Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-08-2024 02:17

General

  • Target

    1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381.exe

  • Size

    4.9MB

  • MD5

    9afafb511744b437365662e3647e8e76

  • SHA1

    883956c959701ea092515d2262e7f71248bbd08e

  • SHA256

    1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381

  • SHA512

    001010c095798369ea6338cb432f6dffa75f6badb6bd0d4f746a7d2d8c8740a9ab40b1de7ffc519538a312e46fb0621d81646db76b32a3d2aaa8d0283d856e03

  • SSDEEP

    49152:C4Y60gIBGEyn4GoXW6WJKjuFs3HSqgblLWgqf8NY:bY6pHNJJ08qb

Malware Config

Extracted

Family

darkgate

Botnet

rastaa

C2

44-35-63-31.internalsakamai.net

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    xKhQCrdc

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    rastaa

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

  • Detect DarkGate stealer 5 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
      PID:1528
      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        2⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:1412
    • C:\Users\Admin\AppData\Local\Temp\1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381.exe
      "C:\Users\Admin\AppData\Local\Temp\1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2340
      • \??\c:\tes2\Autoit3.exe
        c:\tes2\Autoit3.exe c:\tes2\mytes2.au3
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2728
        • \??\c:\windows\SysWOW64\cmd.exe
          "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\caedkea\gkccahg
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2916
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic ComputerSystem get domain
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2740
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping localhost & del /q /f "C:\Users\Admin\AppData\Local\Temp\1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381.exe"
        2⤵
        • Deletes itself
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\system32\PING.EXE
          ping localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2748
        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of WriteProcessMemory
          PID:2572

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\ProgramData\caedkea\effeaed

      Filesize

      1KB

      MD5

      b279ee4aef82d5b6401bdc65c6a05a0c

      SHA1

      0bb66a1cee859b480648f5e7b94c4fc5cbc5bbd5

      SHA256

      071be3d38bd3c7b3e4c9c481f10ad4634c1b1baee916e9daebd45142f8759acb

      SHA512

      d889dfe72b5c60e5ec94989489a053c744787fffe0c8d162a46e6815033cd98398d6680f73fba432d3be200323d860640955a528fd6e27d8396a344172c7baca

    • C:\ProgramData\caedkea\gkccahg

      Filesize

      54B

      MD5

      c8bbad190eaaa9755c8dfb1573984d81

      SHA1

      17ad91294403223fde66f687450545a2bad72af5

      SHA256

      7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

      SHA512

      05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

    • C:\Users\Admin\AppData\Roaming\HfFHcFh

      Filesize

      32B

      MD5

      512b5d523db7f8a637de4224dda41b4d

      SHA1

      ec2823bf889f5368b2c307c22f3b486fdc14ef1e

      SHA256

      9c1ec4e53e58ef2c2639d45f5c2921a45938d6d2b5f60273b2d08c77cfbccba8

      SHA512

      31ddfa9ad59ab6ba97e7b766e0ffffb9101e04bb1fed65b73e0b3f3dd4fdaa7f1e511fa063341f4a667007de5ecef1d6d86e9dcb1f2ac661f4f93eff9031320b

    • C:\temp\debahch

      Filesize

      4B

      MD5

      baaa14263d09f9d20b85bfe5fec35e85

      SHA1

      b73e750b396ed03f373f899edf3de7bb934c0ff2

      SHA256

      dd6cf22d0adc111a6324ec534eb828eb0ffde7c1c071600acd2c580329b66219

      SHA512

      1da71d93656d7b2d101e8b121542679cdbe151d38db69145d1832aa02f976b7f1c00fbd51549c031296225e5bf777c3b0651b338649f8910a55ac2b515084ede

    • C:\temp\debahch

      Filesize

      4B

      MD5

      3653a97625c094d5ecfbfb04218d2458

      SHA1

      28c9e2ab478482c97b201f0309a5958a0c1e678c

      SHA256

      5f4e4a463d62f258831fa8582fe938bfa53179fa2ec2d28a406e298f0bd68dbe

      SHA512

      b8610cb72c895fd13d01451e21615f2e91fd14a86f7a875573eeec59907f0c22404ba88cdb22279a5387325b26f03d8d03dd0b3c4cf6eaf169a956aab89d8bf8

    • C:\temp\kdccfdh

      Filesize

      4B

      MD5

      fd169736271f6f6019121389661d4b88

      SHA1

      e8d5e87bce08d7a0d2f521a9273d238b362f1ae4

      SHA256

      ac09f1477bea4ccbaee42164648caeff296455fba5c223192cf97a2bdfd8c3fd

      SHA512

      57149735ebfe7e9065c3e903ac6972fde8a8440e27ed0e268bd1cbc171df3404b580de897b537967a3f122c427b467a82e92e13557fdc77cc59e70bfa835489c

    • C:\tes2\Autoit3.exe

      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • \??\c:\tes2\mytes2.au3

      Filesize

      516KB

      MD5

      d91891cae02a24735853100a3511d74f

      SHA1

      4ace59e166ec0632fb3a6668b2d58ff809250ec2

      SHA256

      e2c3b31ee3615e2f39843d035f1990b94c12af1e42c34ce8e83c28b29c85567d

      SHA512

      ec41191df9451a5ebbae58a743cff8db87ea1dd0adf23d3cb5bb8853db5ffc3d819fbf096ca8ee1d0767e44490e804a9f58341ef49979138ef958ee7e6f12903

    • memory/2340-7-0x0000000000DC0000-0x00000000012B6000-memory.dmp

      Filesize

      5.0MB

    • memory/2340-0-0x00000000000E0000-0x00000000000E1000-memory.dmp

      Filesize

      4KB

    • memory/2572-31-0x0000000001E10000-0x00000000025B2000-memory.dmp

      Filesize

      7.6MB

    • memory/2572-33-0x0000000001E10000-0x00000000025B2000-memory.dmp

      Filesize

      7.6MB

    • memory/2572-32-0x0000000001E10000-0x00000000025B2000-memory.dmp

      Filesize

      7.6MB

    • memory/2728-10-0x0000000002FF0000-0x000000000336B000-memory.dmp

      Filesize

      3.5MB

    • memory/2728-9-0x0000000001110000-0x0000000001510000-memory.dmp

      Filesize

      4.0MB

    • memory/2728-23-0x0000000002FF0000-0x000000000336B000-memory.dmp

      Filesize

      3.5MB