darkgate | 75b9eac592a81b9b054af72f2c48d2522dd96beb4a0ef76d2568b5bdaf502db0

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-05_71fc0c381fb24027d7bb59d686915052_avoslocker_hijackloader_luca-stealer.exe
Size

2.2MB
MD5

71fc0c381fb24027d7bb59d686915052
SHA1

ba644da7b5adf55d5912ec87f7ba20d811ec880c
SHA256

75b9eac592a81b9b054af72f2c48d2522dd96beb4a0ef76d2568b5bdaf502db0
SHA512

c1b79de5908ccd636dd2892babac16dc5f30ba2cb8578382b682a1cbbf565099ce3f5778fe67663791ba9249fc5c0bd9e63466a0d824bff3c37b17fb10107f6c
SSDEEP

49152:Yks+4C6efeN0UVBj9Cc/rENUwwiw4jm59J92mbd4H57+dIxEZVKzr7n:ynmoBG+92mbOH5zKk

Score

10^/10

darkgate drk3 discovery execution persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

drk3

todayput.shop

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
81
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
RpFDfbzg
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
drk3

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 11 IoCs

resource	yara_rule
behavioral2/memory/2276-9-0x00000000044D0000-0x0000000004825000-memory.dmp	family_darkgate_v6
behavioral2/memory/2724-22-0x0000000002DA0000-0x0000000003542000-memory.dmp	family_darkgate_v6
behavioral2/memory/2276-23-0x00000000044D0000-0x0000000004825000-memory.dmp	family_darkgate_v6
behavioral2/memory/2724-26-0x0000000002DA0000-0x0000000003542000-memory.dmp	family_darkgate_v6
behavioral2/memory/2724-33-0x0000000002DA0000-0x0000000003542000-memory.dmp	family_darkgate_v6
behavioral2/memory/2724-35-0x0000000002DA0000-0x0000000003542000-memory.dmp	family_darkgate_v6
behavioral2/memory/2724-32-0x0000000002DA0000-0x0000000003542000-memory.dmp	family_darkgate_v6
behavioral2/memory/2724-34-0x0000000002DA0000-0x0000000003542000-memory.dmp	family_darkgate_v6
behavioral2/memory/2724-36-0x0000000002DA0000-0x0000000003542000-memory.dmp	family_darkgate_v6
behavioral2/memory/5060-37-0x0000000002500000-0x0000000002CA2000-memory.dmp	family_darkgate_v6
behavioral2/memory/2724-38-0x0000000002DA0000-0x0000000003542000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2276 created 2712	2276	Autoit3.exe	45
PID 2724 created 2784	2724	GoogleUpdateCore.exe	46

Executes dropped EXE 1 IoCs

pid	Process
2276	Autoit3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ekbkcdb = "\"C:\\ProgramData\\dhadcfd\\Autoit3.exe\" C:\\ProgramData\\dhadcfd\\dgfdehc.a3x"	GoogleUpdateCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ekbkcdb = "\"C:\\ProgramData\\dhadcfd\\Autoit3.exe\" C:\\ProgramData\\dhadcfd\\dgfdehc.a3x"	GoogleUpdateCore.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
2276	Autoit3.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-05_71fc0c381fb24027d7bb59d686915052_avoslocker_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2276	Autoit3.exe
2276	Autoit3.exe
2276	Autoit3.exe
2276	Autoit3.exe
2724	GoogleUpdateCore.exe
2724	GoogleUpdateCore.exe
2724	GoogleUpdateCore.exe
2724	GoogleUpdateCore.exe
5060	GoogleUpdateCore.exe
5060	GoogleUpdateCore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2724	GoogleUpdateCore.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4528	WMIC.exe
Token: SeSecurityPrivilege	4528	WMIC.exe
Token: SeTakeOwnershipPrivilege	4528	WMIC.exe
Token: SeLoadDriverPrivilege	4528	WMIC.exe
Token: SeSystemProfilePrivilege	4528	WMIC.exe
Token: SeSystemtimePrivilege	4528	WMIC.exe
Token: SeProfSingleProcessPrivilege	4528	WMIC.exe
Token: SeIncBasePriorityPrivilege	4528	WMIC.exe
Token: SeCreatePagefilePrivilege	4528	WMIC.exe
Token: SeBackupPrivilege	4528	WMIC.exe
Token: SeRestorePrivilege	4528	WMIC.exe
Token: SeShutdownPrivilege	4528	WMIC.exe
Token: SeDebugPrivilege	4528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4528	WMIC.exe
Token: SeRemoteShutdownPrivilege	4528	WMIC.exe
Token: SeUndockPrivilege	4528	WMIC.exe
Token: SeManageVolumePrivilege	4528	WMIC.exe
Token: 33	4528	WMIC.exe
Token: 34	4528	WMIC.exe
Token: 35	4528	WMIC.exe
Token: 36	4528	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4528	WMIC.exe
Token: SeSecurityPrivilege	4528	WMIC.exe
Token: SeTakeOwnershipPrivilege	4528	WMIC.exe
Token: SeLoadDriverPrivilege	4528	WMIC.exe
Token: SeSystemProfilePrivilege	4528	WMIC.exe
Token: SeSystemtimePrivilege	4528	WMIC.exe
Token: SeProfSingleProcessPrivilege	4528	WMIC.exe
Token: SeIncBasePriorityPrivilege	4528	WMIC.exe
Token: SeCreatePagefilePrivilege	4528	WMIC.exe
Token: SeBackupPrivilege	4528	WMIC.exe
Token: SeRestorePrivilege	4528	WMIC.exe
Token: SeShutdownPrivilege	4528	WMIC.exe
Token: SeDebugPrivilege	4528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4528	WMIC.exe
Token: SeRemoteShutdownPrivilege	4528	WMIC.exe
Token: SeUndockPrivilege	4528	WMIC.exe
Token: SeManageVolumePrivilege	4528	WMIC.exe
Token: 33	4528	WMIC.exe
Token: 34	4528	WMIC.exe
Token: 35	4528	WMIC.exe
Token: 36	4528	WMIC.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 2276	4592	2024-12-05_71fc0c381fb24027d7bb59d686915052_avoslocker_hijackloader_luca-stealer.exe	84
PID 4592 wrote to memory of 2276	4592	2024-12-05_71fc0c381fb24027d7bb59d686915052_avoslocker_hijackloader_luca-stealer.exe	84
PID 4592 wrote to memory of 2276	4592	2024-12-05_71fc0c381fb24027d7bb59d686915052_avoslocker_hijackloader_luca-stealer.exe	84
PID 2276 wrote to memory of 3728	2276	Autoit3.exe	85
PID 2276 wrote to memory of 3728	2276	Autoit3.exe	85
PID 2276 wrote to memory of 3728	2276	Autoit3.exe	85
PID 3728 wrote to memory of 4528	3728	cmd.exe	87
PID 3728 wrote to memory of 4528	3728	cmd.exe	87
PID 3728 wrote to memory of 4528	3728	cmd.exe	87
PID 2276 wrote to memory of 2724	2276	Autoit3.exe	92
PID 2276 wrote to memory of 2724	2276	Autoit3.exe	92
PID 2276 wrote to memory of 2724	2276	Autoit3.exe	92
PID 2276 wrote to memory of 2724	2276	Autoit3.exe	92
PID 2724 wrote to memory of 5060	2724	GoogleUpdateCore.exe	96
PID 2724 wrote to memory of 5060	2724	GoogleUpdateCore.exe	96
PID 2724 wrote to memory of 5060	2724	GoogleUpdateCore.exe	96
PID 2724 wrote to memory of 5060	2724	GoogleUpdateCore.exe	96

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2712
- C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2784
- C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5060

C:\Users\Admin\AppData\Local\Temp\2024-12-05_71fc0c381fb24027d7bb59d686915052_avoslocker_hijackloader_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-05_71fc0c381fb24027d7bb59d686915052_avoslocker_hijackloader_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4592
- \??\c:\temp\test\Autoit3.exe
  "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Command and Scripting Interpreter: AutoIT
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2276
- - \??\c:\windows\SysWOW64\cmd.exe
    "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\dhadcfd\fkeeccc
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get domain
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dhadcfd\acekgea

Filesize
1KB

MD5
fb0ae320b26272951b7fe38712450382

SHA1
04af7e32ee07c5da3ec42c0515d7b29866677489

SHA256
e8f62309366de507a531ebc28c1f6ed315e7363698f56cff779ebbece3e81130

SHA512
9a35bcf14c2b8319e6c320433d88095d668738c89d7611074922eea1f737400406ef57761ad66a2b769159347cf235eb478b27fd5e5cb250f0fc667b3fb168d1

Download Submit
C:\ProgramData\dhadcfd\fkeeccc

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\Users\Admin\AppData\Roaming\KDbBadK

Filesize
32B

MD5
de9820efe54681f68d3f08412c6cb4a4

SHA1
f99064c687ab40e0d96cab263139b637e1543674

SHA256
917659bc951bf573b50f16267132b9034577d70b5132d0e986cf17cefc569db9

SHA512
6b15ce945c16789d3fc3bea1938ee89c71b6c9a86ced713b753fbdff661018ed473211e2f59f2159c6071ad618f6d4284b6dbcf0b5859da0d04d38341affbf87

Download Submit
C:\temp\bbgekdh

Filesize
4B

MD5
1512ea05d9f663985fb9b817c6050b19

SHA1
39b19aa831b17cb11a9a954da254b562d9d562c2

SHA256
127822bbef98f1d57bd2675bbe635f3090e63e5c8527de619084e270569f55d7

SHA512
74cc73427699a8e0004e58ec4ffa712e4d4d8b9772867399cde1d5d3f8fb3b159c09e29f8a5976abe15ce02d1bce28303ea9ee57d090a6ef0de2aca5c513538d

Download Submit
C:\temp\bbgekdh

Filesize
4B

MD5
feb67305611b0cea093bd6b2184f5323

SHA1
75ea386fd418d4a9d0a053b051374bf46eff7af2

SHA256
78fc15ef90218cc482cdff21bf9ab1a81a9fd9f2e34bf5b72aa812e3e065ff84

SHA512
746e47d95c6e66265db1f2ce42a581c5cd81b07392223c16abaecba4c3fae1eb76968d401db09101563426199495d79f076b4b1ddab0aff05c35194c34c3128f

Download Submit
C:\temp\dceaedf

Filesize
4B

MD5
3736ebd0de204b6a205b5c11e2f1898b

SHA1
abec2c20f9273cd1cee8195c2ce7457b5e6315e3

SHA256
ff99c094e6e0edf31b40b9506861deaa4b5ca19e5eec80880a8a122d50542c4c

SHA512
11308382430b8d3851746abf1270bd8bac8058bece9827cd61e41a4594974ec037600b61683da0a82c4c9ba2bc0dbe2a35461c4e2fe9208aa76b501b4d1e77c1

Download Submit
C:\temp\test\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\test\script.a3x

Filesize
583KB

MD5
88775a72836fe774935bc385593b97fb

SHA1
92c1273bab1554bac2b1fa8a97fe15b07df05800

SHA256
0a997520972c7d8d6307b9f61994176861deda21d0add170860831c554b54842

SHA512
18a882a0ff4718928be1076b31483bfe137df9378ef12dd885ad9e78b7e228d52b4f9ea984dbc253f588ad20b7fd40e2ce61250008956bc9f18892be234376bd

Download Submit
memory/2276-23-0x00000000044D0000-0x0000000004825000-memory.dmp

Filesize
3.3MB

Download
memory/2276-9-0x00000000044D0000-0x0000000004825000-memory.dmp

Filesize
3.3MB

Download
memory/2276-8-0x0000000001110000-0x0000000001510000-memory.dmp

Filesize
4.0MB

Download
memory/2724-33-0x0000000002DA0000-0x0000000003542000-memory.dmp

Filesize
7.6MB

Download
memory/2724-26-0x0000000002DA0000-0x0000000003542000-memory.dmp

Filesize
7.6MB

Download
memory/2724-22-0x0000000002DA0000-0x0000000003542000-memory.dmp

Filesize
7.6MB

Download
memory/2724-35-0x0000000002DA0000-0x0000000003542000-memory.dmp

Filesize
7.6MB

Download
memory/2724-32-0x0000000002DA0000-0x0000000003542000-memory.dmp

Filesize
7.6MB

Download
memory/2724-34-0x0000000002DA0000-0x0000000003542000-memory.dmp

Filesize
7.6MB

Download
memory/2724-36-0x0000000002DA0000-0x0000000003542000-memory.dmp

Filesize
7.6MB

Download
memory/2724-38-0x0000000002DA0000-0x0000000003542000-memory.dmp

Filesize
7.6MB

Download
memory/4592-1-0x0000000002680000-0x00000000027FC000-memory.dmp

Filesize
1.5MB

Download
memory/4592-5-0x0000000002680000-0x00000000027FC000-memory.dmp

Filesize
1.5MB

Download
memory/5060-37-0x0000000002500000-0x0000000002CA2000-memory.dmp

Filesize
7.6MB

Download