Overview

overview

10

Static

static

1

2024-12-04...er.exe

windows7-x64

10

2024-12-04...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-12-2024 15:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-12-04_bedc3ce52514ed4a3ac79e5b27a7b416_avoslocker_hijackloader_luca-stealer.exe

  • Size

    2.2MB

  • MD5

    bedc3ce52514ed4a3ac79e5b27a7b416

  • SHA1

    c2f9df1466d8825fc7c4603c6570fab91b456a5c

  • SHA256

    aa3eea04ceaac6970579df2e8e3d344ee2f1ab423e1a55ed2293d25ec07df199

  • SHA512

    3d9386d155113727a9514a06a01f1c4b871a4101df24b58dfa923e5e93939c6f08eef10642e202366c70f6ce24f4848fd6f01089a202a7db438fe75579c24fb8

  • SSDEEP

    49152:Yks+4C6efeN0UVBj9Cc/rENUwwiw4jm59J92mbd4H57+dIxEZVKzr7K:ynmoBG+92mbOH5zKn

Score
10/10
darkgatedrk3discoveryexecutionpersistencestealer

Malware Config

Extracted

Family

darkgate

Botnet

drk3

C2

todayput.shop

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    81

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    RpFDfbzg

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    drk3

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Darkgate family
    darkgate
  • Detect DarkGate stealer 11 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Using AutoIT for possible automate script.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1064
      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        2⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2936
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1176
        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of WriteProcessMemory
          PID:2380
      • C:\Users\Admin\AppData\Local\Temp\2024-12-04_bedc3ce52514ed4a3ac79e5b27a7b416_avoslocker_hijackloader_luca-stealer.exe
        "C:\Users\Admin\AppData\Local\Temp\2024-12-04_bedc3ce52514ed4a3ac79e5b27a7b416_avoslocker_hijackloader_luca-stealer.exe"
        1⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2596
        • \??\c:\temp\test\Autoit3.exe
          "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Command and Scripting Interpreter: AutoIT
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2100
          • \??\c:\windows\SysWOW64\cmd.exe
            "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\hhaefcb\kefbdkh
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2924
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic ComputerSystem get domain
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:272

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\hhaefcb\gccdgeg
        Filesize

        1KB

        MD5

        44afa5d5c6bc60379bddca2deedbaa97

        SHA1

        da213373a44a3cbbf855d1517b7f62302cf0dffb

        SHA256

        0d98ca66074a9371ea8726af4c565b8b8b31c174b4ccd2bed40a17537714a906

        SHA512

        b50689be5ebaad6fec16bd44507eb22c17dbcbdf7d71260993bf12aa0d7dd834f5a0b8d824320a811709407179f6b6d27160c13e28ecec9ea21f3f42a422e24f

        Download Submit

      • C:\ProgramData\hhaefcb\kefbdkh
        Filesize

        54B

        MD5

        c8bbad190eaaa9755c8dfb1573984d81

        SHA1

        17ad91294403223fde66f687450545a2bad72af5

        SHA256

        7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

        SHA512

        05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

        Download Submit

      • C:\Users\Admin\AppData\Roaming\GDCCEeb
        Filesize

        32B

        MD5

        c4681928705285abcd8ec50bb2fcac58

        SHA1

        ae29e4ef0f639b0256207524c8fba7e702de9190

        SHA256

        b1b8122cc8ba8abd775c7d4891996624d25076a2a998dc8c38957d93df3da67d

        SHA512

        812556c57786b5837fb36e369d248008fc4abb79a3abc906d501629eaeac4d56fece4fbbfe61978dedc77d579b5f93496f6668a0c8267f788fc5f08c0d2b82b6

        Download Submit

      • C:\temp\efahced
        Filesize

        4B

        MD5

        d450918cbf7b93b2291769622522faf7

        SHA1

        67dce69993425e0a219c7a79d5a34346ba204964

        SHA256

        b0bca69e99cd47f2d96035f6ddeb34a595fdd2837035c148df920b4c7ddedd81

        SHA512

        c0bfcae373eb1a5e18c67f14b49af50f5c1f8c35f4273c42e8f1ee8cf41650c1eb52e3b8f07a6fd61deb9464b72ab5ea3d9e5bf2e1158b98abd2e61314fdd144

        Download Submit

      • C:\temp\eggfgdd
        Filesize

        4B

        MD5

        5484860ab3a219f76632eea0131a971a

        SHA1

        459891c3d903208bc778b76f309784e50a8e4e32

        SHA256

        1bbd348418e4db5a454b16563d6e62537f2482af2bf01d1ce41303db9b162129

        SHA512

        afbbf857080a974a6a414a228b6d591f7d1a74541e8b6f5099d6427a08dd916d05ba6631aeca4ca96563d73c78e31073af5c8ba08d9cc6b8d04b5f7632b92a97

        Download Submit

      • C:\temp\eggfgdd
        Filesize

        4B

        MD5

        6894b033753fc4c9de798a4d80384048

        SHA1

        c767050963276c6ad791a3ab872eb34d670a761a

        SHA256

        adfd4927347ddab24412245d2a06afe3dca8942761261e55b1466d336a094ac6

        SHA512

        0bcd9eb5d21b5150b44da84fbb43b875d18b461a5dacdfb945449877413e240c90996c609deaa506617b0da70a7340a516895f3a221871398cfed188eb31f6bb

        Download Submit

      • \??\c:\temp\test\script.a3x
        Filesize

        583KB

        MD5

        88775a72836fe774935bc385593b97fb

        SHA1

        92c1273bab1554bac2b1fa8a97fe15b07df05800

        SHA256

        0a997520972c7d8d6307b9f61994176861deda21d0add170860831c554b54842

        SHA512

        18a882a0ff4718928be1076b31483bfe137df9378ef12dd885ad9e78b7e228d52b4f9ea984dbc253f588ad20b7fd40e2ce61250008956bc9f18892be234376bd

        Download Submit

      • \temp\test\Autoit3.exe
        Filesize

        872KB

        MD5

        c56b5f0201a3b3de53e561fe76912bfd

        SHA1

        2a4062e10a5de813f5688221dbeb3f3ff33eb417

        SHA256

        237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

        SHA512

        195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

        Download Submit

      • memory/2100-25-0x00000000030B0000-0x0000000003405000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2100-12-0x00000000030B0000-0x0000000003405000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2100-11-0x0000000000930000-0x0000000000D30000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2380-34-0x0000000001D40000-0x00000000024E2000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/2380-28-0x0000000001D40000-0x00000000024E2000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/2380-24-0x0000000001D40000-0x00000000024E2000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/2380-35-0x0000000001D40000-0x00000000024E2000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/2380-36-0x0000000001D40000-0x00000000024E2000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/2380-37-0x0000000001D40000-0x00000000024E2000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/2380-38-0x0000000001D40000-0x00000000024E2000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/2380-40-0x0000000001D40000-0x00000000024E2000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/2596-1-0x0000000002100000-0x000000000227C000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2596-7-0x0000000002100000-0x000000000227C000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2936-39-0x0000000001D40000-0x00000000024E2000-memory.dmp

        Filesize

        7.6MB

        Download