fc5c17b7b008283fdd5205ff872d8e043f1658c62871af24d0b51f6a7571d01c7503d8

    • SSDEEP

      49152:tk8BMMcyO4uzNJbIdNJbnwpIHLVRGH5ccLH1i:SasZ4uJJb6U6VRGH5h

    Score
    10/10
    darkgategh0stexecutionstealer

    • DarkGate

      DarkGate is an infostealer written in C++.

      stealerdarkgate

    • Detect DarkGate stealer

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Command and Scripting Interpreter: AutoIT

      Using AutoIT for possible automate script.

      execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks