Overview

overview

10

Static

static

1

1bc0633484...81.exe

windows7-x64

10

1bc0633484...81.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-08-2024 02:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381.exe

  • Size

    4.9MB

  • MD5

    9afafb511744b437365662e3647e8e76

  • SHA1

    883956c959701ea092515d2262e7f71248bbd08e

  • SHA256

    1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381

  • SHA512

    001010c095798369ea6338cb432f6dffa75f6badb6bd0d4f746a7d2d8c8740a9ab40b1de7ffc519538a312e46fb0621d81646db76b32a3d2aaa8d0283d856e03

  • SSDEEP

    49152:C4Y60gIBGEyn4GoXW6WJKjuFs3HSqgblLWgqf8NY:bY6pHNJJ08qb

Score
10/10
darkgaterastaadiscoverypersistencestealer

Malware Config

Extracted

Family

darkgate

Botnet

rastaa

C2

44-35-63-31.internalsakamai.net

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    xKhQCrdc

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    rastaa

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 5 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
      PID:2596
      • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
        "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:1940
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4016
        • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
          "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
          2⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:3520
      • C:\Users\Admin\AppData\Local\Temp\1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381.exe
        "C:\Users\Admin\AppData\Local\Temp\1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381.exe"
        1⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4368
        • \??\c:\tes2\Autoit3.exe
          c:\tes2\Autoit3.exe c:\tes2\mytes2.au3
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4544
          • \??\c:\windows\SysWOW64\cmd.exe
            "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\fgdhfff\bhdkhkd
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4580
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic ComputerSystem get domain
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:3128
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ping localhost & del /q /f "C:\Users\Admin\AppData\Local\Temp\1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381.exe"
          2⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:2592
          • C:\Windows\system32\PING.EXE
            ping localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3240

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\fgdhfff\bhdkhkd
        Filesize

        54B

        MD5

        c8bbad190eaaa9755c8dfb1573984d81

        SHA1

        17ad91294403223fde66f687450545a2bad72af5

        SHA256

        7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

        SHA512

        05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

        Download Submit

      • C:\ProgramData\fgdhfff\ghfcakh
        Filesize

        1KB

        MD5

        ac78498ff2bb1fa771eeecea71df1a8b

        SHA1

        02204e45ea5b57af154ca8e512e3b74181bc741b

        SHA256

        c5c983526aad3a775028ab9e6eae2583be3ce23957166e541d9c4eaf6c6eff8c

        SHA512

        a111143f8df197f451f1036b2d0fee6aa3a3038edad0e6fcc348f3ef18e75ad9d24bc83267bb4f7acebca62f4b081f8965a900109e415e5b1792efa36ae8465b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\ecBAafa
        Filesize

        32B

        MD5

        52baacbc84c99c780c5363fa4da58eaf

        SHA1

        1a38d3f0dddab1302fc4094e0173f93ffcdeff24

        SHA256

        0fc5688653686300e5d87a2c59fbb10441ade9cb6585c6ea21978da07e9888b3

        SHA512

        bad7d5829c2d7d4f2b9dd9dc85e7d1b03b868dc1bf86e31359f832b9af3c1653c65f030bbaf89e9196c8ef259446f2bf432b8cfb2dd5351926a7c5303534efc7

        Download Submit

      • C:\temp\edhhcee
        Filesize

        4B

        MD5

        03fdfeaed105e55dc358953ea4fc2977

        SHA1

        64b4417d3623fc9aa2088343211e5f0e207fe36c

        SHA256

        12698df183738ff6fc7d3301002784576b1e64a45978ce8e98a2c2c69fdd617b

        SHA512

        f3e89749808604c0538dae7ba6e4be4722ff2317e43d157d6b478f1ef79153927cf5d0ba8d2910e557df209e80c70c3b113a1bc28c8013870dd5adb72994bf98

        Download Submit

      • C:\temp\edhhcee
        Filesize

        4B

        MD5

        47ad83a9ac892937ca70fa091142e174

        SHA1

        6240d2e72fe2b1b65809b8d6bf901f25c97cbf78

        SHA256

        95a5962be428923b1c91bd87133d9b4daf1cf03f9bc6794bea37c38a83c168e3

        SHA512

        cdc485e9c22295fcfc920ec88715b299fd333d9c7df7cf71eff2b113ea1ba81b5cf8f6d16e8a717834677425e54c3477bb59fe52297fa3dbd52c6bac5343ae5b

        Download Submit

      • C:\temp\gcffbcf
        Filesize

        4B

        MD5

        5087cadfe5f6c1931a64e8e968a13178

        SHA1

        bee693c72250c0da0347f2c6fb84f2f7cc61ed02

        SHA256

        57f70c28c6a3480769057aa2eeec99449c2a810acc2b6485b90ba13175c6df04

        SHA512

        d68cffa41fbaa36b4120a16e8be7a34ee0af851d024f788c8080ead97bcc3927f21b68209d02244e636870e438f1c1294bae616ce066a5606dae1de24c016957

        Download Submit

      • C:\tes2\Autoit3.exe
        Filesize

        872KB

        MD5

        c56b5f0201a3b3de53e561fe76912bfd

        SHA1

        2a4062e10a5de813f5688221dbeb3f3ff33eb417

        SHA256

        237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

        SHA512

        195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

        Download Submit

      • \??\c:\tes2\mytes2.au3
        Filesize

        516KB

        MD5

        d91891cae02a24735853100a3511d74f

        SHA1

        4ace59e166ec0632fb3a6668b2d58ff809250ec2

        SHA256

        e2c3b31ee3615e2f39843d035f1990b94c12af1e42c34ce8e83c28b29c85567d

        SHA512

        ec41191df9451a5ebbae58a743cff8db87ea1dd0adf23d3cb5bb8853db5ffc3d819fbf096ca8ee1d0767e44490e804a9f58341ef49979138ef958ee7e6f12903

        Download Submit

      • memory/1940-30-0x0000000002FD0000-0x0000000003772000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/1940-31-0x0000000002FD0000-0x0000000003772000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/1940-32-0x0000000002FD0000-0x0000000003772000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/4368-5-0x0000000000EA0000-0x0000000001396000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/4368-0-0x0000024FC4DA0000-0x0000024FC4DA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4544-9-0x0000000004770000-0x0000000004AEB000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/4544-8-0x0000000001560000-0x0000000001960000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4544-22-0x0000000004770000-0x0000000004AEB000-memory.dmp

        Filesize

        3.5MB

        Download