darkgate | aa3eea04ceaac6970579df2e8e3d344ee2f1ab423e1a55ed2293d25ec07df199

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-04_bedc3ce52514ed4a3ac79e5b27a7b416_avoslocker_hijackloader_luca-stealer.exe
Size

2.2MB
MD5

bedc3ce52514ed4a3ac79e5b27a7b416
SHA1

c2f9df1466d8825fc7c4603c6570fab91b456a5c
SHA256

aa3eea04ceaac6970579df2e8e3d344ee2f1ab423e1a55ed2293d25ec07df199
SHA512

3d9386d155113727a9514a06a01f1c4b871a4101df24b58dfa923e5e93939c6f08eef10642e202366c70f6ce24f4848fd6f01089a202a7db438fe75579c24fb8
SSDEEP

49152:Yks+4C6efeN0UVBj9Cc/rENUwwiw4jm59J92mbd4H57+dIxEZVKzr7K:ynmoBG+92mbOH5zKn

Score

10^/10

darkgate drk3 discovery execution persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

drk3

todayput.shop

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
81
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
RpFDfbzg
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
drk3

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 11 IoCs

resource	yara_rule
behavioral2/memory/1244-9-0x00000000041A0000-0x00000000044F5000-memory.dmp	family_darkgate_v6
behavioral2/memory/3060-22-0x0000000002380000-0x0000000002B22000-memory.dmp	family_darkgate_v6
behavioral2/memory/1244-23-0x00000000041A0000-0x00000000044F5000-memory.dmp	family_darkgate_v6
behavioral2/memory/3060-26-0x0000000002380000-0x0000000002B22000-memory.dmp	family_darkgate_v6
behavioral2/memory/3060-33-0x0000000002380000-0x0000000002B22000-memory.dmp	family_darkgate_v6
behavioral2/memory/3060-34-0x0000000002380000-0x0000000002B22000-memory.dmp	family_darkgate_v6
behavioral2/memory/3060-36-0x0000000002380000-0x0000000002B22000-memory.dmp	family_darkgate_v6
behavioral2/memory/3060-35-0x0000000002380000-0x0000000002B22000-memory.dmp	family_darkgate_v6
behavioral2/memory/3060-32-0x0000000002380000-0x0000000002B22000-memory.dmp	family_darkgate_v6
behavioral2/memory/2784-37-0x0000000002A30000-0x00000000031D2000-memory.dmp	family_darkgate_v6
behavioral2/memory/3060-38-0x0000000002380000-0x0000000002B22000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1244 created 2488	1244	Autoit3.exe	42
PID 3060 created 3992	3060	GoogleUpdateCore.exe	60

Executes dropped EXE 1 IoCs

pid	Process
1244	Autoit3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcackaf = "\"C:\\ProgramData\\cdghdeb\\Autoit3.exe\" C:\\ProgramData\\cdghdeb\\bkchchg.a3x"	GoogleUpdateCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcackaf = "\"C:\\ProgramData\\cdghdeb\\Autoit3.exe\" C:\\ProgramData\\cdghdeb\\bkchchg.a3x"	GoogleUpdateCore.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
1244	Autoit3.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-04_bedc3ce52514ed4a3ac79e5b27a7b416_avoslocker_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1244	Autoit3.exe
1244	Autoit3.exe
1244	Autoit3.exe
1244	Autoit3.exe
3060	GoogleUpdateCore.exe
3060	GoogleUpdateCore.exe
3060	GoogleUpdateCore.exe
3060	GoogleUpdateCore.exe
2784	GoogleUpdateCore.exe
2784	GoogleUpdateCore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3060	GoogleUpdateCore.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2588	WMIC.exe
Token: SeSecurityPrivilege	2588	WMIC.exe
Token: SeTakeOwnershipPrivilege	2588	WMIC.exe
Token: SeLoadDriverPrivilege	2588	WMIC.exe
Token: SeSystemProfilePrivilege	2588	WMIC.exe
Token: SeSystemtimePrivilege	2588	WMIC.exe
Token: SeProfSingleProcessPrivilege	2588	WMIC.exe
Token: SeIncBasePriorityPrivilege	2588	WMIC.exe
Token: SeCreatePagefilePrivilege	2588	WMIC.exe
Token: SeBackupPrivilege	2588	WMIC.exe
Token: SeRestorePrivilege	2588	WMIC.exe
Token: SeShutdownPrivilege	2588	WMIC.exe
Token: SeDebugPrivilege	2588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2588	WMIC.exe
Token: SeRemoteShutdownPrivilege	2588	WMIC.exe
Token: SeUndockPrivilege	2588	WMIC.exe
Token: SeManageVolumePrivilege	2588	WMIC.exe
Token: 33	2588	WMIC.exe
Token: 34	2588	WMIC.exe
Token: 35	2588	WMIC.exe
Token: 36	2588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2588	WMIC.exe
Token: SeSecurityPrivilege	2588	WMIC.exe
Token: SeTakeOwnershipPrivilege	2588	WMIC.exe
Token: SeLoadDriverPrivilege	2588	WMIC.exe
Token: SeSystemProfilePrivilege	2588	WMIC.exe
Token: SeSystemtimePrivilege	2588	WMIC.exe
Token: SeProfSingleProcessPrivilege	2588	WMIC.exe
Token: SeIncBasePriorityPrivilege	2588	WMIC.exe
Token: SeCreatePagefilePrivilege	2588	WMIC.exe
Token: SeBackupPrivilege	2588	WMIC.exe
Token: SeRestorePrivilege	2588	WMIC.exe
Token: SeShutdownPrivilege	2588	WMIC.exe
Token: SeDebugPrivilege	2588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2588	WMIC.exe
Token: SeRemoteShutdownPrivilege	2588	WMIC.exe
Token: SeUndockPrivilege	2588	WMIC.exe
Token: SeManageVolumePrivilege	2588	WMIC.exe
Token: 33	2588	WMIC.exe
Token: 34	2588	WMIC.exe
Token: 35	2588	WMIC.exe
Token: 36	2588	WMIC.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1244	5072	2024-12-04_bedc3ce52514ed4a3ac79e5b27a7b416_avoslocker_hijackloader_luca-stealer.exe	86
PID 5072 wrote to memory of 1244	5072	2024-12-04_bedc3ce52514ed4a3ac79e5b27a7b416_avoslocker_hijackloader_luca-stealer.exe	86
PID 5072 wrote to memory of 1244	5072	2024-12-04_bedc3ce52514ed4a3ac79e5b27a7b416_avoslocker_hijackloader_luca-stealer.exe	86
PID 1244 wrote to memory of 2896	1244	Autoit3.exe	91
PID 1244 wrote to memory of 2896	1244	Autoit3.exe	91
PID 1244 wrote to memory of 2896	1244	Autoit3.exe	91
PID 2896 wrote to memory of 2588	2896	cmd.exe	93
PID 2896 wrote to memory of 2588	2896	cmd.exe	93
PID 2896 wrote to memory of 2588	2896	cmd.exe	93
PID 1244 wrote to memory of 3060	1244	Autoit3.exe	96
PID 1244 wrote to memory of 3060	1244	Autoit3.exe	96
PID 1244 wrote to memory of 3060	1244	Autoit3.exe	96
PID 1244 wrote to memory of 3060	1244	Autoit3.exe	96
PID 3060 wrote to memory of 2784	3060	GoogleUpdateCore.exe	97
PID 3060 wrote to memory of 2784	3060	GoogleUpdateCore.exe	97
PID 3060 wrote to memory of 2784	3060	GoogleUpdateCore.exe	97
PID 3060 wrote to memory of 2784	3060	GoogleUpdateCore.exe	97

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2488
- C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3060

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3992
- C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2784

C:\Users\Admin\AppData\Local\Temp\2024-12-04_bedc3ce52514ed4a3ac79e5b27a7b416_avoslocker_hijackloader_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-04_bedc3ce52514ed4a3ac79e5b27a7b416_avoslocker_hijackloader_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5072
- \??\c:\temp\test\Autoit3.exe
  "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Command and Scripting Interpreter: AutoIT
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1244
- - \??\c:\windows\SysWOW64\cmd.exe
    "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\cdghdeb\ceeabea
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get domain
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cdghdeb\cbehghe

Filesize
1KB

MD5
77a3235ebe5e78ae397ce7ab172bd671

SHA1
8608efde0fa219d8a84339285dcbcbdd9ccbb62c

SHA256
414e64c899f32643f96a9448d09aed74897e40cfce9fdca195a86975ee036c66

SHA512
59e01cc11576421a9a2ddfb0adbc861de9c46e44701d7f003b2e6a34d90b6b3679a0f1c61a68f748ad2518dd2cbeb0b939d4f22ddc9c7f6466a5f95e497d0f40

Download Submit
C:\ProgramData\cdghdeb\ceeabea

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\Users\Admin\AppData\Roaming\GbcfHbD

Filesize
32B

MD5
c1d71e3d7ece0efd01e226b9aa069fd2

SHA1
bfc7fb87c5e4add1f52eeb0ab3c8df1522811760

SHA256
1efb9cd265f5de5a60d66fd44dc518709012b8e9c7af161b29bcf2b346367469

SHA512
00100535ad96436c8970ef834ae053706c7c90b7bdce1d984b165083d348b7ac63331bf5049d580ef1e122a2c8c069f537ad5a871237255f81089f13ec8d3255

Download Submit
C:\temp\agdkech

Filesize
4B

MD5
d548b78c1e0b7da0ea7a02a55098d394

SHA1
fabe04214f3f3afde071e1c82782d73a1a67b04d

SHA256
95a34ce2365a2bb36369bc1d4e214409c65344364209e4ac7e0f440749bfcbf4

SHA512
b7d5425c586edd4b26cfdefda053f5bb520ac0ce7e4ac9de6b398c6baed489e9bd9600910b9f09cff8987f0abe8ad430a87eba8aa99080552304d8d3c55c30e8

Download Submit
C:\temp\ggehkda

Filesize
4B

MD5
3eda1a839d3eaf57302f8bdced7184f9

SHA1
4f42441f285aa7821e023e4f8dcb68c56cc6ae1a

SHA256
7c8e6f25666863652e98e078a1f35b9e8e8292905a68ff09f698bae214c253e5

SHA512
c214153489db235a166ddf5990577156b6c4cd33e3ffb94cff48817e7a5914c2a6a204a83d47bc741aea2c49d4ba675456f9215babed0b6d73156d6b3504e502

Download Submit
C:\temp\ggehkda

Filesize
4B

MD5
9cdf5d384cb451286bfb9dba00f17408

SHA1
ddf9b0e2a8b9c55650cf450067ab6ceb53780af2

SHA256
d5a9b28c1482377a8358380a3d2341d5f9277fdfb7698ce1c1da992968123355

SHA512
3b641000f93cb98d8b2f7d423c640a68ea21f0f8fe86e9cd428feff042e986e1a1a15dac7a7707e32c2abb9cb1763331c908b8a9659f5f9174a6609b96bb4eec

Download Submit
C:\temp\test\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\test\script.a3x

Filesize
583KB

MD5
88775a72836fe774935bc385593b97fb

SHA1
92c1273bab1554bac2b1fa8a97fe15b07df05800

SHA256
0a997520972c7d8d6307b9f61994176861deda21d0add170860831c554b54842

SHA512
18a882a0ff4718928be1076b31483bfe137df9378ef12dd885ad9e78b7e228d52b4f9ea984dbc253f588ad20b7fd40e2ce61250008956bc9f18892be234376bd

Download Submit
memory/1244-23-0x00000000041A0000-0x00000000044F5000-memory.dmp

Filesize
3.3MB

Download
memory/1244-9-0x00000000041A0000-0x00000000044F5000-memory.dmp

Filesize
3.3MB

Download
memory/1244-8-0x00000000012B0000-0x00000000016B0000-memory.dmp

Filesize
4.0MB

Download
memory/2784-37-0x0000000002A30000-0x00000000031D2000-memory.dmp

Filesize
7.6MB

Download
memory/3060-33-0x0000000002380000-0x0000000002B22000-memory.dmp

Filesize
7.6MB

Download
memory/3060-26-0x0000000002380000-0x0000000002B22000-memory.dmp

Filesize
7.6MB

Download
memory/3060-22-0x0000000002380000-0x0000000002B22000-memory.dmp

Filesize
7.6MB

Download
memory/3060-34-0x0000000002380000-0x0000000002B22000-memory.dmp

Filesize
7.6MB

Download
memory/3060-36-0x0000000002380000-0x0000000002B22000-memory.dmp

Filesize
7.6MB

Download
memory/3060-35-0x0000000002380000-0x0000000002B22000-memory.dmp

Filesize
7.6MB

Download
memory/3060-32-0x0000000002380000-0x0000000002B22000-memory.dmp

Filesize
7.6MB

Download
memory/3060-38-0x0000000002380000-0x0000000002B22000-memory.dmp

Filesize
7.6MB

Download
memory/5072-5-0x0000000002610000-0x000000000278C000-memory.dmp

Filesize
1.5MB

Download
memory/5072-1-0x0000000002610000-0x000000000278C000-memory.dmp

Filesize
1.5MB

Download