General

  • Target: 6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8
  • Size: 3.5MB
  • Sample: 240818-k6qbgswglc
  • MD5: 0bd370eef60a45fd61634df249b64b91
  • SHA1: 6758f0170b8227ad373ec35e12e6f300f2f27b42
  • SHA256: 6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8
  • SHA512: b06159c59477dba32c69c53194e832ce2335d038761559328cb04f7f5286d4800fd68f9ac1d61f0063cb138e2e191876e13ab5ee0d03ca9bf44b70e086140f52
  • SSDEEP: 49152:XwREDDMeGGezwQbVqL+ecrCkwYw4z0g3QjfkRiGqUydHeMxWrP+beY7UY714:XwREBGGezfI2hwYDzJQ7UqzdMwZgN

Malware Config

Extracted

  • Family: darkgate
  • Botnet: seeksoul
  • C2: version6dkgate.duckdns.org

Attributes

  • anti_analysis: false
  • anti_debug: false
  • anti_vm: false
  • c2_port: 5864
  • check_disk: false
  • check_ram: false
  • check_xeon: false
  • crypter_au3: false
  • crypter_dll: false
  • crypter_raw_stub: false
  • internal_mutex: hOTwjapB
  • minimum_disk: 100
  • minimum_ram: 4096
  • ping_interval: 6
  • rootkit: false
  • startup_persistence: true
  • username: seeksoul

Targets

  • Target: 6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8
  • Size: 3.5MB
  • MD5: 0bd370eef60a45fd61634df249b64b91
  • SHA1: 6758f0170b8227ad373ec35e12e6f300f2f27b42
  • SHA256: 6bef7c9809b35c7a2111872544e68aa29b8323f5936b6b1122c5f4138cf6e1e8
  • SHA512: b06159c59477dba32c69c53194e832ce2335d038761559328cb04f7f5286d4800fd68f9ac1d61f0063cb138e2e191876e13ab5ee0d03ca9bf44b70e086140f52
  • SSDEEP: 49152:XwREDDMeGGezwQbVqL+ecrCkwYw4z0g3QjfkRiGqUydHeMxWrP+beY7UY714:XwREBGGezfI2hwYDzJQ7UqzdMwZgN

  • DarkGate: DarkGate is an infostealer written in C++.
  • Detect DarkGate stealer
  • Suspicious use of NtCreateUserProcessOtherParentProcess
  • Executes dropped EXE
  • Loads dropped DLL
  • Adds Run key to start application
  • Command and Scripting Interpreter: AutoIT: uses AutoIT, possibly to automate a script.

MITRE ATT&CK Enterprise v15

Tasks