darkgate | 933fbda1ca7c4a52adbb48d038c8ba5ed5ee411d1096b2222ca383ca6d96a6bc

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pidgin.exe
Size

108KB
MD5

c283b2379ea584aab52abee0844b02a0
SHA1

903f9c7dcadf578637d604be681588fffec90e9b
SHA256

8292226e43a1aced9d38e2bdfb14cebabc12f9aa0a76ebdc47971eac026407f2
SHA512

a7e285d0d7ed7f212d33da6957ed9b2ba70ecd0e69852b52f33ebedc4682a1dc9621f6304b4c06b91b9ea74d94f1b6c3fad1d1f6f67f18512245870f908cd157
SSDEEP

1536:dV7q+SakHLKZ9tCAxtXSB5TDW/3CEdbjYVl4NGGwWArUiqvBwy/kTkiw3ciwjm:dpHKeJCCtX8TDafkVl4sG10MLoPm

Score

10^/10

darkgate discovery stealer

Malware Config

Extracted

Family

darkgate

Version

uPtZ

http://sanibroadbandcommunicton.duckdns.org

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
5864
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
true
crypter_raw_stub
false
crypto_key
qwNPPzrRTNHogf
internal_mutex
hykYbY
minimum_disk
100
minimum_ram
4096
ping_interval
1
rootkit
false
startup_persistence
true

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 14 IoCs

Processes:

resource	yara_rule
behavioral24/memory/1412-3-0x0000000002C60000-0x0000000002D55000-memory.dmp	family_darkgate_v6
behavioral24/memory/1132-8-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/1132-11-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/1132-14-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/1412-13-0x0000000002C60000-0x0000000002D55000-memory.dmp	family_darkgate_v6
behavioral24/memory/1132-9-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/1132-29-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/1132-30-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/1132-34-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/1132-33-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/1132-31-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/1132-28-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/1132-36-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/1132-40-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6

Blocklisted process makes network request 41 IoCs

Processes:

cmd.exe

flow	pid	process
2	1132	cmd.exe
3	1132	cmd.exe
28	1132	cmd.exe
30	1132	cmd.exe
31	1132	cmd.exe
37	1132	cmd.exe
42	1132	cmd.exe
43	1132	cmd.exe
44	1132	cmd.exe
53	1132	cmd.exe
59	1132	cmd.exe
60	1132	cmd.exe
61	1132	cmd.exe
62	1132	cmd.exe
63	1132	cmd.exe
64	1132	cmd.exe
65	1132	cmd.exe
71	1132	cmd.exe
72	1132	cmd.exe
75	1132	cmd.exe
76	1132	cmd.exe
77	1132	cmd.exe
78	1132	cmd.exe
80	1132	cmd.exe
81	1132	cmd.exe
82	1132	cmd.exe
85	1132	cmd.exe
96	1132	cmd.exe
98	1132	cmd.exe
99	1132	cmd.exe
100	1132	cmd.exe
101	1132	cmd.exe
102	1132	cmd.exe
104	1132	cmd.exe
106	1132	cmd.exe
107	1132	cmd.exe
108	1132	cmd.exe
109	1132	cmd.exe
110	1132	cmd.exe
111	1132	cmd.exe
112	1132	cmd.exe

Drops startup file 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbbdcaf.lnk cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

pidgin.exe

description pid process target process

PID 1412 set thread context of 1132 1412 pidgin.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbbdcaf.lnk	cmd.exe

description	pid	process	target process
PID 1412 set thread context of 1132	1412	pidgin.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

pidgin.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidgin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

pidgin.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	pidgin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	pidgin.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

pidgin.execmd.exe

pid process

1412 pidgin.exe
1412 pidgin.exe
1132 cmd.exe
1132 cmd.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

cmd.exe

pid process

1132 cmd.exe

pid	process
1412	pidgin.exe
1412	pidgin.exe
1132	cmd.exe
1132	cmd.exe

pid	process
1132	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

pidgin.exe

description	pid	process	target process
PID 1412 wrote to memory of 60	1412	pidgin.exe	cmd.exe
PID 1412 wrote to memory of 60	1412	pidgin.exe	cmd.exe
PID 1412 wrote to memory of 60	1412	pidgin.exe	cmd.exe
PID 1412 wrote to memory of 1132	1412	pidgin.exe	cmd.exe
PID 1412 wrote to memory of 1132	1412	pidgin.exe	cmd.exe
PID 1412 wrote to memory of 1132	1412	pidgin.exe	cmd.exe
PID 1412 wrote to memory of 1132	1412	pidgin.exe	cmd.exe
PID 1412 wrote to memory of 1132	1412	pidgin.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\pidgin.exe
"C:\Users\Admin\AppData\Local\Temp\pidgin.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\cmd.exe
cmd.exe
2⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
cmd.exe
2⤵
- Blocklisted process makes network request
- Drops startup file
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\aghdfbb\agebbdb\dbcfhhg
Filesize
163B

MD5
787b5ee0c7fa8d22d12f3587ddb58af6

SHA1
6dc040f11b3658b2c30bb6ddd9848b351281ef58

SHA256
c091a4dded8a5edcbe88773bb3be8faf5a9ac99a4c58a1d39fe07958d035653a

SHA512
8b4ab4b5f8de8f8e4833288d966457710e91172c12b3e100efc9e9261719b1a8420ee2800b7eb28b77fe0e71328afed345590b44bf6ed9b5b85dc13a0238eb85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbbdcaf.lnk
Filesize
823B

MD5
1d67fd4099d1f565501400a140618ea6

SHA1
fed6ae4e2270d61a018f09a8ab536b9cf9b50f62

SHA256
45e6fc87eff0c8fb4301e72c9bcf24b4ad48898e15f8840fe1af1d50a3fa6e72

SHA512
9f95c724c3be88a734ab66fb2f1edc9c3107810b04d29117a21dc1689a9f208a67c0f02db5bef2e6921c40577fea58b134e05b5515478687025457ee366b189b

Download Submit
C:\temp\libssp-0.dll
Filesize
88KB

MD5
1f521e8b258d2b09f66fb8c940452b72

SHA1
7d669fe4108d40ed431a6728a27a2efc5c153bd0

SHA256
7786e9e3c7fe54f52b54e4bb922ef569ad68dc14f4096d530824556975e0f462

SHA512
61058ec95c20ff46f3613f3bd7647231943b64f8171eb0327ee72613a079bd9d8e639434208bb120b1d5242075a13be6686c0dfd31c04932a93f1bef413192d3

Download Submit
C:\temp\pidgin.exe
Filesize
108KB

MD5
c283b2379ea584aab52abee0844b02a0

SHA1
903f9c7dcadf578637d604be681588fffec90e9b

SHA256
8292226e43a1aced9d38e2bdfb14cebabc12f9aa0a76ebdc47971eac026407f2

SHA512
a7e285d0d7ed7f212d33da6957ed9b2ba70ecd0e69852b52f33ebedc4682a1dc9621f6304b4c06b91b9ea74d94f1b6c3fad1d1f6f67f18512245870f908cd157

Download Submit
C:\temp\sqlite3.dll
Filesize
488KB

MD5
05ec7e9dee5c43b659d7843f6eb462a2

SHA1
1d37a930765e282b75b1d129258e21f683379245

SHA256
b98bacd2a12a4912acb8e6c8b4447c19b811672f5d6c43048b62c9e273c863d4

SHA512
fbdd1f7ec8dff695f8914dcd088a1217389d5d6c2c7b130ab8d87679f9f1cf8aa0c62ee303de07b0aa920b4e62a34132c788b20f53e5829d2d9a845ef32ad4f6

Download Submit
memory/1132-11-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1132-31-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1132-40-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1132-36-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1132-9-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1132-28-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1132-14-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1132-8-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1132-33-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1132-29-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1132-30-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1132-34-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1412-3-0x0000000002C60000-0x0000000002D55000-memory.dmp

Filesize
980KB

Download
memory/1412-12-0x0000000000B70000-0x0000000000B8B000-memory.dmp

Filesize
108KB

Download
memory/1412-0-0x0000000000B70000-0x0000000000B8B000-memory.dmp

Filesize
108KB

Download
memory/1412-10-0x0000000000BF0000-0x0000000000C0C000-memory.dmp

Filesize
112KB

Download
memory/1412-2-0x0000000002970000-0x0000000002B60000-memory.dmp

Filesize
1.9MB

Download
memory/1412-13-0x0000000002C60000-0x0000000002D55000-memory.dmp

Filesize
980KB

Download