Overview
overview
10Static
static
10apk/cyberR...ws.jar
windows7-x64
1apk/cyberR...ws.jar
windows10-2004-x64
1apk/cyberR...x.html
windows7-x64
3apk/cyberR...x.html
windows10-2004-x64
3apk/cyberR...x.html
windows7-x64
3apk/cyberR...x.html
windows10-2004-x64
1exe/crypte...te.bat
windows7-x64
10exe/crypte...te.bat
windows10-2004-x64
10exe/crypte...er.vbs
windows7-x64
10exe/crypte...er.vbs
windows10-2004-x64
10exe/crypte...-0.dll
windows7-x64
1exe/crypte...-0.dll
windows10-2004-x64
1exe/crypte...e3.exe
windows7-x64
3exe/crypte...e3.exe
windows10-2004-x64
3exe/crypte...-0.dll
windows7-x64
3exe/crypte...-0.dll
windows10-2004-x64
3exe/crypte...in.exe
windows7-x64
10exe/crypte...in.exe
windows10-2004-x64
10exe/crypte...e3.dll
windows7-x64
1exe/crypte...e3.dll
windows10-2004-x64
1libssp-0.dll
windows7-x64
3libssp-0.dll
windows10-2004-x64
3pidgin.exe
windows7-x64
10pidgin.exe
windows10-2004-x64
10sqlite3.dll
windows7-x64
1sqlite3.dll
windows10-2004-x64
1exe/non cr...x.html
windows7-x64
3exe/non cr...x.html
windows10-2004-x64
3exe/non cr...ed.exe
windows7-x64
10exe/non cr...ed.exe
windows10-2004-x64
10exe/non cr...x.html
windows7-x64
3exe/non cr...x.html
windows10-2004-x64
3Analysis
-
max time kernel
139s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21-08-2024 20:17
Behavioral task
behavioral1
Sample
apk/cyberRat/Port 7262 sample build/Google News.jar
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
apk/cyberRat/Port 7262 sample build/Google News.jar
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
apk/cyberRat/Port 7262 sample build/index.html
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
apk/cyberRat/Port 7262 sample build/index.html
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
apk/cyberRat/index.html
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
apk/cyberRat/index.html
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/Batch file for 5864v dll crypted darkgate/update.bat
Resource
win7-20240704-en
Behavioral task
behavioral8
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/Batch file for 5864v dll crypted darkgate/update.bat
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/launcher.vbs
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/launcher.vbs
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/libssp-0.dll
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/libssp-0.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/sqlite3.exe
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/sqlite3.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/libssp-0.dll
Resource
win7-20240705-en
Behavioral task
behavioral16
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/libssp-0.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/pidgin.exe
Resource
win7-20240704-en
Behavioral task
behavioral18
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/pidgin.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/sqlite3.dll
Resource
win7-20240704-en
Behavioral task
behavioral20
Sample
exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/sqlite3.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
libssp-0.dll
Resource
win7-20240729-en
Behavioral task
behavioral22
Sample
libssp-0.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
pidgin.exe
Resource
win7-20240708-en
Behavioral task
behavioral24
Sample
pidgin.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
sqlite3.dll
Resource
win7-20240705-en
Behavioral task
behavioral26
Sample
sqlite3.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
exe/non crypted/Darkgate 5864 port sample not startup/index.html
Resource
win7-20240704-en
Behavioral task
behavioral28
Sample
exe/non crypted/Darkgate 5864 port sample not startup/index.html
Resource
win10v2004-20240802-en
Behavioral task
behavioral29
Sample
exe/non crypted/Darkgate 5864 port sample not startup/stubbed.exe
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
exe/non crypted/Darkgate 5864 port sample not startup/stubbed.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral31
Sample
exe/non crypted/index.html
Resource
win7-20240704-en
Behavioral task
behavioral32
Sample
exe/non crypted/index.html
Resource
win10v2004-20240802-en
General
-
Target
pidgin.exe
-
Size
108KB
-
MD5
c283b2379ea584aab52abee0844b02a0
-
SHA1
903f9c7dcadf578637d604be681588fffec90e9b
-
SHA256
8292226e43a1aced9d38e2bdfb14cebabc12f9aa0a76ebdc47971eac026407f2
-
SHA512
a7e285d0d7ed7f212d33da6957ed9b2ba70ecd0e69852b52f33ebedc4682a1dc9621f6304b4c06b91b9ea74d94f1b6c3fad1d1f6f67f18512245870f908cd157
-
SSDEEP
1536:dV7q+SakHLKZ9tCAxtXSB5TDW/3CEdbjYVl4NGGwWArUiqvBwy/kTkiw3ciwjm:dpHKeJCCtX8TDafkVl4sG10MLoPm
Malware Config
Extracted
darkgate
uPtZ
http://sanibroadbandcommunicton.duckdns.org
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
5864
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
true
-
crypter_raw_stub
false
-
crypto_key
qwNPPzrRTNHogf
-
internal_mutex
hykYbY
-
minimum_disk
100
-
minimum_ram
4096
-
ping_interval
1
-
rootkit
false
-
startup_persistence
true
Signatures
-
Detect DarkGate stealer 7 IoCs
Processes:
resource yara_rule behavioral24/memory/556-1-0x0000000003000000-0x00000000030F5000-memory.dmp family_darkgate_v6 behavioral24/memory/2500-12-0x0000000000400000-0x0000000000481000-memory.dmp family_darkgate_v6 behavioral24/memory/556-11-0x0000000003000000-0x00000000030F5000-memory.dmp family_darkgate_v6 behavioral24/memory/2500-10-0x0000000000400000-0x0000000000481000-memory.dmp family_darkgate_v6 behavioral24/memory/2500-7-0x0000000000400000-0x0000000000481000-memory.dmp family_darkgate_v6 behavioral24/memory/2500-6-0x0000000000400000-0x0000000000481000-memory.dmp family_darkgate_v6 behavioral24/memory/2500-18-0x0000000000400000-0x0000000000481000-memory.dmp family_darkgate_v6 -
Suspicious use of SetThreadContext 1 IoCs
Processes:
pidgin.exedescription pid process target process PID 556 set thread context of 2500 556 pidgin.exe cmd.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
pidgin.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pidgin.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
cmd.exepidgin.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString cmd.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 pidgin.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString pidgin.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 cmd.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pidgin.execmd.exepid process 556 pidgin.exe 556 pidgin.exe 2500 cmd.exe 2500 cmd.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
pidgin.exedescription pid process target process PID 556 wrote to memory of 2500 556 pidgin.exe cmd.exe PID 556 wrote to memory of 2500 556 pidgin.exe cmd.exe PID 556 wrote to memory of 2500 556 pidgin.exe cmd.exe PID 556 wrote to memory of 2500 556 pidgin.exe cmd.exe PID 556 wrote to memory of 2500 556 pidgin.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\pidgin.exe"C:\Users\Admin\AppData\Local\Temp\pidgin.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\cmd.execmd.exe2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2500
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
163B
MD5a040cdb5f95ac97a784e02674d33d6ae
SHA1fdc3e9604d07b6b30bd6bbf07b49fe02389fba83
SHA256bb108610ad797b19b0fb2051362741920f6d7f1a327fde089f9a63d9850c093d
SHA5123171a00f4b936114a7a5595240b0de9d6263617cf49ed8bf591a2dc0f1ee73ded600b9bf5425743f1f87b80c7657eb2f4d9ff8753076cede51ea5dbb6e0a48f5
-
Filesize
88KB
MD51f521e8b258d2b09f66fb8c940452b72
SHA17d669fe4108d40ed431a6728a27a2efc5c153bd0
SHA2567786e9e3c7fe54f52b54e4bb922ef569ad68dc14f4096d530824556975e0f462
SHA51261058ec95c20ff46f3613f3bd7647231943b64f8171eb0327ee72613a079bd9d8e639434208bb120b1d5242075a13be6686c0dfd31c04932a93f1bef413192d3
-
Filesize
108KB
MD5c283b2379ea584aab52abee0844b02a0
SHA1903f9c7dcadf578637d604be681588fffec90e9b
SHA2568292226e43a1aced9d38e2bdfb14cebabc12f9aa0a76ebdc47971eac026407f2
SHA512a7e285d0d7ed7f212d33da6957ed9b2ba70ecd0e69852b52f33ebedc4682a1dc9621f6304b4c06b91b9ea74d94f1b6c3fad1d1f6f67f18512245870f908cd157
-
Filesize
488KB
MD505ec7e9dee5c43b659d7843f6eb462a2
SHA11d37a930765e282b75b1d129258e21f683379245
SHA256b98bacd2a12a4912acb8e6c8b4447c19b811672f5d6c43048b62c9e273c863d4
SHA512fbdd1f7ec8dff695f8914dcd088a1217389d5d6c2c7b130ab8d87679f9f1cf8aa0c62ee303de07b0aa920b4e62a34132c788b20f53e5829d2d9a845ef32ad4f6