Analysis

  • max time kernel: 150s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 27-08-2024 16:54

General

  • Target: 1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381.exe
  • Size: 4.9MB
  • MD5: 9afafb511744b437365662e3647e8e76
  • SHA1: 883956c959701ea092515d2262e7f71248bbd08e
  • SHA256: 1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381
  • SHA512: 001010c095798369ea6338cb432f6dffa75f6badb6bd0d4f746a7d2d8c8740a9ab40b1de7ffc519538a312e46fb0621d81646db76b32a3d2aaa8d0283d856e03
  • SSDEEP: 49152:C4Y60gIBGEyn4GoXW6WJKjuFs3HSqgblLWgqf8NY:bY6pHNJJ08qb

Malware Config

Extracted

  • Family: darkgate
  • Botnet: rastaa
  • C2: 44-35-63-31.internalsakamai.net

Attributes

  • anti_analysis: false
  • anti_debug: false
  • anti_vm: false
  • c2_port: 80
  • check_disk: false
  • check_ram: false
  • check_xeon: false
  • crypter_au3: false
  • crypter_dll: false
  • crypter_raw_stub: false
  • internal_mutex: xKhQCrdc
  • minimum_disk: 100
  • minimum_ram: 4096
  • ping_interval: 6
  • rootkit: false
  • startup_persistence: true
  • username: rastaa

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

  • Detect DarkGate stealer 5 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
      PID:2696
      • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
        "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
        2⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:4128
    • C:\Windows\system32\taskhostw.exe
      taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
      1⤵
        PID:2776
        • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
          "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of WriteProcessMemory
          PID:3132
      • C:\Users\Admin\AppData\Local\Temp\1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381.exe
        "C:\Users\Admin\AppData\Local\Temp\1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381.exe"
        1⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1520
        • \??\c:\tes2\Autoit3.exe
          c:\tes2\Autoit3.exe c:\tes2\mytes2.au3
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4348
          • \??\c:\windows\SysWOW64\cmd.exe
            "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\khkffhb\fgaahfa
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4588
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic ComputerSystem get domain
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:4996
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ping localhost & del /q /f "C:\Users\Admin\AppData\Local\Temp\1bc06334849768ebbd7afff675e4e3196984d00c495395ddb9050c8c5f780381.exe"
          2⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:4452
          • C:\Windows\system32\PING.EXE
            ping localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4780

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\ProgramData\khkffhb\fbahhab
        Filesize: 1KB
        MD5: f7930ba185b9d126e3dcfeb9df51bce3
        SHA1: 05cd155630551e108348022a8dc23c95fff4f0dd
        SHA256: 3c76cfbb52c655a717668896e461429f095b6a4faaed3a9e8a2fe3f8bcf91c6e
        SHA512: 596025a54ff955eb6b725cf15a004d24ccdd03a724803a76ae0dde292679224d760249e6f779013810f5e70bf512f8b49dd81d633401ca1deb65dca703dd9f7d

      • C:\ProgramData\khkffhb\fgaahfa
        Filesize: 54B
        MD5: c8bbad190eaaa9755c8dfb1573984d81
        SHA1: 17ad91294403223fde66f687450545a2bad72af5
        SHA256: 7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac
        SHA512: 05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

      • C:\Users\Admin\AppData\Roaming\GdDBAHf
        Filesize: 32B
        MD5: bf4bfeb1586466a268ba43c6a8f2a180
        SHA1: 1fe8c6d7a32c7d44286b46d7ba249862c32ad7a2
        SHA256: 409718b143d12e76a320629a9c96620ca8ed8df05559c35dbd7d801fa06722c4
        SHA512: 00a1e4bfbda129e28680433996e843c92008055ec363264a171a1e71217eba8080849b5c8aba17d6ca42f7317132e33bb578dfdd95272eca6827c76747d29aa6

      • C:\temp\dfabdce
        Filesize: 4B
        MD5: e73d0cb088b9834f4d2bb91f857c5bc8
        SHA1: acff749c2bb32ff7ff21fb298f5ec9e5768aac79
        SHA256: 56a1a46ef6ab505d1f1114b4b780fa07098f1a655b86f2aeba7bbad5d87d824a
        SHA512: 7a3d4c98eda48932c4d4027c426bbaeb00f16998f625fad442ce896899267787b5b8b755c344334b18be5a6f354e1cd453626cadc77f3164ac36afae1d300e7b

      • C:\temp\dfabdce
        Filesize: 4B
        MD5: 44becbbdfcbb4e48a5226b0fe9b76a45
        SHA1: 6a433bb479582228a8a8672b04912815f1ae8a62
        SHA256: b23b87194d7a2e8ec1f04cdc2b97b2d8e23751020fa31a08f4db0d38d3dacf1f
        SHA512: 0339b3977976b7cd9cd1803a3650d08e8b0f438d866c9800ea357dd70db2c486beeceefc69f1b5fcf7d6ecb9ea6e25b02219b7df621fae5a94e8492dec1cd042

      • C:\temp\hffgcac
        Filesize: 4B
        MD5: b6027d7135d63698e9f48925f659a3b2
        SHA1: c1c926601bcae3c891d7b28bc0fabbf1846b4217
        SHA256: e32d494be83703f0d117bd2793e6ba47a1934f439ca29251b7d080580db0bd06
        SHA512: 7bf02040cf70fbda9e11ed85ceec21bbd3ba74b8bf5e37a6710e1eccd6ce5d5e9a05b827ad11c9ee5af7748ba7de091e4c130f46b72d3750df8eb642c519a3f9

      • C:\tes2\Autoit3.exe
        Filesize: 872KB
        MD5: c56b5f0201a3b3de53e561fe76912bfd
        SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
        SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
        SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      • \??\c:\tes2\mytes2.au3
        Filesize: 516KB
        MD5: d91891cae02a24735853100a3511d74f
        SHA1: 4ace59e166ec0632fb3a6668b2d58ff809250ec2
        SHA256: e2c3b31ee3615e2f39843d035f1990b94c12af1e42c34ce8e83c28b29c85567d
        SHA512: ec41191df9451a5ebbae58a743cff8db87ea1dd0adf23d3cb5bb8853db5ffc3d819fbf096ca8ee1d0767e44490e804a9f58341ef49979138ef958ee7e6f12903

      • memory/1520-6-0x00000000005D0000-0x0000000000AC6000-memory.dmp
        Filesize: 5.0MB

      • memory/1520-0-0x000001B33A150000-0x000001B33A151000-memory.dmp
        Filesize: 4KB

      • memory/3132-30-0x00000000030D0000-0x0000000003872000-memory.dmp
        Filesize: 7.6MB

      • memory/3132-32-0x00000000030D0000-0x0000000003872000-memory.dmp
        Filesize: 7.6MB

      • memory/3132-31-0x00000000030D0000-0x0000000003872000-memory.dmp
        Filesize: 7.6MB

      • memory/4348-9-0x0000000004780000-0x0000000004AFB000-memory.dmp
        Filesize: 3.5MB

      • memory/4348-8-0x0000000001740000-0x0000000001B40000-memory.dmp
        Filesize: 4.0MB

      • memory/4348-22-0x0000000004780000-0x0000000004AFB000-memory.dmp
        Filesize: 3.5MB