darkgate | 933fbda1ca7c4a52adbb48d038c8ba5ed5ee411d1096b2222ca383ca6d96a6bc

Analysis

max time kernel
139s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pidgin.exe
Size

108KB
MD5

c283b2379ea584aab52abee0844b02a0
SHA1

903f9c7dcadf578637d604be681588fffec90e9b
SHA256

8292226e43a1aced9d38e2bdfb14cebabc12f9aa0a76ebdc47971eac026407f2
SHA512

a7e285d0d7ed7f212d33da6957ed9b2ba70ecd0e69852b52f33ebedc4682a1dc9621f6304b4c06b91b9ea74d94f1b6c3fad1d1f6f67f18512245870f908cd157
SSDEEP

1536:dV7q+SakHLKZ9tCAxtXSB5TDW/3CEdbjYVl4NGGwWArUiqvBwy/kTkiw3ciwjm:dpHKeJCCtX8TDafkVl4sG10MLoPm

Score

10^/10

darkgate discovery stealer

Malware Config

Extracted

Family

darkgate

Version

uPtZ

http://sanibroadbandcommunicton.duckdns.org

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
5864
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
true
crypter_raw_stub
false
crypto_key
qwNPPzrRTNHogf
internal_mutex
hykYbY
minimum_disk
100
minimum_ram
4096
ping_interval
1
rootkit
false
startup_persistence
true

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 7 IoCs

Processes:

resource	yara_rule
behavioral24/memory/556-1-0x0000000003000000-0x00000000030F5000-memory.dmp	family_darkgate_v6
behavioral24/memory/2500-12-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/556-11-0x0000000003000000-0x00000000030F5000-memory.dmp	family_darkgate_v6
behavioral24/memory/2500-10-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/2500-7-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/2500-6-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6
behavioral24/memory/2500-18-0x0000000000400000-0x0000000000481000-memory.dmp	family_darkgate_v6

Suspicious use of SetThreadContext 1 IoCs

Processes:

pidgin.exe

description pid process target process

PID 556 set thread context of 2500 556 pidgin.exe cmd.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

pidgin.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pidgin.exe

description	pid	process	target process
PID 556 set thread context of 2500	556	pidgin.exe	cmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidgin.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exepidgin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	pidgin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	pidgin.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

pidgin.execmd.exe

pid process

556 pidgin.exe
556 pidgin.exe
2500 cmd.exe
2500 cmd.exe

pid	process
556	pidgin.exe
556	pidgin.exe
2500	cmd.exe
2500	cmd.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

pidgin.exe

description	pid	process	target process
PID 556 wrote to memory of 2500	556	pidgin.exe	cmd.exe
PID 556 wrote to memory of 2500	556	pidgin.exe	cmd.exe
PID 556 wrote to memory of 2500	556	pidgin.exe	cmd.exe
PID 556 wrote to memory of 2500	556	pidgin.exe	cmd.exe
PID 556 wrote to memory of 2500	556	pidgin.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\pidgin.exe
"C:\Users\Admin\AppData\Local\Temp\pidgin.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\cmd.exe
cmd.exe
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cfhabgd\edhdaak\eecbacb

Filesize
163B

MD5
a040cdb5f95ac97a784e02674d33d6ae

SHA1
fdc3e9604d07b6b30bd6bbf07b49fe02389fba83

SHA256
bb108610ad797b19b0fb2051362741920f6d7f1a327fde089f9a63d9850c093d

SHA512
3171a00f4b936114a7a5595240b0de9d6263617cf49ed8bf591a2dc0f1ee73ded600b9bf5425743f1f87b80c7657eb2f4d9ff8753076cede51ea5dbb6e0a48f5

Download Submit
C:\temp\libssp-0.dll

Filesize
88KB

MD5
1f521e8b258d2b09f66fb8c940452b72

SHA1
7d669fe4108d40ed431a6728a27a2efc5c153bd0

SHA256
7786e9e3c7fe54f52b54e4bb922ef569ad68dc14f4096d530824556975e0f462

SHA512
61058ec95c20ff46f3613f3bd7647231943b64f8171eb0327ee72613a079bd9d8e639434208bb120b1d5242075a13be6686c0dfd31c04932a93f1bef413192d3

Download Submit
C:\temp\pidgin.exe

Filesize
108KB

MD5
c283b2379ea584aab52abee0844b02a0

SHA1
903f9c7dcadf578637d604be681588fffec90e9b

SHA256
8292226e43a1aced9d38e2bdfb14cebabc12f9aa0a76ebdc47971eac026407f2

SHA512
a7e285d0d7ed7f212d33da6957ed9b2ba70ecd0e69852b52f33ebedc4682a1dc9621f6304b4c06b91b9ea74d94f1b6c3fad1d1f6f67f18512245870f908cd157

Download Submit
C:\temp\sqlite3.dll

Filesize
488KB

MD5
05ec7e9dee5c43b659d7843f6eb462a2

SHA1
1d37a930765e282b75b1d129258e21f683379245

SHA256
b98bacd2a12a4912acb8e6c8b4447c19b811672f5d6c43048b62c9e273c863d4

SHA512
fbdd1f7ec8dff695f8914dcd088a1217389d5d6c2c7b130ab8d87679f9f1cf8aa0c62ee303de07b0aa920b4e62a34132c788b20f53e5829d2d9a845ef32ad4f6

Download Submit
memory/556-11-0x0000000003000000-0x00000000030F5000-memory.dmp

Filesize
980KB

Download
memory/556-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/556-8-0x0000000001000000-0x000000000101C000-memory.dmp

Filesize
112KB

Download
memory/556-1-0x0000000003000000-0x00000000030F5000-memory.dmp

Filesize
980KB

Download
memory/556-0-0x0000000002D10000-0x0000000002F00000-memory.dmp

Filesize
1.9MB

Download
memory/2500-7-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2500-6-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2500-10-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2500-12-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2500-18-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download