Overview
overview
10Static
static
10apk/cyberR...ws.jar
windows7-x64
1apk/cyberR...ws.jar
windows10-2004-x64
1apk/cyberR...x.html
windows7-x64
3apk/cyberR...x.html
windows10-2004-x64
3apk/cyberR...x.html
windows7-x64
3apk/cyberR...x.html
windows10-2004-x64
3exe/crypte...te.bat
windows7-x64
10exe/crypte...te.bat
windows10-2004-x64
10exe/crypte...er.vbs
windows7-x64
10exe/crypte...er.vbs
windows10-2004-x64
10exe/crypte...-0.dll
windows7-x64
1exe/crypte...-0.dll
windows10-2004-x64
1exe/crypte...e3.exe
windows7-x64
3exe/crypte...e3.exe
windows10-2004-x64
3exe/crypte...-0.dll
windows7-x64
3exe/crypte...-0.dll
windows10-2004-x64
3exe/crypte...in.exe
windows7-x64
10exe/crypte...in.exe
windows10-2004-x64
10exe/crypte...e3.dll
windows7-x64
1exe/crypte...e3.dll
windows10-2004-x64
1libssp-0.dll
windows7-x64
3libssp-0.dll
windows10-2004-x64
3pidgin.exe
windows7-x64
10pidgin.exe
windows10-2004-x64
10sqlite3.dll
windows7-x64
1sqlite3.dll
windows10-2004-x64
1exe/non cr...x.html
windows7-x64
3exe/non cr...x.html
windows10-2004-x64
3exe/non cr...ed.exe
windows7-x64
10exe/non cr...ed.exe
windows10-2004-x64
10exe/non cr...x.html
windows7-x64
3exe/non cr...x.html
windows10-2004-x64
3Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19-08-2024 01:51
Behavioral task
behavioral1
Sample
apk/cyberRat/Port 7262 sample build/Google News.jar
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
apk/cyberRat/Port 7262 sample build/Google News.jar
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
apk/cyberRat/Port 7262 sample build/index.html
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
apk/cyberRat/Port 7262 sample build/index.html
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
apk/cyberRat/index.html
Resource
win7-20240705-en
Behavioral task
behavioral6
Sample
apk/cyberRat/index.html
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/Batch file for 5864v dll crypted darkgate/update.bat
Resource
win7-20240704-en
Behavioral task
behavioral8
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/Batch file for 5864v dll crypted darkgate/update.bat
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/launcher.vbs
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/launcher.vbs
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/libssp-0.dll
Resource
win7-20240708-en
Behavioral task
behavioral12
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/libssp-0.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/sqlite3.exe
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/sqlite3.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/libssp-0.dll
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/libssp-0.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/pidgin.exe
Resource
win7-20240729-en
Behavioral task
behavioral18
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/pidgin.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/sqlite3.dll
Resource
win7-20240729-en
Behavioral task
behavioral20
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/sqlite3.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
libssp-0.dll
Resource
win7-20240704-en
Behavioral task
behavioral22
Sample
libssp-0.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
pidgin.exe
Resource
win7-20240704-en
Behavioral task
behavioral24
Sample
pidgin.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
sqlite3.dll
Resource
win7-20240708-en
Behavioral task
behavioral26
Sample
sqlite3.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
exe/non crypted/Darkgate 5864 port sample not startup/index.html
Resource
win7-20240705-en
Behavioral task
behavioral28
Sample
exe/non crypted/Darkgate 5864 port sample not startup/index.html
Resource
win10v2004-20240802-en
Behavioral task
behavioral29
Sample
exe/non crypted/Darkgate 5864 port sample not startup/stubbed.exe
Resource
win7-20240704-en
Behavioral task
behavioral30
Sample
exe/non crypted/Darkgate 5864 port sample not startup/stubbed.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral31
Sample
exe/non crypted/index.html
Resource
win7-20240708-en
Behavioral task
behavioral32
Sample
exe/non crypted/index.html
Resource
win10v2004-20240802-en
General
-
Target
pidgin.exe
-
Size
108KB
-
MD5
c283b2379ea584aab52abee0844b02a0
-
SHA1
903f9c7dcadf578637d604be681588fffec90e9b
-
SHA256
8292226e43a1aced9d38e2bdfb14cebabc12f9aa0a76ebdc47971eac026407f2
-
SHA512
a7e285d0d7ed7f212d33da6957ed9b2ba70ecd0e69852b52f33ebedc4682a1dc9621f6304b4c06b91b9ea74d94f1b6c3fad1d1f6f67f18512245870f908cd157
-
SSDEEP
1536:dV7q+SakHLKZ9tCAxtXSB5TDW/3CEdbjYVl4NGGwWArUiqvBwy/kTkiw3ciwjm:dpHKeJCCtX8TDafkVl4sG10MLoPm
Malware Config
Extracted
darkgate
uPtZ
http://sanibroadbandcommunicton.duckdns.org
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
5864
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
true
-
crypter_raw_stub
false
-
crypto_key
qwNPPzrRTNHogf
-
internal_mutex
hykYbY
-
minimum_disk
100
-
minimum_ram
4096
-
ping_interval
1
-
rootkit
false
-
startup_persistence
true
Signatures
-
Detect DarkGate stealer 14 IoCs
Processes:
resource yara_rule behavioral24/memory/1412-3-0x0000000002C60000-0x0000000002D55000-memory.dmp family_darkgate_v6 behavioral24/memory/1132-8-0x0000000000400000-0x0000000000481000-memory.dmp family_darkgate_v6 behavioral24/memory/1132-11-0x0000000000400000-0x0000000000481000-memory.dmp family_darkgate_v6 behavioral24/memory/1132-14-0x0000000000400000-0x0000000000481000-memory.dmp family_darkgate_v6 behavioral24/memory/1412-13-0x0000000002C60000-0x0000000002D55000-memory.dmp family_darkgate_v6 behavioral24/memory/1132-9-0x0000000000400000-0x0000000000481000-memory.dmp family_darkgate_v6 behavioral24/memory/1132-29-0x0000000000400000-0x0000000000481000-memory.dmp family_darkgate_v6 behavioral24/memory/1132-30-0x0000000000400000-0x0000000000481000-memory.dmp family_darkgate_v6 behavioral24/memory/1132-34-0x0000000000400000-0x0000000000481000-memory.dmp family_darkgate_v6 behavioral24/memory/1132-33-0x0000000000400000-0x0000000000481000-memory.dmp family_darkgate_v6 behavioral24/memory/1132-31-0x0000000000400000-0x0000000000481000-memory.dmp family_darkgate_v6 behavioral24/memory/1132-28-0x0000000000400000-0x0000000000481000-memory.dmp family_darkgate_v6 behavioral24/memory/1132-36-0x0000000000400000-0x0000000000481000-memory.dmp family_darkgate_v6 behavioral24/memory/1132-40-0x0000000000400000-0x0000000000481000-memory.dmp family_darkgate_v6 -
Blocklisted process makes network request 41 IoCs
Processes:
cmd.exeflow pid process 2 1132 cmd.exe 3 1132 cmd.exe 28 1132 cmd.exe 30 1132 cmd.exe 31 1132 cmd.exe 37 1132 cmd.exe 42 1132 cmd.exe 43 1132 cmd.exe 44 1132 cmd.exe 53 1132 cmd.exe 59 1132 cmd.exe 60 1132 cmd.exe 61 1132 cmd.exe 62 1132 cmd.exe 63 1132 cmd.exe 64 1132 cmd.exe 65 1132 cmd.exe 71 1132 cmd.exe 72 1132 cmd.exe 75 1132 cmd.exe 76 1132 cmd.exe 77 1132 cmd.exe 78 1132 cmd.exe 80 1132 cmd.exe 81 1132 cmd.exe 82 1132 cmd.exe 85 1132 cmd.exe 96 1132 cmd.exe 98 1132 cmd.exe 99 1132 cmd.exe 100 1132 cmd.exe 101 1132 cmd.exe 102 1132 cmd.exe 104 1132 cmd.exe 106 1132 cmd.exe 107 1132 cmd.exe 108 1132 cmd.exe 109 1132 cmd.exe 110 1132 cmd.exe 111 1132 cmd.exe 112 1132 cmd.exe -
Drops startup file 1 IoCs
Processes:
cmd.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbbdcaf.lnk cmd.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
pidgin.exedescription pid process target process PID 1412 set thread context of 1132 1412 pidgin.exe cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
pidgin.execmd.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pidgin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
pidgin.execmd.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 pidgin.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString pidgin.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString cmd.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pidgin.execmd.exepid process 1412 pidgin.exe 1412 pidgin.exe 1132 cmd.exe 1132 cmd.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
cmd.exepid process 1132 cmd.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
pidgin.exedescription pid process target process PID 1412 wrote to memory of 60 1412 pidgin.exe cmd.exe PID 1412 wrote to memory of 60 1412 pidgin.exe cmd.exe PID 1412 wrote to memory of 60 1412 pidgin.exe cmd.exe PID 1412 wrote to memory of 1132 1412 pidgin.exe cmd.exe PID 1412 wrote to memory of 1132 1412 pidgin.exe cmd.exe PID 1412 wrote to memory of 1132 1412 pidgin.exe cmd.exe PID 1412 wrote to memory of 1132 1412 pidgin.exe cmd.exe PID 1412 wrote to memory of 1132 1412 pidgin.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\pidgin.exe"C:\Users\Admin\AppData\Local\Temp\pidgin.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\cmd.execmd.exe2⤵PID:60
-
C:\Windows\SysWOW64\cmd.execmd.exe2⤵
- Blocklisted process makes network request
- Drops startup file
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1132
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
163B
MD5787b5ee0c7fa8d22d12f3587ddb58af6
SHA16dc040f11b3658b2c30bb6ddd9848b351281ef58
SHA256c091a4dded8a5edcbe88773bb3be8faf5a9ac99a4c58a1d39fe07958d035653a
SHA5128b4ab4b5f8de8f8e4833288d966457710e91172c12b3e100efc9e9261719b1a8420ee2800b7eb28b77fe0e71328afed345590b44bf6ed9b5b85dc13a0238eb85
-
Filesize
823B
MD51d67fd4099d1f565501400a140618ea6
SHA1fed6ae4e2270d61a018f09a8ab536b9cf9b50f62
SHA25645e6fc87eff0c8fb4301e72c9bcf24b4ad48898e15f8840fe1af1d50a3fa6e72
SHA5129f95c724c3be88a734ab66fb2f1edc9c3107810b04d29117a21dc1689a9f208a67c0f02db5bef2e6921c40577fea58b134e05b5515478687025457ee366b189b
-
Filesize
88KB
MD51f521e8b258d2b09f66fb8c940452b72
SHA17d669fe4108d40ed431a6728a27a2efc5c153bd0
SHA2567786e9e3c7fe54f52b54e4bb922ef569ad68dc14f4096d530824556975e0f462
SHA51261058ec95c20ff46f3613f3bd7647231943b64f8171eb0327ee72613a079bd9d8e639434208bb120b1d5242075a13be6686c0dfd31c04932a93f1bef413192d3
-
Filesize
108KB
MD5c283b2379ea584aab52abee0844b02a0
SHA1903f9c7dcadf578637d604be681588fffec90e9b
SHA2568292226e43a1aced9d38e2bdfb14cebabc12f9aa0a76ebdc47971eac026407f2
SHA512a7e285d0d7ed7f212d33da6957ed9b2ba70ecd0e69852b52f33ebedc4682a1dc9621f6304b4c06b91b9ea74d94f1b6c3fad1d1f6f67f18512245870f908cd157
-
Filesize
488KB
MD505ec7e9dee5c43b659d7843f6eb462a2
SHA11d37a930765e282b75b1d129258e21f683379245
SHA256b98bacd2a12a4912acb8e6c8b4447c19b811672f5d6c43048b62c9e273c863d4
SHA512fbdd1f7ec8dff695f8914dcd088a1217389d5d6c2c7b130ab8d87679f9f1cf8aa0c62ee303de07b0aa920b4e62a34132c788b20f53e5829d2d9a845ef32ad4f6