Overview

overview

10

Static

static

1

cc8ee15ab9...bf.exe

windows7-x64

10

cc8ee15ab9...bf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-12-2024 17:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc8ee15ab960c8421f9b556883a5006d713d5cde92fce31c027df5caf15b04bf.exe

  • Size

    2.4MB

  • MD5

    08b84d93da7f0a79a714aab3ba651043

  • SHA1

    7cb73f3c67452af9e6ad8475e6df01f19776ac35

  • SHA256

    cc8ee15ab960c8421f9b556883a5006d713d5cde92fce31c027df5caf15b04bf

  • SHA512

    2364786da228dac5dae29faeffee75547447049e227cfc96acb162603c7ed3a885324508603f916ed7e8a6d62695c4b6c23837afa4d404e2f93df873d794d846

  • SSDEEP

    49152:FTkw3cuEwOveoCFltsl4gd257wr8XyIaRCjQuBAk/Z7hjVHgoOJVFFfN:yw3EwOjCFlte4g8xwrObtU9k/Z7hpgFl

Score
10/10
darkgatedrk3discoveryexecutionpersistencestealer

Malware Config

Extracted

Family

darkgate

Botnet

drk3

C2

todayput.shop

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    wJwfUFVH

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    drk3

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Darkgate family
    darkgate
  • Detect DarkGate stealer 9 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Using AutoIT for possible automate script.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2396
      • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
        "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:1520
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      1⤵
        PID:3820
        • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
          "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
          2⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:3892
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
          PID:3908
        • C:\Users\Admin\AppData\Local\Temp\cc8ee15ab960c8421f9b556883a5006d713d5cde92fce31c027df5caf15b04bf.exe
          "C:\Users\Admin\AppData\Local\Temp\cc8ee15ab960c8421f9b556883a5006d713d5cde92fce31c027df5caf15b04bf.exe"
          1⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1216
          • \??\c:\temp\test\Autoit3.exe
            "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Command and Scripting Interpreter: AutoIT
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:5104
            • \??\c:\windows\SysWOW64\cmd.exe
              "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\bbdhefe\egfbgkc
              3⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3560
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                wmic ComputerSystem get domain
                4⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:1068

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\bbdhefe\effbgfk
          Filesize

          1KB

          MD5

          e893fefe11dd3bf710e793f813977202

          SHA1

          e045da1154139fa326f6e450d56264d890191a24

          SHA256

          3588e414c9fe8ec3a4d09e8eafcee0c80bc1893ba99bfc4387f65ebe6cfaa537

          SHA512

          967eacb6ec5b03855d4e7abacc0a47bf515e314a316e5604954feb84af7a9f50f97bbc521f2fd0634aa3c563c6e7ff3fa6fabd3cfcdab0041826eb0efaa6e845

          Download Submit

        • C:\ProgramData\bbdhefe\egfbgkc
          Filesize

          54B

          MD5

          c8bbad190eaaa9755c8dfb1573984d81

          SHA1

          17ad91294403223fde66f687450545a2bad72af5

          SHA256

          7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

          SHA512

          05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

          Download Submit

        • C:\Users\Admin\AppData\Roaming\eehKdEK
          Filesize

          32B

          MD5

          702d2b487eaaa68b84ed0277d6680461

          SHA1

          17467bce416b586287aae303f889f2b5364a8e21

          SHA256

          81565d87d7eece997548004eef8c9f5fce6dcd4b73127281a12da14ac43e4d54

          SHA512

          9e88a03e42f7b1ceba6b46dee5db12cf8562b0e14a4965b01766893fd0c1050f5fa7b5a8180f233e93b47f400caaa344c31054a9e9d4f6abec8aa68da5e2be4c

          Download Submit

        • C:\temp\fcdekcc
          Filesize

          4B

          MD5

          bb02977739d8645e67fd91aa80b43f0a

          SHA1

          5c690cff59a5f37f97f0687355fc16fd630af595

          SHA256

          5cd4461e92f4e34b6799ad0680dc7849ac12ea80ccf51e0ba0e4106dd95a99e5

          SHA512

          f320660c5eac204bdb4cacf0af4eceecd58c460f82ed9c8eb49e443e89d981a186dcb0e09bc1370ba5a9b2f11194cf976a72aedf5b9011ec8e3d4223114a48a1

          Download Submit

        • C:\temp\fcdekcc
          Filesize

          4B

          MD5

          cd4b3d362b048fd7901b402906287d24

          SHA1

          6f7e735e145d9f86a8c2f361bca253023ccbdb77

          SHA256

          695cdd8f06e12cfded3334eadf8aced36c768a3de3795f5efcfc797e63fa2e02

          SHA512

          04246060abc31010aab5bdb0a1b125c0e077cc036d35c55e6605e94ec23426d536646025f0efbbea0a7d5f849f43e3cb56df0fd307d4ac9f8b88a043faa64bbe

          Download Submit

        • C:\temp\hdfahab
          Filesize

          4B

          MD5

          4439895e1118b6d8c9c998d3dc27a157

          SHA1

          8407123aca960c3ab465f6e8d324ad7dcb8cdfe8

          SHA256

          b5da4abb6ecfb428a05eb2ae181aed0a15df45ec30df2ebcdd4c3cda516c2865

          SHA512

          88b27900b7f78c05c9b9e24e893a48fa92c4e241779de24890f97c4de95a460edd8b034f0b60138dd65e4551e29c853aafebd649c9227ba6dba2811c37ab9d8a

          Download Submit

        • C:\temp\test\Autoit3.exe
          Filesize

          872KB

          MD5

          c56b5f0201a3b3de53e561fe76912bfd

          SHA1

          2a4062e10a5de813f5688221dbeb3f3ff33eb417

          SHA256

          237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

          SHA512

          195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

          Download Submit

        • \??\c:\temp\test\script.a3x
          Filesize

          583KB

          MD5

          8aaf978b7a7ff429ed66f80fccf3ccfa

          SHA1

          083d1464ad22918188d34e915ce4056bfe4f8b51

          SHA256

          1d328b6c76e4260f117a87be8e1a0442b6e83106b6fff7bd0bebbbff81b5f427

          SHA512

          80e32e28684cfa64c0c4e081f0a178b27db9ad10f74fc03734d4b37434770be30e544a0939cb4763af0c8bd429e745846cfb434211716a6b883f9c2b1404c039

          Download Submit

        • memory/1216-6-0x0000000000400000-0x0000000000AE8000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1216-2-0x0000000002B40000-0x0000000002CBC000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1216-7-0x0000000002B40000-0x0000000002CBC000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1216-0-0x0000000000400000-0x0000000000AE8000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1520-27-0x0000000002E40000-0x00000000035E2000-memory.dmp

          Filesize

          7.6MB

          Download

        • memory/1520-33-0x0000000002E40000-0x00000000035E2000-memory.dmp

          Filesize

          7.6MB

          Download

        • memory/1520-35-0x0000000002E40000-0x00000000035E2000-memory.dmp

          Filesize

          7.6MB

          Download

        • memory/1520-36-0x0000000002E40000-0x00000000035E2000-memory.dmp

          Filesize

          7.6MB

          Download

        • memory/1520-34-0x0000000002E40000-0x00000000035E2000-memory.dmp

          Filesize

          7.6MB

          Download

        • memory/1520-37-0x0000000002E40000-0x00000000035E2000-memory.dmp

          Filesize

          7.6MB

          Download

        • memory/3892-38-0x0000000002360000-0x0000000002B02000-memory.dmp

          Filesize

          7.6MB

          Download

        • memory/5104-24-0x0000000004AE0000-0x0000000004E35000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/5104-11-0x0000000004AE0000-0x0000000004E35000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/5104-10-0x00000000017B0000-0x0000000001BB0000-memory.dmp

          Filesize

          4.0MB

          Download