Overview

overview

10

Static

static

1

1bc0633484...81.exe

windows7-x64

10

1bc0633484...81.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    27-08-2024 16:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381.exe

  • Size

    4.9MB

  • MD5

    9afafb511744b437365662e3647e8e76

  • SHA1

    883956c959701ea092515d2262e7f71248bbd08e

  • SHA256

    1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381

  • SHA512

    001010c095798369ea6338cb432f6dffa75f6badb6bd0d4f746a7d2d8c8740a9ab40b1de7ffc519538a312e46fb0621d81646db76b32a3d2aaa8d0283d856e03

  • SSDEEP

    49152:C4Y60gIBGEyn4GoXW6WJKjuFs3HSqgblLWgqf8NY:bY6pHNJJ08qb

Score
10/10
darkgaterastaadiscoverypersistencestealer

Malware Config

Extracted

Family

darkgate

Botnet

rastaa

C2

44-35-63-31.internalsakamai.net

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    xKhQCrdc

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    rastaa

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 5 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1072
      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        2⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2084
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1148
        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of WriteProcessMemory
          PID:3028
      • C:\Users\Admin\AppData\Local\Temp\1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381.exe
        "C:\Users\Admin\AppData\Local\Temp\1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2504
        • \??\c:\tes2\Autoit3.exe
          c:\tes2\Autoit3.exe c:\tes2\mytes2.au3
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2076
          • \??\c:\windows\SysWOW64\cmd.exe
            "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\adagefe\fafkfhc
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2552
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic ComputerSystem get domain
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2868
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ping localhost & del /q /f "C:\Users\Admin\AppData\Local\Temp\1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381.exe"
          2⤵
          • Deletes itself
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:1528
          • C:\Windows\system32\PING.EXE
            ping localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3024

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\adagefe\dehekdh
        Filesize

        1KB

        MD5

        447be72251d34f1c28b7a895b62f45ae

        SHA1

        c86e243c596807ec66d23543d06899751ad206b6

        SHA256

        7103f6eab49cad09648dd10c07bcb3224fbbcffdcb5dfce46cae393ccc5eb4af

        SHA512

        488112e03477247872bd7e9ca86e2da61f13a76390f764b72908b2129d2a0f3ab9bf2379d358c25ff1272c96e2073b3678c1908a6d94e9b1fa2b3e0f5e631703

        Download Submit

      • C:\ProgramData\adagefe\fafkfhc
        Filesize

        54B

        MD5

        c8bbad190eaaa9755c8dfb1573984d81

        SHA1

        17ad91294403223fde66f687450545a2bad72af5

        SHA256

        7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

        SHA512

        05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

        Download Submit

      • C:\Users\Admin\AppData\Roaming\HfFHcFh
        Filesize

        32B

        MD5

        bf368fbb965829c82448e1fa701911a5

        SHA1

        02dc2a77f8d5c57b8cfa7a33805addc5b98b5f3f

        SHA256

        ca2ac9552a553b6344f6ae7d1dd2f8aac7b4d8a92ad6a828149ad9c2a5af0cf3

        SHA512

        ed44571a8b29a35a0fae219a503cbc0f2e3f1edc0827b10390319ea968336e0bb0c7f4dab89df9eb955a1891675e698c632e517050cc515c037c730a69df7d3b

        Download Submit

      • C:\temp\hcgafbe
        Filesize

        4B

        MD5

        55bfcae8a168976fd101b1e6b88dca33

        SHA1

        4eaecd28614a428d402d92dd8c4de8c2022af70e

        SHA256

        203df76a32827c0ce0edbfb1c756000f924e4b47797bed4bd2876edc348e5647

        SHA512

        20c68b6502283984611b7c4ebed55ad33bbd0f90bd1f9ee012b43246dafa6b6843fd463b7f4c20b4c1aec36fc684ad4532551fb1c3818c3bd5601dff1b9b3f62

        Download Submit

      • C:\temp\hcgafbe
        Filesize

        4B

        MD5

        db2a2cf25af38c01818b6a154e510b9d

        SHA1

        cb1034395324fb795da762ebd2bf98f6ccd71939

        SHA256

        313d63a0ece058a5d5aecc9719f9be93628625d2d61498e01212c822f8bca325

        SHA512

        d38c4e2df098545bd2dd252132a6a684dddee3ba91565cf9bbc96f693cf10728b2cd981e5ca373d2e9bc99d865017aff5663a7af2997c6f6134b0d3273a2b9d1

        Download Submit

      • C:\temp\kdahbeb
        Filesize

        4B

        MD5

        05f949a724d4faf9f5bfca45a9e43823

        SHA1

        9a47c5c48abb6f70ec77eaf041a80596ab1e9a9b

        SHA256

        abf403139cb82e654d179dd52fc4186d997cd6a82845d030edc10d339c9db909

        SHA512

        a9de5e9629d9db60fcb709aca97538c03dd82d0b2476aed98b0e54d08ef11e41e456495061064605f52f5e85917e901490d7e42df475fa3f6845a8ad5d830ffc

        Download Submit

      • C:\tes2\Autoit3.exe
        Filesize

        872KB

        MD5

        c56b5f0201a3b3de53e561fe76912bfd

        SHA1

        2a4062e10a5de813f5688221dbeb3f3ff33eb417

        SHA256

        237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

        SHA512

        195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

        Download Submit

      • \??\c:\tes2\mytes2.au3
        Filesize

        516KB

        MD5

        d91891cae02a24735853100a3511d74f

        SHA1

        4ace59e166ec0632fb3a6668b2d58ff809250ec2

        SHA256

        e2c3b31ee3615e2f39843d035f1990b94c12af1e42c34ce8e83c28b29c85567d

        SHA512

        ec41191df9451a5ebbae58a743cff8db87ea1dd0adf23d3cb5bb8853db5ffc3d819fbf096ca8ee1d0767e44490e804a9f58341ef49979138ef958ee7e6f12903

        Download Submit

      • memory/2076-9-0x0000000000B70000-0x0000000000F70000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2076-10-0x0000000002F10000-0x000000000328B000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2076-23-0x0000000002F10000-0x000000000328B000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/2504-6-0x00000000011F0000-0x00000000016E6000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/2504-0-0x00000000000E0000-0x00000000000E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3028-33-0x0000000002700000-0x0000000002EA2000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/3028-32-0x0000000002700000-0x0000000002EA2000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/3028-31-0x0000000002700000-0x0000000002EA2000-memory.dmp

        Filesize

        7.6MB

        Download