darkgate | 878dac750a0717184095b18885aab76da813c897482ea10154393988d122855b | Triage

Submit
Reports

Overview

overview

Static

static

3

dr_drop_L_...em.exe

windows10-2004-x64

Sharing

General

Target

dr_drop_L_Cryp_Mem.exe
Size

6.7MB
Sample

241118-ejmzysxnds
MD5

d9ec1112453f05e7aedc4219abb7d032
SHA1

f5444e58f9c9d6381443c1157f9fe0c1bfb36cbe
SHA256

878dac750a0717184095b18885aab76da813c897482ea10154393988d122855b
SHA512

98921f0a2ca4fb381552c2ac25ca291219419875782464b5a93a8c943b484a11a0d6f5007460a5f0977e0449688c135e66e75baf970fda1b0d6dac0167a3e86d
SSDEEP

196608:OkJzG+AC+tJsqYcqE4kSyJAiz3wDRt1BHEg:ieRzRXdE

Score

10^/10

darkgate derry discovery execution persistence stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

dr_drop_L_Cryp_Mem.exe

Resource

win10v2004-20241007-en

darkgate derry discovery execution persistence stealer

windows10-2004-x64

25 signatures

1200 seconds

Malware Config

Extracted

Family

darkgate

Botnet

Derry

C2

164.132.5.124

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
1111
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
wfQGmVbK
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
Derry

Targets

- Target
  
  dr_drop_L_Cryp_Mem.exe
- Size
  
  6.7MB
- MD5
  
  d9ec1112453f05e7aedc4219abb7d032
- SHA1
  
  f5444e58f9c9d6381443c1157f9fe0c1bfb36cbe
- SHA256
  
  878dac750a0717184095b18885aab76da813c897482ea10154393988d122855b
- SHA512
  
  98921f0a2ca4fb381552c2ac25ca291219419875782464b5a93a8c943b484a11a0d6f5007460a5f0977e0449688c135e66e75baf970fda1b0d6dac0167a3e86d
- SSDEEP
  
  196608:OkJzG+AC+tJsqYcqE4kSyJAiz3wDRt1BHEg:ieRzRXdE
Score

10^/10

darkgate derry discovery execution persistence stealer
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- Darkgate family
  darkgate
- Detect DarkGate stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Command and Scripting Interpreter: AutoIT
  Using AutoIT for possible automate script.
  execution
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

AutoHotKey & AutoIT

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

darkgatederrydiscoveryexecutionpersistencestealer

© 2018-2024

Terms | Privacy