Analysis

  • max time kernel
    149s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-10-2024 15:01

General

  • Target

    darkgate/0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be.exe

  • Size

    433KB

  • MD5

    ba837c850e492f4282bf5e34f30cefa8

  • SHA1

    4ae7d8909e58f82408b22187b1085465976b3eae

  • SHA256

    0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be

  • SHA512

    13b4a6044ac2d5b4a110431060abb5238778880097c6abc7e351b40ccc4e6dd2529114293fb10ef930d7d5b1ddc653f9faa0e9cc9e99c98f40d21663d416969d

  • SSDEEP

    12288:3Wy/dWy8VGJcix+d/WS8/Ruv0d5J/zW+hqxqnup/5:3p1p8V0x+d/WS8Hd/W+hqx+uJ5

Malware Config

Extracted

Family

darkgate

Version



C2

http://lampixx.hopto.org

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    61689

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    true

  • crypto_key

    raKqdORtLcYsWG

  • internal_mutex

    pIzEhw

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    20

  • rootkit

    true

  • startup_persistence

    true

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

  • Detect DarkGate stealer 12 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\darkgate\0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be.exe
    "C:\Users\Admin\AppData\Local\Temp\darkgate\0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be.exe"
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      • Drops startup file
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1996

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\bcfgkda\aaakdcb\dhcaaga

    Filesize

    176B

    MD5

    b4478db48ca5ab372e908580143f9060

    SHA1

    9e313b7e44619ae063c34657551dd691cc774f48

    SHA256

    ef61dd3a10f46ee2dce84c4b6ad1e4ead467a0bc8858720f4583f428cd5fc8c7

    SHA512

    8ce940bec961ca959adfd2ed2d90a8f479e6c15049e2fdc3628de1446ffc59b9dcbbda429dcb7ccb92814d05175a682ea21d0aa08de67de097f869e0b5947a9e

  • C:\Users\Admin\AppData\Local\Temp\ebaeabg

    Filesize

    148B

    MD5

    a7bb562f444cfdf945cc17b441e1c4a0

    SHA1

    5f46e69dae1575f685fc9c5bc2324320af6f5ba7

    SHA256

    2f4f23dfbe7e75eae1f49b0ec5581806b89e9d74a18e6e18e0a7979b2d76d0ea

    SHA512

    8e054498f9535dfd9516ef8ab41a841963aefc226d6e79d7e66bbf12070d6da078d69641549164c8f96ecd539ce645a18a36a0457bfcdb694b436975826dc3ea

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ebaeabg.lnk

    Filesize

    891B

    MD5

    278242ad6c5a8709f8e7600b4a6ed266

    SHA1

    014c64bd08c79853ffc7a12a157ef2e8c403b848

    SHA256

    a767a53897b24899be62f3df6bcb59ff95d0d2fe449a94209257f2d280871f20

    SHA512

    c9e4249a95e7e08360859182bba62af96684b4a60b2438735397fb75ba48ed897f90ba1e6b6f81f35dc505a358ee40a69e7c8e20e72bec3efa2a1dcf326f218b

  • memory/1996-7-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/1996-3-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/1996-5-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/1996-1-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/1996-12-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/1996-14-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/1996-16-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/1996-13-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/1996-11-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/1996-4-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/1996-23-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/2548-2-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB