Overview

overview

10

Static

static

1

KB46569499.exe

windows7-x64

10

KB46569499.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-08-2024 20:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    KB46569499.exe

  • Size

    4.9MB

  • MD5

    9afafb511744b437365662e3647e8e76

  • SHA1

    883956c959701ea092515d2262e7f71248bbd08e

  • SHA256

    1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381

  • SHA512

    001010c095798369ea6338cb432f6dffa75f6badb6bd0d4f746a7d2d8c8740a9ab40b1de7ffc519538a312e46fb0621d81646db76b32a3d2aaa8d0283d856e03

  • SSDEEP

    49152:C4Y60gIBGEyn4GoXW6WJKjuFs3HSqgblLWgqf8NY:bY6pHNJJ08qb

Score
10/10
darkgaterastaadiscoverypersistencestealer

Malware Config

Extracted

Family

darkgate

Botnet

rastaa

C2

44-35-63-31.internalsakamai.net

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    xKhQCrdc

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    rastaa

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 5 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2460
      • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
        "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
        2⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:3512
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
      1⤵
        PID:2508
        • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
          "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of WriteProcessMemory
          PID:1280
      • C:\Users\Admin\AppData\Local\Temp\KB46569499.exe
        "C:\Users\Admin\AppData\Local\Temp\KB46569499.exe"
        1⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:876
        • \??\c:\tes2\Autoit3.exe
          c:\tes2\Autoit3.exe c:\tes2\mytes2.au3
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2000
          • \??\c:\windows\SysWOW64\cmd.exe
            "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\fdbcbgc\ehggcde
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2748
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic ComputerSystem get domain
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:4320
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ping localhost & del /q /f "C:\Users\Admin\AppData\Local\Temp\KB46569499.exe"
          2⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:2440
          • C:\Windows\system32\PING.EXE
            ping localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2316

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\fdbcbgc\bcekfgd
        Filesize

        1KB

        MD5

        66a2a4916f72095533b53b9411bba364

        SHA1

        7a505aa642e3b976018fff575878a413b7ba8df6

        SHA256

        3ccaa79a0acfe7490259834cea734b9f4fcda04667203b3858393494d4697b42

        SHA512

        240b72d781135128bb7fc1ea17d786635832505a059f45e836cf70833bd4bf7aa4e11bcf395cec5dd0d6a86dbc70746b78c80f0cb0cb434e56472d7e59163b03

        Download Submit

      • C:\ProgramData\fdbcbgc\ehggcde
        Filesize

        54B

        MD5

        c8bbad190eaaa9755c8dfb1573984d81

        SHA1

        17ad91294403223fde66f687450545a2bad72af5

        SHA256

        7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

        SHA512

        05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

        Download Submit

      • C:\Users\Admin\AppData\Roaming\GdDBAHf
        Filesize

        32B

        MD5

        0a228b7362bc2fe11545f5932a4e3e92

        SHA1

        6f939a017879e656c5dcfa539399544869f52c9f

        SHA256

        7de159449c515d9e5678940414b6bdc2c3e2efcc63bac72fe5652c2cfd930842

        SHA512

        3319f988309f272be50f4eb2deaf20ab71121bd861d79c163fd4ec251c41ce330dbc50d135b29e4a0ed2891d6908f3bc32e392138e423984520efd2fbc468ce7

        Download Submit

      • C:\temp\aacdgfd
        Filesize

        4B

        MD5

        f7a21e1cce4452989656ad0dac0c0fed

        SHA1

        2e6f52934ff4983acc907b382764c2f91c3a8c1c

        SHA256

        0ca5289c76980e5fa288e827dfeb66f8af5b97d372fd080ce682adc79a121eea

        SHA512

        b5307ac1f233a53f0e9d1f01c516e2c799a9c5a35e530d859e60f2818a4a63a4e587a7600d736caea09c6cfbc340ea51fc217cc80dba66d0c4912be502c9b30c

        Download Submit

      • C:\temp\agcegga
        Filesize

        4B

        MD5

        6de0798014360f43659006c494c36297

        SHA1

        bde613e112497bb92d5cafc58552609ca2b7e3f4

        SHA256

        c67faaf845840497ae235956a5e3c2b111cce208ac58605825d9a1ec708441cb

        SHA512

        32054024a39278355a8f401fca3e417de4e2c85c403accbfba7b6b6e8d27740c893f097d2dbf7370e0068b4ad3c13255b680a5dc42696424ce54d0c911db1aa6

        Download Submit

      • C:\temp\agcegga
        Filesize

        4B

        MD5

        6d9aa1eae3d04f9053c510d145978806

        SHA1

        466eb5640775c2e25dbca87188160b15a8b44f2e

        SHA256

        5ef8116afa2ff5609df3812da09885f00824bbf33d8db368c4ca49e14d274237

        SHA512

        57262937d07df28d7cedf0cf71c94eefdf9d93b772e7b96b49e1f7a6a0d0c749cf77ba9afe864937eadfcc163a2a8cef8555e7c213210d045d77a1ea3b1d7fe7

        Download Submit

      • C:\tes2\Autoit3.exe
        Filesize

        872KB

        MD5

        c56b5f0201a3b3de53e561fe76912bfd

        SHA1

        2a4062e10a5de813f5688221dbeb3f3ff33eb417

        SHA256

        237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

        SHA512

        195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

        Download Submit

      • \??\c:\tes2\mytes2.au3
        Filesize

        516KB

        MD5

        d91891cae02a24735853100a3511d74f

        SHA1

        4ace59e166ec0632fb3a6668b2d58ff809250ec2

        SHA256

        e2c3b31ee3615e2f39843d035f1990b94c12af1e42c34ce8e83c28b29c85567d

        SHA512

        ec41191df9451a5ebbae58a743cff8db87ea1dd0adf23d3cb5bb8853db5ffc3d819fbf096ca8ee1d0767e44490e804a9f58341ef49979138ef958ee7e6f12903

        Download Submit

      • memory/876-0-0x000001C3558C0000-0x000001C3558C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/876-5-0x0000000000930000-0x0000000000E26000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/1280-30-0x0000000002F40000-0x00000000036E2000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/1280-32-0x0000000002F40000-0x00000000036E2000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/1280-31-0x0000000002F40000-0x00000000036E2000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/2000-9-0x0000000003C20000-0x0000000003F9B000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2000-8-0x0000000000930000-0x0000000000D30000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2000-22-0x0000000003C20000-0x0000000003F9B000-memory.dmp

        Filesize

        3.5MB

        Download