Analysis
  max time kernel: 142s
  max time network: 143s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 18-11-2024 17:49
Behavioral task behavioral1
  Sample: 2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe
  Resource: win7-20240903-en

Behavioral task behavioral2
  Sample: 2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe
  Resource: win10v2004-20241007-en
General
  Target: 2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe
  Size: 10.0MB
  MD5: 1769ef9c9da2556b99ee5c51f66e1d9a
  SHA1: 61bf3dd05caa5d5158f7f98a6ad68288509f97e2
  SHA256: 91a4dc993902fd0a8156e54ea8a14d40ad59e432e66d99d952af68b9b28f4cbf
  SHA512: ad75ba8e043f526d23632e2641c1e41c06b87ab267352e9008c11942638c8f7af1e46242078eb34df754edde3bce3d39b7bdb9d32e3aa82c883ea4757976d6f0
  SSDEEP: 98304:qnsmtk2aQruq22y9z+FtMDxV2x0pfjzLESCfmgz4oOsfUgsb5CFx8QzYHWt9Frs3:kLr+q6pf/A5SiUg5xhT10cRKr45kb
Malware Config
Extracted
  Family: xred
  xred.mooo.com
  payload_url:
    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
    http://xred.site50.net/syn/SUpdate.ini
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
    http://xred.site50.net/syn/Synaptics.rar
    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
    http://xred.site50.net/syn/SSLLibrary.dll
Signatures

Xred family

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  Synaptics.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  ._cache_2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe

Credentials from Password Stores: Windows Credential Manager (1 TTPs)
Suspicious access to Credentials History.

Executes dropped EXE (3 IoCs)
  PID 4336  ._cache_2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe
  PID 4892  Synaptics.exe
  PID 4508  ._cache_Synaptics.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"  2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  ._cache_2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification  \??\PhysicalDrive0  ._cache_2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Synaptics.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_Synaptics.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  EXCEL.EXE

Modifies Internet Explorer settings
  Key created  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  ._cache_2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\pcmaster.exe = "11000"  ._cache_2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe
  Key created  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING  ._cache_2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\pcmaster.exe = "1"  ._cache_2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe

Modifies registry class (5 IoCs)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Logon Master  ._cache_2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell  ._cache_2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\Logon Master  ._cache_2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  Synaptics.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  PID 1788  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 4336  ._cache_2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe  (8 occurrences)

Suspicious use of FindShellTrayWindow (1 IoCs)
  PID 4336  ._cache_2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe

Suspicious use of SendNotifyMessage (1 IoCs)
  PID 4336  ._cache_2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
  PID 4336  ._cache_2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe  (4 occurrences)
  PID 1788  EXCEL.EXE  (6 occurrences)

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3456 (2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe) wrote to memory of PID 4336, procid_target 86  (3 occurrences)
  PID 3456 (2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe) wrote to memory of PID 4892, procid_target 87  (3 occurrences)
  PID 4892 (Synaptics.exe) wrote to memory of PID 4508, procid_target 88  (3 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe  (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe"
  PID: 3456
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\._cache_2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe  (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe"
    PID: 4336
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

  C:\ProgramData\Synaptics\Synaptics.exe  (level 2)
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    PID: 4892
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe  (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      PID: 4508
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE  (level 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 1788
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (2)
    Credentials from Web Browsers (1)
    Windows Credential Manager (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

  Filesize: 10.0MB
  MD5: 1769ef9c9da2556b99ee5c51f66e1d9a
  SHA1: 61bf3dd05caa5d5158f7f98a6ad68288509f97e2
  SHA256: 91a4dc993902fd0a8156e54ea8a14d40ad59e432e66d99d952af68b9b28f4cbf
  SHA512: ad75ba8e043f526d23632e2641c1e41c06b87ab267352e9008c11942638c8f7af1e46242078eb34df754edde3bce3d39b7bdb9d32e3aa82c883ea4757976d6f0

C:\Users\Admin\AppData\Local\Temp\._cache_2024-11-18_1769ef9c9da2556b99ee5c51f66e1d9a_darkgate_luca-stealer_magniber.exe
  Filesize: 9.2MB
  MD5: eec9b97f68ea832cc826a16baa541ea6
  SHA1: dbedadec7c339183c180ce2b533d76e54ade63c3
  SHA256: 30453a38db5854c9a041330d145bbd4d9dac60bf2ca2440700cce75b307f28f0
  SHA512: 60ef16f1d7db6e9147cf40536ef32a78419f63751bf3ddd243485c6f651c9ff4389eabd353bcd728d94cb29ae0868c2305cbd42d629ef53669d838f6a6e874c2

  Filesize: 25KB
  MD5: 10e67e30533366f3d7e2dc9f31ed73d7
  SHA1: 19cffb61769154f6df4ca46308eb5210fe6ca33d
  SHA256: d21146f7120529b74a819b4f08134bd2c8fb7f37644c6efc62922b4cc2a60d5e
  SHA512: cd2e58d2a390f8c6e617fc0b8fcb9d7847081ae8a1ebe62014403a1fbda6e9c03abb9a662e25ea763e0c03dbc54670086874237d043af3814b58f126c3e58019

  Filesize: 17KB
  MD5: e566fc53051035e1e6fd0ed1823de0f9
  SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
  SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
  SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04