darkgate | 476cc1cc38157e647526ed2c8b295abe68e316c05ad33796b4df0a0b20f9a11d

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-11_89431de4fd8ed4f4cc9ed7e55057580f_luca-stealer_magniber.exe
Size

4.5MB
MD5

89431de4fd8ed4f4cc9ed7e55057580f
SHA1

a00e9a3a4f7ded604b8b739db6c8de22ae5a9c58
SHA256

476cc1cc38157e647526ed2c8b295abe68e316c05ad33796b4df0a0b20f9a11d
SHA512

cebca184d9ce7f2e9e5dd10c6d0137ecc763d6a69d6d21b297286de020e93099b3d7be6c215cd2b3289c11aa4de0cd3cea860c4a37c3f9c0bde1bd90f5dc41e4
SSDEEP

98304:bFO4oV0MYjRj6N/MftXyfSoQdATd/2kUs8SN43:bFOjVLYjR2NiXwSoOAB/2Rs8SN4

Score

10^/10

darkgate drk3 discovery execution persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

drk3

todayput.shop

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
XqDIpWGY
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
drk3

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 9 IoCs

resource	yara_rule
behavioral1/memory/2776-18-0x0000000003060000-0x00000000033B5000-memory.dmp	family_darkgate_v6
behavioral1/memory/2776-30-0x0000000003060000-0x00000000033B5000-memory.dmp	family_darkgate_v6
behavioral1/memory/2856-33-0x0000000001E20000-0x00000000025C2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2856-40-0x0000000001E20000-0x00000000025C2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2856-41-0x0000000001E20000-0x00000000025C2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2856-39-0x0000000001E20000-0x00000000025C2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2856-42-0x0000000001E20000-0x00000000025C2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2856-43-0x0000000001E20000-0x00000000025C2000-memory.dmp	family_darkgate_v6
behavioral1/memory/3016-44-0x0000000001DD0000-0x0000000002572000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2776 created 1824	2776	Autoit3.exe	25
PID 2856 created 1072	2856	GoogleUpdateCore.exe	17

Executes dropped EXE 1 IoCs

pid	Process
2776	Autoit3.exe

Loads dropped DLL 1 IoCs

pid	Process
2656	2024-12-11_89431de4fd8ed4f4cc9ed7e55057580f_luca-stealer_magniber.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\hhcebde = "\"C:\\ProgramData\\fehegec\\Autoit3.exe\" C:\\ProgramData\\fehegec\\cfekchc.a3x"	GoogleUpdateCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\hhcebde = "\"C:\\ProgramData\\fehegec\\Autoit3.exe\" C:\\ProgramData\\fehegec\\cfekchc.a3x"	GoogleUpdateCore.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
2776	Autoit3.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-11_89431de4fd8ed4f4cc9ed7e55057580f_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2776	Autoit3.exe
2776	Autoit3.exe
2856	GoogleUpdateCore.exe
2856	GoogleUpdateCore.exe
3016	GoogleUpdateCore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2856	GoogleUpdateCore.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2296	WMIC.exe
Token: SeSecurityPrivilege	2296	WMIC.exe
Token: SeTakeOwnershipPrivilege	2296	WMIC.exe
Token: SeLoadDriverPrivilege	2296	WMIC.exe
Token: SeSystemProfilePrivilege	2296	WMIC.exe
Token: SeSystemtimePrivilege	2296	WMIC.exe
Token: SeProfSingleProcessPrivilege	2296	WMIC.exe
Token: SeIncBasePriorityPrivilege	2296	WMIC.exe
Token: SeCreatePagefilePrivilege	2296	WMIC.exe
Token: SeBackupPrivilege	2296	WMIC.exe
Token: SeRestorePrivilege	2296	WMIC.exe
Token: SeShutdownPrivilege	2296	WMIC.exe
Token: SeDebugPrivilege	2296	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2296	WMIC.exe
Token: SeRemoteShutdownPrivilege	2296	WMIC.exe
Token: SeUndockPrivilege	2296	WMIC.exe
Token: SeManageVolumePrivilege	2296	WMIC.exe
Token: 33	2296	WMIC.exe
Token: 34	2296	WMIC.exe
Token: 35	2296	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2296	WMIC.exe
Token: SeSecurityPrivilege	2296	WMIC.exe
Token: SeTakeOwnershipPrivilege	2296	WMIC.exe
Token: SeLoadDriverPrivilege	2296	WMIC.exe
Token: SeSystemProfilePrivilege	2296	WMIC.exe
Token: SeSystemtimePrivilege	2296	WMIC.exe
Token: SeProfSingleProcessPrivilege	2296	WMIC.exe
Token: SeIncBasePriorityPrivilege	2296	WMIC.exe
Token: SeCreatePagefilePrivilege	2296	WMIC.exe
Token: SeBackupPrivilege	2296	WMIC.exe
Token: SeRestorePrivilege	2296	WMIC.exe
Token: SeShutdownPrivilege	2296	WMIC.exe
Token: SeDebugPrivilege	2296	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2296	WMIC.exe
Token: SeRemoteShutdownPrivilege	2296	WMIC.exe
Token: SeUndockPrivilege	2296	WMIC.exe
Token: SeManageVolumePrivilege	2296	WMIC.exe
Token: 33	2296	WMIC.exe
Token: 34	2296	WMIC.exe
Token: 35	2296	WMIC.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2776	2656	2024-12-11_89431de4fd8ed4f4cc9ed7e55057580f_luca-stealer_magniber.exe	30
PID 2656 wrote to memory of 2776	2656	2024-12-11_89431de4fd8ed4f4cc9ed7e55057580f_luca-stealer_magniber.exe	30
PID 2656 wrote to memory of 2776	2656	2024-12-11_89431de4fd8ed4f4cc9ed7e55057580f_luca-stealer_magniber.exe	30
PID 2656 wrote to memory of 2776	2656	2024-12-11_89431de4fd8ed4f4cc9ed7e55057580f_luca-stealer_magniber.exe	30
PID 2776 wrote to memory of 2092	2776	Autoit3.exe	31
PID 2776 wrote to memory of 2092	2776	Autoit3.exe	31
PID 2776 wrote to memory of 2092	2776	Autoit3.exe	31
PID 2776 wrote to memory of 2092	2776	Autoit3.exe	31
PID 2092 wrote to memory of 2296	2092	cmd.exe	33
PID 2092 wrote to memory of 2296	2092	cmd.exe	33
PID 2092 wrote to memory of 2296	2092	cmd.exe	33
PID 2092 wrote to memory of 2296	2092	cmd.exe	33
PID 2776 wrote to memory of 2856	2776	Autoit3.exe	35
PID 2776 wrote to memory of 2856	2776	Autoit3.exe	35
PID 2776 wrote to memory of 2856	2776	Autoit3.exe	35
PID 2776 wrote to memory of 2856	2776	Autoit3.exe	35
PID 2776 wrote to memory of 2856	2776	Autoit3.exe	35
PID 2776 wrote to memory of 2856	2776	Autoit3.exe	35
PID 2776 wrote to memory of 2856	2776	Autoit3.exe	35
PID 2776 wrote to memory of 2856	2776	Autoit3.exe	35
PID 2856 wrote to memory of 3016	2856	GoogleUpdateCore.exe	37
PID 2856 wrote to memory of 3016	2856	GoogleUpdateCore.exe	37
PID 2856 wrote to memory of 3016	2856	GoogleUpdateCore.exe	37
PID 2856 wrote to memory of 3016	2856	GoogleUpdateCore.exe	37
PID 2856 wrote to memory of 3016	2856	GoogleUpdateCore.exe	37
PID 2856 wrote to memory of 3016	2856	GoogleUpdateCore.exe	37
PID 2856 wrote to memory of 3016	2856	GoogleUpdateCore.exe	37
PID 2856 wrote to memory of 3016	2856	GoogleUpdateCore.exe	37

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1072
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3016

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1824
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2856

C:\Users\Admin\AppData\Local\Temp\2024-12-11_89431de4fd8ed4f4cc9ed7e55057580f_luca-stealer_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-11_89431de4fd8ed4f4cc9ed7e55057580f_luca-stealer_magniber.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- \??\c:\temp\test\Autoit3.exe
  "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Command and Scripting Interpreter: AutoIT
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2776
- - \??\c:\windows\SysWOW64\cmd.exe
    "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\fehegec\dcbfccd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get domain
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fehegec\cdekecc

Filesize
1KB

MD5
7a567343a9233f7504574bb965299d1f

SHA1
3a5a60a0e277bd997ba30bb2d952536e5c083d5d

SHA256
6b1b2a58cd5ac3cb2bc02fb0b135fcabee7b48c0cc893090b9fdc110e0da86e9

SHA512
86c75cffd9f1545f379688fe4d59b8794f58fdfe9498cddd66b5381093f0275cc14a28a105f5dc229379475613c2b3e9e01db9c179848883ca9ba85aed1b3221

Download Submit
C:\ProgramData\fehegec\dcbfccd

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\Users\Admin\AppData\Roaming\EAfEEDH

Filesize
32B

MD5
bbb4b960b2b88d53715f0933f552fc25

SHA1
37fe84819d285d22567148492c45fc9e4b133198

SHA256
623730c0eb5acc69e512dc3775315417a3dd1ed71efdf279939b650a18d09a0a

SHA512
29a4d3be25b14aac6ec387fbab8ebf1fef5fc7e84f95cd38093c217cb72473fd1eb6b454515a92d0cf083b1a40f22f6fa988f8a8bc689220120716963512958c

Download Submit
C:\temp\bfkaabe

Filesize
4B

MD5
5def3cd62a5a37515d6b8d2652ce250b

SHA1
d2af952d9cd45e335ef2f0aa3676cb22389155e0

SHA256
24a0e134d9ef4317a52f599c50fcb1ff8a3ae8986169d90ce4f400f3319bf970

SHA512
61b5d0fea03bd0e5976928f633d0779167901916063467a6a2411536451011c2b93fea7ea555241dd23110843e0e993bb5c5075ac53c293339d58395a7324c7a

Download Submit
C:\temp\fhckdae

Filesize
4B

MD5
7b0212cc7f1deca467ab7efce0cecee4

SHA1
3edc1bcd7bf5e4426fa7428bfb7c38e4534d2bb0

SHA256
48f9c4a72e68be5c6365a06e6c4f2145f7ce131fc971a942adb239987d1ba17c

SHA512
10f487c7cda115c6c1d885ae758a521a9a0f8d70c4f742db7943ff2478b034b57d2914d4a678946577a1113a2262d94c67b3a2651179bec6a775e202d84cc184

Download Submit
C:\temp\fhckdae

Filesize
4B

MD5
0c86517563f3d486867edaba79a0af73

SHA1
189b274cd9aa7529ad70f44e74d7c3fce1dec884

SHA256
ea14a98f951cafb4b220ba4a19de64875912b525e6b734668b13963f8c2063fe

SHA512
5c6d0363f9e154e47ce7e9847d9811ad456bbe3a22d7d7bd0721644a6b1f307ad907337f90be6b7cc1e0dc2e480684ceffc375835e0dd4803b54ee2a81640625

Download Submit
\??\c:\temp\test\script.a3x

Filesize
582KB

MD5
b2c9d26b88f20b4308bb3bafb91dac11

SHA1
72d61a8c404e77312c3c86722563b4804190a124

SHA256
98d2e34e1fb92e8180621e0d0cfd6c8e4730cb85ba8f29b4153a85fcb036b4a3

SHA512
908c36b190d7d36b3a24d0ee0f7a5f91cf05bc289fd942c8d5fa253b41b49664b3657b3c53d180702d66366171354619b7d5c63301dccec1bdb3ab82e1c10feb

Download Submit
\temp\test\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/2656-4-0x0000000004560000-0x0000000006379000-memory.dmp

Filesize
30.1MB

Download
memory/2656-6-0x0000000002740000-0x00000000028B8000-memory.dmp

Filesize
1.5MB

Download
memory/2656-0-0x0000000002740000-0x0000000004554000-memory.dmp

Filesize
30.1MB

Download
memory/2776-30-0x0000000003060000-0x00000000033B5000-memory.dmp

Filesize
3.3MB

Download
memory/2776-18-0x0000000003060000-0x00000000033B5000-memory.dmp

Filesize
3.3MB

Download
memory/2776-17-0x0000000000C60000-0x0000000001060000-memory.dmp

Filesize
4.0MB

Download
memory/2856-33-0x0000000001E20000-0x00000000025C2000-memory.dmp

Filesize
7.6MB

Download
memory/2856-40-0x0000000001E20000-0x00000000025C2000-memory.dmp

Filesize
7.6MB

Download
memory/2856-41-0x0000000001E20000-0x00000000025C2000-memory.dmp

Filesize
7.6MB

Download
memory/2856-39-0x0000000001E20000-0x00000000025C2000-memory.dmp

Filesize
7.6MB

Download
memory/2856-42-0x0000000001E20000-0x00000000025C2000-memory.dmp

Filesize
7.6MB

Download
memory/2856-43-0x0000000001E20000-0x00000000025C2000-memory.dmp

Filesize
7.6MB

Download
memory/3016-44-0x0000000001DD0000-0x0000000002572000-memory.dmp

Filesize
7.6MB

Download