General

  • Target: 48860a4eb801109046a591d18809b1ff3e2b658f2a09c6fb36c4948cb88eb939.zip
  • Size: 1.4MB
  • Sample: 240807-ewpz3svajg
  • MD5: 03c73e5752332706c38a29d744990352
  • SHA1: 9532bff6a26a37f1c3d6dbee92f6aaff659853c2
  • SHA256: 9c3c4a9c67ce010496bc641249b6e67a2e430c9813e1bb55d2970f843cf087ad
  • SHA512: 865161004deb47d3f11c6c1b00785e62bd62de00c5f8546f2e64f07139c3e2d449dc2b7429870ac078a78442efa13fd635e12d2d8f25a5427f25323ec75d7d0e
  • SSDEEP: 24576:QBKR2HYlOnrqKDynuFTwtTzyiMXUk2+ldmC8MphvJ+JHUo3MceDif70G1byVLtzi:QBjrqMybnyiMXUk53mCB+J0o3Mc1706N

Malware Config

Extracted

  • Family: darkgate
  • Botnet: Gh0st
  • C2: filetmoon.site

Attributes

  • anti_analysis: true
  • anti_debug: false
  • anti_vm: true
  • c2_port: 80
  • check_disk: false
  • check_ram: false
  • check_xeon: false
  • crypter_au3: false
  • crypter_dll: false
  • crypter_raw_stub: false
  • internal_mutex: KaVpLvWD
  • minimum_disk: 100
  • minimum_ram: 4096
  • ping_interval: 6
  • rootkit: false
  • startup_persistence: true
  • username: Gh0st

Targets

    • Target: 48860a4eb801109046a591d18809b1ff3e2b658f2a09c6fb36c4948cb88eb939
    • Size: 2.1MB
    • MD5: fc99ddf185aa553bf30c431cc897c903
    • SHA1: 72c3ae0ed953a4ed3a5d1d8e3957f530c952f48d
    • SHA256: 48860a4eb801109046a591d18809b1ff3e2b658f2a09c6fb36c4948cb88eb939
    • SHA512: 0be1916e9f0fa3ff2282bbfc23ac9c5f19c15c17f5e0e6aa68edea3db7b780c53f473d40292f0ed324596996572917dfe584cc2d989773c77ee489b643dd2e46
    • SSDEEP: 49152:Uk8BMMcyO6uzNJbIdNJbnwppkcWAta0PH1i:HasZ6uJJb6UJNa0

    • DarkGate

      DarkGate is an infostealer written in C++.

    • Detect DarkGate stealer

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Command and Scripting Interpreter: AutoIT

      Uses AutoIT, possibly to run an automated script.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks