Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-12-2024 17:47

General

  • Target

    cc8ee15ab960c8421f9b556883a5006d713d5cde92fce31c027df5caf15b04bf.exe

  • Size

    2.4MB

  • MD5

    08b84d93da7f0a79a714aab3ba651043

  • SHA1

    7cb73f3c67452af9e6ad8475e6df01f19776ac35

  • SHA256

    cc8ee15ab960c8421f9b556883a5006d713d5cde92fce31c027df5caf15b04bf

  • SHA512

    2364786da228dac5dae29faeffee75547447049e227cfc96acb162603c7ed3a885324508603f916ed7e8a6d62695c4b6c23837afa4d404e2f93df873d794d846

  • SSDEEP

    49152:FTkw3cuEwOveoCFltsl4gd257wr8XyIaRCjQuBAk/Z7hjVHgoOJVFFfN:yw3EwOjCFlte4g8xwrObtU9k/Z7hpgFl

Malware Config

Extracted

Family

darkgate

Botnet

drk3

C2

todayput.shop

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    wJwfUFVH

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    drk3
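
The attributes above are the sample's environment gating and C2 settings. The following is an added example, not part of the sandbox report or the malware itself: it evaluates the extracted config against a host profile and flattens it into indicators. The meaning of each flag is an assumption drawn from the field names (check_ram gates on minimum_ram, check_disk on minimum_disk, check_xeon rejects Xeon CPUs, anti_vm rejects virtual machines), as are the units (minimum_ram in MB, minimum_disk in GB); the host profiles are constructed, not measured.

```python
"""Evaluate the extracted DarkGate config against a host profile (added example)."""
from dataclasses import dataclass

# Values copied from the "Extracted" config in the report.
CONFIG = {
    "family": "darkgate",
    "botnet": "drk3",
    "c2": "todayput.shop",
    "c2_port": 80,
    "internal_mutex": "wJwfUFVH",
    "username": "drk3",
    "anti_vm": False,
    "check_ram": False,
    "minimum_ram": 4096,     # MB (assumed unit)
    "check_disk": False,
    "minimum_disk": 100,     # GB (assumed unit)
    "check_xeon": False,
    "startup_persistence": True,
    "ping_interval": 6,
}

# The same config with the gating flags switched on, to show what they would do.
HARDENED = {**CONFIG, "anti_vm": True, "check_ram": True,
            "check_disk": True, "check_xeon": True}


@dataclass(frozen=True)
class HostProfile:
    ram_mb: int
    disk_gb: int
    cpu_name: str
    is_vm: bool


# Constructed host profiles, not measurements taken from the report.
SANDBOX_VM = HostProfile(ram_mb=2048, disk_gb=60,
                         cpu_name="Intel(R) Xeon(R) CPU E5-2680", is_vm=True)
WORKSTATION = HostProfile(ram_mb=16384, disk_gb=512,
                          cpu_name="Intel(R) Core(TM) i7-9700", is_vm=False)


def gating_failures(config: dict, host: HostProfile) -> list:
    """Names of the environment checks that would stop the sample on `host`.

    A threshold is only consulted when its enable flag is true (assumed
    semantics), so with the report's config (every flag false) minimum_ram
    and minimum_disk are inert and the sample detonates on a small sandbox VM.
    """
    failures = []
    if config.get("check_ram") and host.ram_mb < config.get("minimum_ram", 0):
        failures.append("check_ram")
    if config.get("check_disk") and host.disk_gb < config.get("minimum_disk", 0):
        failures.append("check_disk")
    if config.get("check_xeon") and "xeon" in host.cpu_name.lower():
        failures.append("check_xeon")
    if config.get("anti_vm") and host.is_vm:
        failures.append("anti_vm")
    return failures


def iocs(config: dict) -> list:
    """Flatten the config into (type, value) indicators for blocking and hunting."""
    return [
        ("domain", config["c2"]),
        ("port", str(config["c2_port"])),
        ("mutex", config["internal_mutex"]),
        ("botnet_id", config["botnet"]),
    ]


if __name__ == "__main__":
    print("sandbox, report config :", gating_failures(CONFIG, SANDBOX_VM) or "runs")
    print("sandbox, flags enabled :", gating_failures(HARDENED, SANDBOX_VM))
    for kind, value in iocs(CONFIG):
        print(f"{kind:10s} {value}")
```

The point to take from the output is that thresholds in an extracted config only matter together with their enable flags: the same build with the four flags set would refuse the constructed 2 GB Xeon VM while still running on the workstation profile.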

Signatures

  • DarkGate

    DarkGate is a loader and remote access trojan with information-stealing capabilities, written in Delphi.

  • Darkgate family
  • Detect DarkGate stealer 9 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Uses the AutoIt interpreter to run a compiled script (.a3x); here a dropped Autoit3.exe executes c:\temp\test\script.a3x.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the victim system's language in order to infer the host's geographical location.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read to detect sandbox environments, for example by matching the CPU brand string against Xeon, which this family exposes in its config as check_xeon.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    PID:1044
    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2636
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    PID:1068
    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
      2⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2780
  • C:\Users\Admin\AppData\Local\Temp\cc8ee15ab960c8421f9b556883a5006d713d5cde92fce31c027df5caf15b04bf.exe
    "C:\Users\Admin\AppData\Local\Temp\cc8ee15ab960c8421f9b556883a5006d713d5cde92fce31c027df5caf15b04bf.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1840
    • \??\c:\temp\test\Autoit3.exe
      "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
      2⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Executes dropped EXE
      • Command and Scripting Interpreter: AutoIT
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2288
      • \??\c:\windows\SysWOW64\cmd.exe
        "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\acccgfa\dcddbbg
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2460
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic ComputerSystem get domain
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2868
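
The process tree above, together with the AutoIT and NtCreateUserProcessOtherParentProcess signatures, is the behaviour a detection engineer would want to catch on a live host. The following is an added example, not code from the sandbox or the report: three small rules run over process-creation events. The image paths, command lines and PIDs in the events are copied from the tree; the `creator_pid` field (which process actually issued the create call, as opposed to the parent recorded in the process object) is an assumed telemetry field, and the creator values for the two GoogleUpdateCore.exe events are constructed to illustrate a parent-PID mismatch, not something the report states.

```python
"""Detection rules over process-creation events shaped like the report's tree (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int          # parent PID stored in the new process object
    creator_pid: int   # PID of the process that issued the create call (assumed telemetry field)
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cc8ee15ab960c8421f9b556883a5006d713d5cde92fce31c027df5caf15b04bf.exe"
GUC = r"C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"

# Constructed events: paths, command lines and PIDs come from the report's
# process tree; creator_pid values are assumptions made for illustration.
EVENTS = [
    ProcEvent(1840, 1, 1, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2288, 1840, 1840, r"\??\c:\temp\test\Autoit3.exe",
              r'"c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x'),
    ProcEvent(2460, 2288, 2288, r"\??\c:\windows\SysWOW64\cmd.exe",
              r'"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\acccgfa\dcddbbg'),
    ProcEvent(2868, 2460, 2460, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic ComputerSystem get domain"),
    ProcEvent(2780, 1068, 2288, GUC, f'"{GUC}"'),   # recorded parent taskhost.exe (1068)
    ProcEvent(2636, 1044, 2780, GUC, f'"{GUC}"'),   # recorded parent Dwm.exe (1044)
]

TRUSTED_DIRS = (r"c:\program files\\".rstrip("\\") + "\\", r"c:\program files (x86)\\".rstrip("\\") + "\\", "c:\\windows\\")


def normalize(path: str) -> str:
    """Lower-case and strip the NT object-manager prefix the sandbox records."""
    p = path.lower()
    return p[len("\\??\\"):] if p.startswith("\\??\\") else p


def basename(path: str) -> str:
    return normalize(path).rsplit("\\", 1)[-1]


def rule_autoit_outside_program_files(ev: ProcEvent) -> bool:
    """AutoIt interpreter running a compiled .a3x script from an untrusted directory."""
    return (basename(ev.image) == "autoit3.exe"
            and not normalize(ev.image).startswith(TRUSTED_DIRS)
            and ".a3x" in ev.cmdline.lower())


def rule_wmic_domain_redirected(ev: ProcEvent) -> bool:
    """cmd.exe running 'wmic ComputerSystem get domain' with output redirected under ProgramData."""
    cl = ev.cmdline.lower()
    return (basename(ev.image) == "cmd.exe"
            and re.search(r"wmic\s+computersystem\s+get\s+domain", cl) is not None
            and ">" in cl
            and "\\programdata\\" in cl)


def rule_parent_pid_mismatch(ev: ProcEvent) -> bool:
    """Recorded parent differs from the process that created it (parent-PID spoofing)."""
    return ev.ppid != ev.creator_pid


RULES = {
    "autoit_outside_program_files": rule_autoit_outside_program_files,
    "wmic_domain_redirected": rule_wmic_domain_redirected,
    "parent_pid_mismatch": rule_parent_pid_mismatch,
}


def run_rules(events) -> list:
    """Return sorted (rule_name, pid) pairs for every rule that fires on every event."""
    return sorted((name, ev.pid) for ev in events for name, rule in RULES.items() if rule(ev))


if __name__ == "__main__":
    for name, pid in run_rules(EVENTS):
        print(f"{name:30s} PID {pid}")
```

The parent-PID rule is the one that matters for the two GoogleUpdateCore.exe processes: their recorded parents (Dwm.exe, taskhost.exe) look benign on a process tree, and only telemetry that records the real creator exposes the spoofing. The other two rules are command-line matches that a Sigma or EDR query can express directly.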

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\ProgramData\acccgfa\dcddbbg

        Filesize

        54B

        MD5

        c8bbad190eaaa9755c8dfb1573984d81

        SHA1

        17ad91294403223fde66f687450545a2bad72af5

        SHA256

        7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

        SHA512

        05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

      • C:\ProgramData\acccgfa\ggfabde

        Filesize

        1KB

        MD5

        11dc32753dd2cdf56ed9027e55f1e3d7

        SHA1

        b5fbf8e168dbc21b6602b2ed2236d1d983c8ce58

        SHA256

        4fe6b347f91ba3344656345f5194237ef9ad9f1b3d4e77cf761f50922e2cf74d

        SHA512

        0b5faea841c5cc0e27fff458793407a8a06f1c63489052d2ae8d52c45d25abf7b068827ad4cfc97cb222538bd407a684cc1dcbf32251325b98d60d2cd1832a57

      • C:\Users\Admin\AppData\Roaming\AdfKedB

        Filesize

        32B

        MD5

        3ce7c4cfb6fff5e296d6cc9b927fc234

        SHA1

        58ea7cc2b8926bc39eaa92a7374d762639c4ad4a

        SHA256

        f0468515cda8bd6d41c949538c89de36205192b55b08331e13213381e892fd19

        SHA512

        c164df2010a4599c9410090ba0f6cda4b60a13760e2831f1f9565a6871c64fb209f69eedf6084c281610c264f932bfa94f7892300bd001e60fd56e96fe6d8649

      • C:\temp\afcbggg

        Filesize

        4B

        MD5

        0b0ea4909cc664276ba2d942f78f8223

        SHA1

        98d360ad1dbe62351c4910ccca768db5eb7c4348

        SHA256

        31928b54b96a97a3f93dfd39a6952e85d43e63ca04a99c49e86ae144df635c5e

        SHA512

        06bba7a0b5762f0d3f8f29078ab83502d225da9cded559ba4a56763204e6315dee844d004ee1793b3377fe519aebd3318f924ee915d8570c039dc6bf5f43d727

      • C:\temp\fhffdch

        Filesize

        4B

        MD5

        54bfe141f485a528ea47147e5316f498

        SHA1

        fc631491ec965eba024523bd6334004952cb682b

        SHA256

        42fe9c6ac82d1180e8aa08e5b40d78ba749639373a79d8966ef2b02f5a19153b

        SHA512

        614699f17faed3c68d08c8d55cad3667dbf8037935fba636a56f6f89bdb48a0a7115eae83cd83f75e795f300e7691f612dd0bc7e968a366598ec416ab58a33ee

      • C:\temp\fhffdch

        Filesize

        4B

        MD5

        e1eb8394ce1beea7f7ead3480611d1e0

        SHA1

        f660597c4d6fd982226ef984be2a864d9bb74744

        SHA256

        196ea8b028ed48d4a3697df812d157afca6e02fd1cd05eeae44ae8a9ea797548

        SHA512

        4a163e7f2ba856bb2b2527b5e7b85827b213dc462f163d3633cdcaeb31fd028d74ed412367895cb82c0aefba5201218031e655a7b8a5c772e6f2f253967ab74a

      • C:\temp\test\Autoit3.exe

        Filesize

        872KB

        MD5

        c56b5f0201a3b3de53e561fe76912bfd

        SHA1

        2a4062e10a5de813f5688221dbeb3f3ff33eb417

        SHA256

        237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

        SHA512

        195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      • \??\c:\temp\test\script.a3x

        Filesize

        583KB

        MD5

        8aaf978b7a7ff429ed66f80fccf3ccfa

        SHA1

        083d1464ad22918188d34e915ce4056bfe4f8b51

        SHA256

        1d328b6c76e4260f117a87be8e1a0442b6e83106b6fff7bd0bebbbff81b5f427

        SHA512

        80e32e28684cfa64c0c4e081f0a178b27db9ad10f74fc03734d4b37434770be30e544a0939cb4763af0c8bd429e745846cfb434211716a6b883f9c2b1404c039

      • memory/1840-2-0x00000000027D0000-0x000000000294C000-memory.dmp

        Filesize

        1.5MB

      • memory/1840-9-0x0000000000400000-0x0000000000AE8000-memory.dmp

        Filesize

        6.9MB

      • memory/1840-10-0x00000000027D0000-0x000000000294C000-memory.dmp

        Filesize

        1.5MB

      • memory/1840-0-0x0000000000400000-0x0000000000AE8000-memory.dmp

        Filesize

        6.9MB

      • memory/2288-14-0x0000000002FE0000-0x0000000003335000-memory.dmp

        Filesize

        3.3MB

      • memory/2288-13-0x0000000000D80000-0x0000000001180000-memory.dmp

        Filesize

        4.0MB

      • memory/2288-26-0x0000000002FE0000-0x0000000003335000-memory.dmp

        Filesize

        3.3MB

      • memory/2636-40-0x0000000002000000-0x00000000027A2000-memory.dmp

        Filesize

        7.6MB

      • memory/2780-29-0x0000000002000000-0x00000000027A2000-memory.dmp

        Filesize

        7.6MB

      • memory/2780-35-0x0000000002000000-0x00000000027A2000-memory.dmp

        Filesize

        7.6MB

      • memory/2780-36-0x0000000002000000-0x00000000027A2000-memory.dmp

        Filesize

        7.6MB

      • memory/2780-38-0x0000000002000000-0x00000000027A2000-memory.dmp

        Filesize

        7.6MB

      • memory/2780-39-0x0000000002000000-0x00000000027A2000-memory.dmp

        Filesize

        7.6MB

      • memory/2780-37-0x0000000002000000-0x00000000027A2000-memory.dmp

        Filesize

        7.6MB