darkgate | 0d259358cc6c6d195424b2d188a1a8ecb5564ce1d51e8f7a9fc3ebc187eafefc | Triage

Sharing

General

Target

19888b7fe000d86bc63cf6a75a1e4c69.bin
Size

2.5MB
Sample

241117-bc8fjaxfpd
MD5

28766e6691d7abf80a287728d12f0b57
SHA1

bfaec031023547652574cca6fc22aacbf83baaed
SHA256

0d259358cc6c6d195424b2d188a1a8ecb5564ce1d51e8f7a9fc3ebc187eafefc
SHA512

96b0cf514072d6e3ee782515676d8495d4d944e2113e54aa8ac2d0cca8a7c951f1f946d9e6b691ad6e3c16c8ceef663372d7863614f6e2926745fcfd7af323e5
SSDEEP

49152:kyoi8FpSzU4p+6+XxF6e+uoN2jVK8Qip98C694V2ER0/x23osEJEJGXl3Y4zig8C:k9i8FUNpP+Xxlfdjc8Qip9K94ngxA70v

Score

10^/10

darkgate derry discovery execution persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

Derry

C2

164.132.5.124

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
1111
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
KfrfRZvc
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
Derry

Targets

- Target
  
  cc5c482229f5b9d1c88f6ff68abb7461de259749f6230932654bb5aaa3fddd88.exe
- Size
  
  4.7MB
- MD5
  
  19888b7fe000d86bc63cf6a75a1e4c69
- SHA1
  
  05ca780f0ba02d7b13d969560f02621ec94ff6cb
- SHA256
  
  cc5c482229f5b9d1c88f6ff68abb7461de259749f6230932654bb5aaa3fddd88
- SHA512
  
  06fadf1e5a002c6603f46206086b3b439ae912ae4c0cbf47289a018f544f7f174347e5d70eb759dd54fee564c4e1d224d3b71f516517fe0395a43553779ceb41
- SSDEEP
  
  98304:p7kJzG+ACjCweJ43Nw8OYVW5UcH4kSymFQ/wtj+r:ZkJzG+AC+tJsqYcqE4kSymFzx+r
Score

10^/10

discovery darkgate derry execution persistence stealer
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- Darkgate family
  darkgate
- Detect DarkGate stealer
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: AutoIT
  Using AutoIT for possible automate script.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

AutoHotKey & AutoIT

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

darkgatederrydiscoveryexecutionpersistencestealer