darkgate | 75b9eac592a81b9b054af72f2c48d2522dd96beb4a0ef76d2568b5bdaf502db0

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-05_71fc0c381fb24027d7bb59d686915052_avoslocker_hijackloader_luca-stealer.exe
Size

2.2MB
MD5

71fc0c381fb24027d7bb59d686915052
SHA1

ba644da7b5adf55d5912ec87f7ba20d811ec880c
SHA256

75b9eac592a81b9b054af72f2c48d2522dd96beb4a0ef76d2568b5bdaf502db0
SHA512

c1b79de5908ccd636dd2892babac16dc5f30ba2cb8578382b682a1cbbf565099ce3f5778fe67663791ba9249fc5c0bd9e63466a0d824bff3c37b17fb10107f6c
SSDEEP

49152:Yks+4C6efeN0UVBj9Cc/rENUwwiw4jm59J92mbd4H57+dIxEZVKzr7n:ynmoBG+92mbOH5zKk

Score

10^/10

darkgate drk3 discovery execution persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

drk3

todayput.shop

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
81
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
RpFDfbzg
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
drk3

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 11 IoCs

resource	yara_rule
behavioral1/memory/1964-12-0x0000000003060000-0x00000000033B5000-memory.dmp	family_darkgate_v6
behavioral1/memory/2308-24-0x0000000001EC0000-0x0000000002662000-memory.dmp	family_darkgate_v6
behavioral1/memory/1964-25-0x0000000003060000-0x00000000033B5000-memory.dmp	family_darkgate_v6
behavioral1/memory/2308-28-0x0000000001EC0000-0x0000000002662000-memory.dmp	family_darkgate_v6
behavioral1/memory/2308-34-0x0000000001EC0000-0x0000000002662000-memory.dmp	family_darkgate_v6
behavioral1/memory/2308-37-0x0000000001EC0000-0x0000000002662000-memory.dmp	family_darkgate_v6
behavioral1/memory/2308-36-0x0000000001EC0000-0x0000000002662000-memory.dmp	family_darkgate_v6
behavioral1/memory/2308-38-0x0000000001EC0000-0x0000000002662000-memory.dmp	family_darkgate_v6
behavioral1/memory/2308-35-0x0000000001EC0000-0x0000000002662000-memory.dmp	family_darkgate_v6
behavioral1/memory/2904-39-0x0000000001ED0000-0x0000000002672000-memory.dmp	family_darkgate_v6
behavioral1/memory/2308-40-0x0000000001EC0000-0x0000000002662000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1964 created 1072	1964	Autoit3.exe	17
PID 2308 created 1084	2308	GoogleUpdateCore.exe	18

Executes dropped EXE 1 IoCs

pid	Process
1964	Autoit3.exe

Loads dropped DLL 1 IoCs

pid	Process
2444	2024-12-05_71fc0c381fb24027d7bb59d686915052_avoslocker_hijackloader_luca-stealer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\hghadhg = "\"C:\\ProgramData\\gackfdh\\Autoit3.exe\" C:\\ProgramData\\gackfdh\\eebggha.a3x"	GoogleUpdateCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\hghadhg = "\"C:\\ProgramData\\gackfdh\\Autoit3.exe\" C:\\ProgramData\\gackfdh\\eebggha.a3x"	GoogleUpdateCore.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
1964	Autoit3.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-05_71fc0c381fb24027d7bb59d686915052_avoslocker_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1964	Autoit3.exe
1964	Autoit3.exe
2308	GoogleUpdateCore.exe
2308	GoogleUpdateCore.exe
2904	GoogleUpdateCore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2308	GoogleUpdateCore.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2260	WMIC.exe
Token: SeSecurityPrivilege	2260	WMIC.exe
Token: SeTakeOwnershipPrivilege	2260	WMIC.exe
Token: SeLoadDriverPrivilege	2260	WMIC.exe
Token: SeSystemProfilePrivilege	2260	WMIC.exe
Token: SeSystemtimePrivilege	2260	WMIC.exe
Token: SeProfSingleProcessPrivilege	2260	WMIC.exe
Token: SeIncBasePriorityPrivilege	2260	WMIC.exe
Token: SeCreatePagefilePrivilege	2260	WMIC.exe
Token: SeBackupPrivilege	2260	WMIC.exe
Token: SeRestorePrivilege	2260	WMIC.exe
Token: SeShutdownPrivilege	2260	WMIC.exe
Token: SeDebugPrivilege	2260	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2260	WMIC.exe
Token: SeRemoteShutdownPrivilege	2260	WMIC.exe
Token: SeUndockPrivilege	2260	WMIC.exe
Token: SeManageVolumePrivilege	2260	WMIC.exe
Token: 33	2260	WMIC.exe
Token: 34	2260	WMIC.exe
Token: 35	2260	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2260	WMIC.exe
Token: SeSecurityPrivilege	2260	WMIC.exe
Token: SeTakeOwnershipPrivilege	2260	WMIC.exe
Token: SeLoadDriverPrivilege	2260	WMIC.exe
Token: SeSystemProfilePrivilege	2260	WMIC.exe
Token: SeSystemtimePrivilege	2260	WMIC.exe
Token: SeProfSingleProcessPrivilege	2260	WMIC.exe
Token: SeIncBasePriorityPrivilege	2260	WMIC.exe
Token: SeCreatePagefilePrivilege	2260	WMIC.exe
Token: SeBackupPrivilege	2260	WMIC.exe
Token: SeRestorePrivilege	2260	WMIC.exe
Token: SeShutdownPrivilege	2260	WMIC.exe
Token: SeDebugPrivilege	2260	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2260	WMIC.exe
Token: SeRemoteShutdownPrivilege	2260	WMIC.exe
Token: SeUndockPrivilege	2260	WMIC.exe
Token: SeManageVolumePrivilege	2260	WMIC.exe
Token: 33	2260	WMIC.exe
Token: 34	2260	WMIC.exe
Token: 35	2260	WMIC.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 1964	2444	2024-12-05_71fc0c381fb24027d7bb59d686915052_avoslocker_hijackloader_luca-stealer.exe	31
PID 2444 wrote to memory of 1964	2444	2024-12-05_71fc0c381fb24027d7bb59d686915052_avoslocker_hijackloader_luca-stealer.exe	31
PID 2444 wrote to memory of 1964	2444	2024-12-05_71fc0c381fb24027d7bb59d686915052_avoslocker_hijackloader_luca-stealer.exe	31
PID 2444 wrote to memory of 1964	2444	2024-12-05_71fc0c381fb24027d7bb59d686915052_avoslocker_hijackloader_luca-stealer.exe	31
PID 1964 wrote to memory of 2424	1964	Autoit3.exe	32
PID 1964 wrote to memory of 2424	1964	Autoit3.exe	32
PID 1964 wrote to memory of 2424	1964	Autoit3.exe	32
PID 1964 wrote to memory of 2424	1964	Autoit3.exe	32
PID 2424 wrote to memory of 2260	2424	cmd.exe	34
PID 2424 wrote to memory of 2260	2424	cmd.exe	34
PID 2424 wrote to memory of 2260	2424	cmd.exe	34
PID 2424 wrote to memory of 2260	2424	cmd.exe	34
PID 1964 wrote to memory of 2308	1964	Autoit3.exe	36
PID 1964 wrote to memory of 2308	1964	Autoit3.exe	36
PID 1964 wrote to memory of 2308	1964	Autoit3.exe	36
PID 1964 wrote to memory of 2308	1964	Autoit3.exe	36
PID 1964 wrote to memory of 2308	1964	Autoit3.exe	36
PID 1964 wrote to memory of 2308	1964	Autoit3.exe	36
PID 1964 wrote to memory of 2308	1964	Autoit3.exe	36
PID 1964 wrote to memory of 2308	1964	Autoit3.exe	36
PID 2308 wrote to memory of 2904	2308	GoogleUpdateCore.exe	37
PID 2308 wrote to memory of 2904	2308	GoogleUpdateCore.exe	37
PID 2308 wrote to memory of 2904	2308	GoogleUpdateCore.exe	37
PID 2308 wrote to memory of 2904	2308	GoogleUpdateCore.exe	37
PID 2308 wrote to memory of 2904	2308	GoogleUpdateCore.exe	37
PID 2308 wrote to memory of 2904	2308	GoogleUpdateCore.exe	37
PID 2308 wrote to memory of 2904	2308	GoogleUpdateCore.exe	37
PID 2308 wrote to memory of 2904	2308	GoogleUpdateCore.exe	37

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1072
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2308

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1084
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2904

C:\Users\Admin\AppData\Local\Temp\2024-12-05_71fc0c381fb24027d7bb59d686915052_avoslocker_hijackloader_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-05_71fc0c381fb24027d7bb59d686915052_avoslocker_hijackloader_luca-stealer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444
- \??\c:\temp\test\Autoit3.exe
  "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Command and Scripting Interpreter: AutoIT
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1964
- - \??\c:\windows\SysWOW64\cmd.exe
    "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\gackfdh\aehefhh
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get domain
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\gackfdh\aehefhh

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\ProgramData\gackfdh\cekedbc

Filesize
1KB

MD5
5acb79533605f8fe69106156910c55c3

SHA1
5505f19a7332b292bbac48633c6fcccd3c9b250a

SHA256
d3deed3da81b928ebf357373209e1ec1254686690b1b91aeff860d53821778f6

SHA512
4bab90479b1c9783281c7167969c346c7a026d51274352a8d9171309796f3fe01cd6e1d8853b8a89864c425e74e7f904937a51ac965298707d33ff8a5ae70ebe

Download Submit
C:\Users\Admin\AppData\Roaming\fFeHfAa

Filesize
32B

MD5
f4051e3f4136fee34ffbec1727ae8c4c

SHA1
b0733cea1845abfdcb00788a82ad5cd7cb8c1931

SHA256
964434d8501eedfc3582aeb24c830a796f606c90506ccd3aea341aaa4b33c91a

SHA512
3a06556ae65897d6ae9bd49cd636cb9b674a57f1d62d0ae2ff659311b08d4d5fc488864de39fadb0d72a08b99c27f4c9b4978a67635ca559c76cba9d5cfda2e3

Download Submit
C:\temp\dgfeaaf

Filesize
4B

MD5
0f49bb364e1d724d24293736ef82ce28

SHA1
b01461f9469fcf73787fc437cd156a993b705764

SHA256
4f0c3c967e9a7a41efd66bb3db165b2b951acbe1710dcd59141d224720af9c56

SHA512
f3a6ac468e8ed4b00d547b0d8e525620c058e4fb362c38a0ee2ebbfad2c21a432494908e633918cd35853140757224c7e7a26b5dc9680c6986c6299775edbf80

Download Submit
C:\temp\kadkedc

Filesize
4B

MD5
5d8bee9ffcb59a8db19970133fd3fc49

SHA1
4bca60870ddc451b2ac250e745f9b1474213f2d7

SHA256
23130f265d1be5fe5dc8165eebaebc8ad9bd293be1501b0ced22c7b39d0cfc04

SHA512
d3f23fbd49a1c432f6c48bfee3c8c5f3286026819884ad81c8ce3f2b69bd060d2e78132524bc48b181c6e14a65ccc699d8b91a52748e16a6f5addd8d8f2d4797

Download Submit
C:\temp\kadkedc

Filesize
4B

MD5
9db89553fd03388f675c464504767858

SHA1
61919f24c81633a194c02a82d51ec4fcc3376624

SHA256
70032774d568e10d02f8e7f43ff42c32128cdbfc1212fd22f187983586fef7fa

SHA512
8afa1018cdd82d193564cc184a4c0a2fe70c44c85d1941f5d6b14a4ce528cebab47450249d9bb009561645dd260ca8c4c7bda0c06eb1e54f8fd8bfc47283c9ad

Download Submit
\??\c:\temp\test\script.a3x

Filesize
583KB

MD5
88775a72836fe774935bc385593b97fb

SHA1
92c1273bab1554bac2b1fa8a97fe15b07df05800

SHA256
0a997520972c7d8d6307b9f61994176861deda21d0add170860831c554b54842

SHA512
18a882a0ff4718928be1076b31483bfe137df9378ef12dd885ad9e78b7e228d52b4f9ea984dbc253f588ad20b7fd40e2ce61250008956bc9f18892be234376bd

Download Submit
\temp\test\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/1964-25-0x0000000003060000-0x00000000033B5000-memory.dmp

Filesize
3.3MB

Download
memory/1964-12-0x0000000003060000-0x00000000033B5000-memory.dmp

Filesize
3.3MB

Download
memory/1964-11-0x0000000000B70000-0x0000000000F70000-memory.dmp

Filesize
4.0MB

Download
memory/2308-34-0x0000000001EC0000-0x0000000002662000-memory.dmp

Filesize
7.6MB

Download
memory/2308-28-0x0000000001EC0000-0x0000000002662000-memory.dmp

Filesize
7.6MB

Download
memory/2308-24-0x0000000001EC0000-0x0000000002662000-memory.dmp

Filesize
7.6MB

Download
memory/2308-37-0x0000000001EC0000-0x0000000002662000-memory.dmp

Filesize
7.6MB

Download
memory/2308-36-0x0000000001EC0000-0x0000000002662000-memory.dmp

Filesize
7.6MB

Download
memory/2308-38-0x0000000001EC0000-0x0000000002662000-memory.dmp

Filesize
7.6MB

Download
memory/2308-35-0x0000000001EC0000-0x0000000002662000-memory.dmp

Filesize
7.6MB

Download
memory/2308-40-0x0000000001EC0000-0x0000000002662000-memory.dmp

Filesize
7.6MB

Download
memory/2444-1-0x0000000002160000-0x00000000022DC000-memory.dmp

Filesize
1.5MB

Download
memory/2444-7-0x0000000002160000-0x00000000022DC000-memory.dmp

Filesize
1.5MB

Download
memory/2904-39-0x0000000001ED0000-0x0000000002672000-memory.dmp

Filesize
7.6MB

Download