General

  • Target

    ab3c640841540414d0583e744693da75.bin

  • Size

    2.0MB

  • MD5

    8011343cc649382106135122f44e9b9a

  • SHA1

    7219ad6b71e3bc43c97f65ba219f859906902dae

  • SHA256

    c6a562b283c50ec4bf0a5a6bdcfb4e8449c2c9b4c0b6efe4a3dcf40f5c25a45e

  • SHA512

    2463b1ec0e5b4c80841fd0577d1788198138d50976da7e821052cd58c8edf49b9e424f8bc0e4dbd4a8972cb270cfd48c554cae69b1aab4d9f66038fbb06f1c15

  • SSDEEP

    49152:XPZsAT1rMN+nlpuLdg3lQw+nWq3epcLFWcb:RsAMNeledglpMW4Jb

Score
10/10

Malware Config

Extracted

Family

darkgate

Version



C2

http://sanibroadbandcommunicton.duckdns.org

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    5864

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    true

  • crypto_key

    LAbQdWWsbybjAY

  • internal_mutex

    bbcAde

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    10

  • rootkit

    false

  • startup_persistence

    false

Signatures

  • Darkgate family
  • Detect DarkGate stealer (1 IoC)
  • Unsigned PE (3 IoCs)

    Checks for missing Authenticode signature.

Files

  • ab3c640841540414d0583e744693da75.bin
    .zip

    Password: infected

  • 933fbda1ca7c4a52adbb48d038c8ba5ed5ee411d1096b2222ca383ca6d96a6bc.zip
    .zip

    Password: infected

  • apk/cyberRat/Port 7262 sample build/Google News.apk
    .jar
  • apk/cyberRat/Port 7262 sample build/index.html
    .html
  • apk/cyberRat/index.html
    .html
  • exe/crypted/Dakrgate 5864 startup plus rootkit/Batch file for 5864v dll crypted darkgate/update.bat
  • exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/launcher.vbs
    .vbs
  • exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/libssp-0.dll
  • exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/sqlite3.dll
    .exe windows:5 windows x86 arch:x86

    Password: infected

    6ae531f3439aee07e850dbb1ac7115a4

  • exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/libssp-0.dll
    .dll windows:4 windows x86 arch:x86

    Password: infected

  • exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/pidgin.exe
    .exe windows:4 windows x86 arch:x86

    Password: infected

    db91b113be7e07e4ea0768c3ae347cd3

  • exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/sqlite3.dll
  • exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/update.zip
    .zip

    Password: infected

  • libssp-0.dll
    .dll windows:4 windows x86 arch:x86

    Password: infected

  • pidgin.exe
    .exe windows:4 windows x86 arch:x86

    Password: infected

    db91b113be7e07e4ea0768c3ae347cd3

  • sqlite3.dll
  • exe/non crypted/Darkgate 5864 port sample not startup/index.html
    .html
  • exe/non crypted/Darkgate 5864 port sample not startup/stubbed.exe
    .exe windows:4 windows x86 arch:x86

    Password: infected

  • exe/non crypted/index.html
    .html