Overview

overview

10

Static

static

10

payload.exe

windows7-x64

10

payload.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17-10-2024 16:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    payload.exe

  • Size

    397KB

  • MD5

    16733d2085f03bab36d59c7ec504adf3

  • SHA1

    056c766b437815db98dc8a2e606e4b4c17c821a2

  • SHA256

    181e177817e681d7811673ec4deb06991d278afcde1ecf95194d05d6bfa5f49f

  • SHA512

    e60f7ba5c86d39a2cbf9c1cb2db60fff566790d983273f30a39bb386d2de48040a040a3b5a717fe1571bea3a3f5923331f32d510d0c96bdaebe96b9a9f25d5c7

  • SSDEEP

    6144:4gfzONv8tSLeCbKhVBIlKJXPrAbjfiUToabIObgNCF2Bs5fR/gMaPE4ya8A8:zzWleCbKhVB6KfWRbqJBs//gz8

Score
10/10
darkgatesilhouettes1discoverystealer

Malware Config

Extracted

Family

darkgate

Botnet

Silhouettes1

C2

nuxdom.lat

Attributes
  • anti_analysis

    true

  • anti_debug

    false

  • anti_vm

    true

  • c2_port

    6280

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    fzYjHvpH

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    Silhouettes1

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\payload.exe
    "C:\Users\Admin\AppData\Local\Temp\payload.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2924
    • \??\c:\windows\SysWOW64\cmd.exe
      "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\egcahef\cgehfce
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic ComputerSystem get domain
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2712

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\egcahef\cgehfce
    Filesize

    54B

    MD5

    c8bbad190eaaa9755c8dfb1573984d81

    SHA1

    17ad91294403223fde66f687450545a2bad72af5

    SHA256

    7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

    SHA512

    05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

    Download Submit

  • memory/2924-3-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download