Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-10-2024 15:01

General

  • Target

    darkgate/0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be.exe

  • Size

    433KB

  • MD5

    ba837c850e492f4282bf5e34f30cefa8

  • SHA1

    4ae7d8909e58f82408b22187b1085465976b3eae

  • SHA256

    0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be

  • SHA512

    13b4a6044ac2d5b4a110431060abb5238778880097c6abc7e351b40ccc4e6dd2529114293fb10ef930d7d5b1ddc653f9faa0e9cc9e99c98f40d21663d416969d

  • SSDEEP

    12288:3Wy/dWy8VGJcix+d/WS8/Ruv0d5J/zW+hqxqnup/5:3p1p8V0x+d/WS8Hd/W+hqx+uJ5

Malware Config

Extracted

Family

darkgate

Version



C2

http://lampixx.hopto.org

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    61689

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    true

  • crypto_key

    raKqdORtLcYsWG

  • internal_mutex

    pIzEhw

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    20

  • rootkit

    true

  • startup_persistence

    true
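The extracted C2 (http://lampixx.hopto.org, c2_port 61689) together with ping_interval 20 gives a concrete hunt hypothesis for network logs: a host that contacts that name and port at a steady cadence of roughly 20 seconds. The script below is an added example, not code from the Triage report or from the DarkGate sample; the firewall log lines it parses are constructed, and the log format, the 25% jitter tolerance and the minimum of four contacts are assumptions chosen for illustration.

```python
# Added example (not part of the Triage report): flag source hosts that reach the
# extracted C2 host:port at a near-constant interval matching ping_interval.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

C2_HOST = "lampixx.hopto.org"   # from the extracted config
C2_PORT = 61689                 # from the extracted config (c2_port)
PING_INTERVAL = 20              # seconds, from the extracted config (ping_interval)
TOLERANCE = 0.25                # assumption: accept +/-25% jitter around the interval
MIN_BEACONS = 4                 # assumption: need at least this many contacts

# Constructed firewall/proxy log lines: "<iso-time> <src-ip> <dst-host> <dst-port>"
SAMPLE_LOG = """\
2024-10-23T15:01:05Z 10.0.0.7 lampixx.hopto.org 61689
2024-10-23T15:01:09Z 10.0.0.9 update.example.net 443
2024-10-23T15:01:25Z 10.0.0.7 lampixx.hopto.org 61689
2024-10-23T15:01:46Z 10.0.0.7 lampixx.hopto.org 61689
2024-10-23T15:02:05Z 10.0.0.7 lampixx.hopto.org 61689
2024-10-23T15:02:26Z 10.0.0.7 lampixx.hopto.org 61689
2024-10-23T15:02:30Z 10.0.0.9 lampixx.hopto.org 61689
"""


def parse_log(text):
    """Yield (timestamp, src_ip, dst_host, dst_port) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, port = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host, int(port)


def c2_contacts(text, host=C2_HOST, port=C2_PORT):
    """Group timestamps of contacts to the C2 host:port by source IP."""
    by_src = defaultdict(list)
    for ts, src, h, p in parse_log(text):
        if h == host and p == port:
            by_src[src].append(ts)
    return by_src


def beaconing_sources(text, interval=PING_INTERVAL, tol=TOLERANCE, min_beacons=MIN_BEACONS):
    """Return {src_ip: (contact_count, mean_gap_seconds)} for sources whose
    inter-contact gaps cluster tightly around the configured interval."""
    hits = {}
    for src, stamps in c2_contacts(text).items():
        if len(stamps) < min_beacons:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Both the mean and the spread must sit within the tolerance window.
        if abs(avg - interval) <= tol * interval and pstdev(gaps) <= tol * interval:
            hits[src] = (len(stamps), avg)
    return hits


if __name__ == "__main__":
    for src, (n, avg) in beaconing_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} contacts to {C2_HOST}:{C2_PORT}, mean gap {avg:.1f}s")
```

Because hopto.org is a dynamic-DNS service, matching on the resolved IP alone is unreliable; the check keys on the host name and the non-standard port, and the single contact from 10.0.0.9 in the sample is not reported because it never reaches the minimum contact count.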

Signatures

  • DarkGate

    DarkGate is a loader with infostealer and remote-access capabilities, written in Delphi.

  • Detect DarkGate stealer 12 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\darkgate\0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be.exe
    "C:\Users\Admin\AppData\Local\Temp\darkgate\0e5f17f2697aea5447d90d79a827a72610238355bb29f0d7b27012d4e8a3c3be.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:212
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      2⤵
      • Drops startup file
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:4956

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\adkecde\caghage\bcdhfkf

    Filesize

    176B

    MD5

    3ce42e93adeefdd0dda1ddfe79505852

    SHA1

    17807c2061741c4698fcb3ef124a476d669451b1

    SHA256

    16125e0a133f319893866e0b76cae8ef96d3a53ea8e8d975a8f796fbeb7271f4

    SHA512

    fb9a13e31da371c3802022be374fd3b4ce0357c470b5d33ba81212a5ff63afbeb40db03c779e9cbf22cfcaf9c865338f0819845ecc9fd83b75d8d2607c34cc36

  • C:\Users\Admin\AppData\Local\Temp\kdchefa

    Filesize

    148B

    MD5

    a7bb562f444cfdf945cc17b441e1c4a0

    SHA1

    5f46e69dae1575f685fc9c5bc2324320af6f5ba7

    SHA256

    2f4f23dfbe7e75eae1f49b0ec5581806b89e9d74a18e6e18e0a7979b2d76d0ea

    SHA512

    8e054498f9535dfd9516ef8ab41a841963aefc226d6e79d7e66bbf12070d6da078d69641549164c8f96ecd539ce645a18a36a0457bfcdb694b436975826dc3ea

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kdchefa.lnk

    Filesize

    863B

    MD5

    2a1f0eb2bdb2da04d6a41303cc6d8433

    SHA1

    3431169a7f3d9939f4280df95503be369eb26e44

    SHA256

    9ecca9d0014963726fe2a79933f050bbf3c2e17da8064d2873a012001af7a634

    SHA512

    f5c898d383a29956a4937415512442228513d7e381e67d334bf34f6044fb06dfcc774d6660ae3bc444393efeea4596a48feb086d784710b03193b57e037a2855

  • memory/212-2-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/4956-7-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/4956-5-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/4956-1-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/4956-12-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/4956-13-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/4956-11-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/4956-16-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/4956-14-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/4956-3-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/4956-23-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

  • memory/4956-4-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB
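The dropped-file table above shows the persistence pattern for this sample: a shortcut in the user's Startup folder (kdchefa.lnk) whose base name matches an extensionless file in %LOCALAPPDATA%\Temp (kdchefa), plus a further drop under a randomly named C:\ProgramData subtree. The script below is an added example, not code from the Triage report or from DarkGate; it builds a throwaway profile layout with constructed file contents (which therefore never match the report's real hashes), pairs Startup shortcuts with same-named Temp files, and checks every file against the SHA256 values copied from the table.

```python
# Added example (not part of the Triage report): hunt for the persistence
# artifacts listed in the dropped-file table. Directory tree and contents are
# constructed; the SHA256 values are the ones reported for the sample.
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 values from the report's dropped-file table, with a short label each.
REPORT_SHA256 = {
    "16125e0a133f319893866e0b76cae8ef96d3a53ea8e8d975a8f796fbeb7271f4": "ProgramData drop",
    "2f4f23dfbe7e75eae1f49b0ec5581806b89e9d74a18e6e18e0a7979b2d76d0ea": "Temp stage",
    "9ecca9d0014963726fe2a79933f050bbf3c2e17da8064d2873a012001af7a634": "Startup .lnk",
}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_hits(root, known=REPORT_SHA256):
    """Walk root and return [(path, label)] for files whose SHA256 is in the table."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            digest = sha256_file(p)
            if digest in known:
                hits.append((str(p), known[digest]))
    return hits


def startup_lnk_pairs(startup_dir, temp_dir):
    """Return [(lnk_name, stage_path)] for Startup shortcuts that have a
    same-named extensionless file in the Temp directory, as in the report."""
    startup_dir, temp_dir = Path(startup_dir), Path(temp_dir)
    pairs = []
    for lnk in startup_dir.glob("*.lnk"):
        stage = temp_dir / lnk.stem
        if stage.is_file():
            pairs.append((lnk.name, str(stage)))
    return pairs


def build_constructed_profile():
    """Create a throwaway user-profile layout mirroring the report's paths.
    File contents are constructed placeholders, not the real dropped files."""
    root = Path(tempfile.mkdtemp(prefix="dg_"))
    startup = root / "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    temp = root / "AppData/Local/Temp"
    startup.mkdir(parents=True)
    temp.mkdir(parents=True)
    (startup / "kdchefa.lnk").write_bytes(b"L\x00\x00\x00constructed-shortcut")
    (temp / "kdchefa").write_bytes(b"constructed-stage")
    (startup / "OneDrive.lnk").write_bytes(b"L\x00\x00\x00benign-shortcut")
    return root, startup, temp


if __name__ == "__main__":
    root, startup, temp = build_constructed_profile()
    print("startup/temp pairs:", startup_lnk_pairs(startup, temp))
    print("hash hits:", hash_hits(root))
```

On a real host, point startup_lnk_pairs at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and %LOCALAPPDATA%\Temp; the hash check is only conclusive for this exact build, while the shortcut-to-Temp pairing catches rebuilt samples that reuse the same persistence layout under new names.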