darkgate | c6a562b283c50ec4bf0a5a6bdcfb4e8449c2c9b4c0b6efe4a3dcf40f5c25a45e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pidgin.exe
Size

108KB
MD5

c283b2379ea584aab52abee0844b02a0
SHA1

903f9c7dcadf578637d604be681588fffec90e9b
SHA256

8292226e43a1aced9d38e2bdfb14cebabc12f9aa0a76ebdc47971eac026407f2
SHA512

a7e285d0d7ed7f212d33da6957ed9b2ba70ecd0e69852b52f33ebedc4682a1dc9621f6304b4c06b91b9ea74d94f1b6c3fad1d1f6f67f18512245870f908cd157
SSDEEP

1536:dV7q+SakHLKZ9tCAxtXSB5TDW/3CEdbjYVl4NGGwWArUiqvBwy/kTkiw3ciwjm:dpHKeJCCtX8TDafkVl4sG10MLoPm

Score

10^/10

darkgate discovery stealer

Malware Config

Extracted

Family

darkgate

Version

uPtZ

http://sanibroadbandcommunicton.duckdns.org

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
5864
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
true
crypter_raw_stub
false
crypto_key
qwNPPzrRTNHogf
internal_mutex
hykYbY
minimum_disk
100
minimum_ram
4096
ping_interval
1
rootkit
false
startup_persistence
true

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 14 IoCs

Processes:

resource	yara_rule
behavioral24/memory/2112-2-0x0000000003920000-0x0000000003A15000-memory.dmp	family_darkgate_v6
behavioral24/memory/3352-9-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/3352-13-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/2112-12-0x0000000003920000-0x0000000003A15000-memory.dmp	family_darkgate_v6
behavioral24/memory/3352-8-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/3352-7-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/3352-29-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/3352-30-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/3352-33-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/3352-32-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/3352-28-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/3352-27-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/3352-36-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/3352-39-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6

Blocklisted process makes network request 37 IoCs

Processes:

cmd.exe

flow	pid	process
25	3352	cmd.exe
26	3352	cmd.exe
28	3352	cmd.exe
29	3352	cmd.exe
32	3352	cmd.exe
37	3352	cmd.exe
38	3352	cmd.exe
39	3352	cmd.exe
49	3352	cmd.exe
54	3352	cmd.exe
55	3352	cmd.exe
56	3352	cmd.exe
57	3352	cmd.exe
58	3352	cmd.exe
59	3352	cmd.exe
60	3352	cmd.exe
66	3352	cmd.exe
69	3352	cmd.exe
70	3352	cmd.exe
71	3352	cmd.exe
72	3352	cmd.exe
74	3352	cmd.exe
75	3352	cmd.exe
78	3352	cmd.exe
81	3352	cmd.exe
93	3352	cmd.exe
94	3352	cmd.exe
95	3352	cmd.exe
96	3352	cmd.exe
97	3352	cmd.exe
99	3352	cmd.exe
100	3352	cmd.exe
101	3352	cmd.exe
103	3352	cmd.exe
104	3352	cmd.exe
105	3352	cmd.exe
106	3352	cmd.exe

Drops startup file 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hfakaec.lnk cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

pidgin.exe

description pid process target process

PID 2112 set thread context of 3352 2112 pidgin.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hfakaec.lnk	cmd.exe

description	pid	process	target process
PID 2112 set thread context of 3352	2112	pidgin.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

pidgin.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidgin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

pidgin.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	pidgin.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	pidgin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

pidgin.execmd.exe

pid process

2112 pidgin.exe
2112 pidgin.exe
3352 cmd.exe
3352 cmd.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

cmd.exe

pid process

3352 cmd.exe

pid	process
2112	pidgin.exe
2112	pidgin.exe
3352	cmd.exe
3352	cmd.exe

pid	process
3352	cmd.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

pidgin.exe

description	pid	process	target process
PID 2112 wrote to memory of 3352	2112	pidgin.exe	cmd.exe
PID 2112 wrote to memory of 3352	2112	pidgin.exe	cmd.exe
PID 2112 wrote to memory of 3352	2112	pidgin.exe	cmd.exe
PID 2112 wrote to memory of 3352	2112	pidgin.exe	cmd.exe
PID 2112 wrote to memory of 3352	2112	pidgin.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\pidgin.exe
"C:\Users\Admin\AppData\Local\Temp\pidgin.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\cmd.exe
cmd.exe
2⤵
- Blocklisted process makes network request
- Drops startup file
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:3352

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cfhabgd\edhdaak\eecbacb
Filesize
163B

MD5
3bb66d0681e9d58d52d0c7eea7634c1e

SHA1
ee4d26e3cd50886f2a4f6094449f457850da553b

SHA256
4b5495c1feceaa753b32979522e0be25b2e0a11d408ab34e062783192f11e051

SHA512
334f52c4fed8de5cecf681725cfb251a74a979866226fc13b7c33027b0915c2afc58376085f560a1edcc2369df72e3c6afc51c11b00307c92ea2ec66215c2a42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hfakaec.lnk
Filesize
823B

MD5
afca655ecd55ab3551dafe65940f993b

SHA1
074aac81ec46c04a3dc45dc9e6813bedd5477eee

SHA256
00267c000fed8dc522f3dd8aec688822968a909a515ad03c605f1041bada25d1

SHA512
b6331223b03f6a0cf6ae5bceb4e3972e804d2f5680e359d9b8d65cda69e7c1e78368f6cb47888fa464c5c49420fe1c7b083e31c8b9025720126b61e9c5eb3b86

Download Submit
C:\temp\libssp-0.dll
Filesize
88KB

MD5
1f521e8b258d2b09f66fb8c940452b72

SHA1
7d669fe4108d40ed431a6728a27a2efc5c153bd0

SHA256
7786e9e3c7fe54f52b54e4bb922ef569ad68dc14f4096d530824556975e0f462

SHA512
61058ec95c20ff46f3613f3bd7647231943b64f8171eb0327ee72613a079bd9d8e639434208bb120b1d5242075a13be6686c0dfd31c04932a93f1bef413192d3

Download Submit
C:\temp\pidgin.exe
Filesize
108KB

MD5
c283b2379ea584aab52abee0844b02a0

SHA1
903f9c7dcadf578637d604be681588fffec90e9b

SHA256
8292226e43a1aced9d38e2bdfb14cebabc12f9aa0a76ebdc47971eac026407f2

SHA512
a7e285d0d7ed7f212d33da6957ed9b2ba70ecd0e69852b52f33ebedc4682a1dc9621f6304b4c06b91b9ea74d94f1b6c3fad1d1f6f67f18512245870f908cd157

Download Submit
C:\temp\sqlite3.dll
Filesize
488KB

MD5
05ec7e9dee5c43b659d7843f6eb462a2

SHA1
1d37a930765e282b75b1d129258e21f683379245

SHA256
b98bacd2a12a4912acb8e6c8b4447c19b811672f5d6c43048b62c9e273c863d4

SHA512
fbdd1f7ec8dff695f8914dcd088a1217389d5d6c2c7b130ab8d87679f9f1cf8aa0c62ee303de07b0aa920b4e62a34132c788b20f53e5829d2d9a845ef32ad4f6

Download Submit
memory/2112-12-0x0000000003920000-0x0000000003A15000-memory.dmp

Filesize
980KB

Download
memory/2112-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2112-2-0x0000000003920000-0x0000000003A15000-memory.dmp

Filesize
980KB

Download
memory/2112-10-0x0000000000860000-0x000000000087C000-memory.dmp

Filesize
112KB

Download
memory/2112-1-0x0000000003630000-0x0000000003820000-memory.dmp

Filesize
1.9MB

Download
memory/3352-30-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3352-13-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3352-9-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3352-29-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3352-7-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3352-33-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3352-32-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3352-28-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3352-27-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3352-8-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3352-36-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3352-39-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download