darkgate | 476cc1cc38157e647526ed2c8b295abe68e316c05ad33796b4df0a0b20f9a11d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-11_89431de4fd8ed4f4cc9ed7e55057580f_luca-stealer_magniber.exe
Size

4.5MB
MD5

89431de4fd8ed4f4cc9ed7e55057580f
SHA1

a00e9a3a4f7ded604b8b739db6c8de22ae5a9c58
SHA256

476cc1cc38157e647526ed2c8b295abe68e316c05ad33796b4df0a0b20f9a11d
SHA512

cebca184d9ce7f2e9e5dd10c6d0137ecc763d6a69d6d21b297286de020e93099b3d7be6c215cd2b3289c11aa4de0cd3cea860c4a37c3f9c0bde1bd90f5dc41e4
SSDEEP

98304:bFO4oV0MYjRj6N/MftXyfSoQdATd/2kUs8SN43:bFOjVLYjR2NiXwSoOAB/2Rs8SN4

Score

10^/10

darkgate drk3 discovery execution persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

drk3

todayput.shop

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
XqDIpWGY
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
drk3

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 11 IoCs

resource	yara_rule
behavioral2/memory/744-16-0x00000000044B0000-0x0000000004805000-memory.dmp	family_darkgate_v6
behavioral2/memory/2360-28-0x0000000002E10000-0x00000000035B2000-memory.dmp	family_darkgate_v6
behavioral2/memory/744-29-0x00000000044B0000-0x0000000004805000-memory.dmp	family_darkgate_v6
behavioral2/memory/2360-32-0x0000000002E10000-0x00000000035B2000-memory.dmp	family_darkgate_v6
behavioral2/memory/2360-39-0x0000000002E10000-0x00000000035B2000-memory.dmp	family_darkgate_v6
behavioral2/memory/2360-40-0x0000000002E10000-0x00000000035B2000-memory.dmp	family_darkgate_v6
behavioral2/memory/2360-41-0x0000000002E10000-0x00000000035B2000-memory.dmp	family_darkgate_v6
behavioral2/memory/2360-42-0x0000000002E10000-0x00000000035B2000-memory.dmp	family_darkgate_v6
behavioral2/memory/2360-38-0x0000000002E10000-0x00000000035B2000-memory.dmp	family_darkgate_v6
behavioral2/memory/3312-43-0x0000000003000000-0x00000000037A2000-memory.dmp	family_darkgate_v6
behavioral2/memory/2360-44-0x0000000002E10000-0x00000000035B2000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs

description	pid	Process	procid_target
PID 744 created 3812	744	Autoit3.exe	59
PID 744 created 2556	744	Autoit3.exe	74
PID 744 created 2556	744	Autoit3.exe	74
PID 744 created 3812	744	Autoit3.exe	59
PID 744 created 3956	744	Autoit3.exe	61
PID 744 created 2556	744	Autoit3.exe	74
PID 744 created 3812	744	Autoit3.exe	59
PID 744 created 2868	744	Autoit3.exe	49
PID 2360 created 3720	2360	GoogleUpdateCore.exe	58

Executes dropped EXE 1 IoCs

pid	Process
744	Autoit3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hhfaech = "\"C:\\ProgramData\\cdbcdfc\\Autoit3.exe\" C:\\ProgramData\\cdbcdfc\\fdeaebh.a3x"	GoogleUpdateCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hhfaech = "\"C:\\ProgramData\\cdbcdfc\\Autoit3.exe\" C:\\ProgramData\\cdbcdfc\\fdeaebh.a3x"	GoogleUpdateCore.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
744	Autoit3.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-11_89431de4fd8ed4f4cc9ed7e55057580f_luca-stealer_magniber.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
744	Autoit3.exe
744	Autoit3.exe
744	Autoit3.exe
744	Autoit3.exe
744	Autoit3.exe
744	Autoit3.exe
744	Autoit3.exe
744	Autoit3.exe
744	Autoit3.exe
744	Autoit3.exe
744	Autoit3.exe
744	Autoit3.exe
744	Autoit3.exe
744	Autoit3.exe
744	Autoit3.exe
744	Autoit3.exe
744	Autoit3.exe
744	Autoit3.exe
2360	GoogleUpdateCore.exe
2360	GoogleUpdateCore.exe
2360	GoogleUpdateCore.exe
2360	GoogleUpdateCore.exe
3312	GoogleUpdateCore.exe
3312	GoogleUpdateCore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2360	GoogleUpdateCore.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2708	WMIC.exe
Token: SeSecurityPrivilege	2708	WMIC.exe
Token: SeTakeOwnershipPrivilege	2708	WMIC.exe
Token: SeLoadDriverPrivilege	2708	WMIC.exe
Token: SeSystemProfilePrivilege	2708	WMIC.exe
Token: SeSystemtimePrivilege	2708	WMIC.exe
Token: SeProfSingleProcessPrivilege	2708	WMIC.exe
Token: SeIncBasePriorityPrivilege	2708	WMIC.exe
Token: SeCreatePagefilePrivilege	2708	WMIC.exe
Token: SeBackupPrivilege	2708	WMIC.exe
Token: SeRestorePrivilege	2708	WMIC.exe
Token: SeShutdownPrivilege	2708	WMIC.exe
Token: SeDebugPrivilege	2708	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2708	WMIC.exe
Token: SeRemoteShutdownPrivilege	2708	WMIC.exe
Token: SeUndockPrivilege	2708	WMIC.exe
Token: SeManageVolumePrivilege	2708	WMIC.exe
Token: 33	2708	WMIC.exe
Token: 34	2708	WMIC.exe
Token: 35	2708	WMIC.exe
Token: 36	2708	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2708	WMIC.exe
Token: SeSecurityPrivilege	2708	WMIC.exe
Token: SeTakeOwnershipPrivilege	2708	WMIC.exe
Token: SeLoadDriverPrivilege	2708	WMIC.exe
Token: SeSystemProfilePrivilege	2708	WMIC.exe
Token: SeSystemtimePrivilege	2708	WMIC.exe
Token: SeProfSingleProcessPrivilege	2708	WMIC.exe
Token: SeIncBasePriorityPrivilege	2708	WMIC.exe
Token: SeCreatePagefilePrivilege	2708	WMIC.exe
Token: SeBackupPrivilege	2708	WMIC.exe
Token: SeRestorePrivilege	2708	WMIC.exe
Token: SeShutdownPrivilege	2708	WMIC.exe
Token: SeDebugPrivilege	2708	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2708	WMIC.exe
Token: SeRemoteShutdownPrivilege	2708	WMIC.exe
Token: SeUndockPrivilege	2708	WMIC.exe
Token: SeManageVolumePrivilege	2708	WMIC.exe
Token: 33	2708	WMIC.exe
Token: 34	2708	WMIC.exe
Token: 35	2708	WMIC.exe
Token: 36	2708	WMIC.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 744	1980	2024-12-11_89431de4fd8ed4f4cc9ed7e55057580f_luca-stealer_magniber.exe	83
PID 1980 wrote to memory of 744	1980	2024-12-11_89431de4fd8ed4f4cc9ed7e55057580f_luca-stealer_magniber.exe	83
PID 1980 wrote to memory of 744	1980	2024-12-11_89431de4fd8ed4f4cc9ed7e55057580f_luca-stealer_magniber.exe	83
PID 744 wrote to memory of 2724	744	Autoit3.exe	84
PID 744 wrote to memory of 2724	744	Autoit3.exe	84
PID 744 wrote to memory of 2724	744	Autoit3.exe	84
PID 2724 wrote to memory of 2708	2724	cmd.exe	86
PID 2724 wrote to memory of 2708	2724	cmd.exe	86
PID 2724 wrote to memory of 2708	2724	cmd.exe	86
PID 744 wrote to memory of 2360	744	Autoit3.exe	88
PID 744 wrote to memory of 2360	744	Autoit3.exe	88
PID 744 wrote to memory of 2360	744	Autoit3.exe	88
PID 744 wrote to memory of 2360	744	Autoit3.exe	88
PID 2360 wrote to memory of 3312	2360	GoogleUpdateCore.exe	94
PID 2360 wrote to memory of 3312	2360	GoogleUpdateCore.exe	94
PID 2360 wrote to memory of 3312	2360	GoogleUpdateCore.exe	94
PID 2360 wrote to memory of 3312	2360	GoogleUpdateCore.exe	94

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2868
- C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2360

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3720
- C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3312

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3812

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3956

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\2024-12-11_89431de4fd8ed4f4cc9ed7e55057580f_luca-stealer_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-11_89431de4fd8ed4f4cc9ed7e55057580f_luca-stealer_magniber.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980
- \??\c:\temp\test\Autoit3.exe
  "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Command and Scripting Interpreter: AutoIT
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:744
- - \??\c:\windows\SysWOW64\cmd.exe
    "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\cdbcdfc\daacbde
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get domain
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cdbcdfc\daacbde

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\ProgramData\cdbcdfc\dcgaaek

Filesize
1KB

MD5
08f534cdee7209a590a0cb0057795850

SHA1
e9b2ea5337510223546b57e75ea813a38f993d12

SHA256
17199f3a7b93098b79c5e335f996ef16ced7ef65a03de5cc5dc1e0afeb9692e3

SHA512
0dc7a1b1c00ccd3c07f7698853ffab3a4ce731bec76e9e38d1c5078a3a255fe126235172ddc155cae2d62d656dbea7eb3fc56b897d5bdb19a8d41c2fb90f99e5

Download Submit
C:\Users\Admin\AppData\Roaming\FHKeace

Filesize
32B

MD5
8004ad0161b042d09b6e7dc37b316147

SHA1
9d8191afab0d04b041e744ad605dd54e85ddf95d

SHA256
71928da23b3a5f71ea96bf8f08ef0b0bb5f62845edba6b7ef587bb1bf2514c5e

SHA512
f747ec6de30b41ce17a503b8e9bac999159c29ecea2b597a3eb6445aece0f703783f360b9cb7d0c4f1389a2450102e10f51b78fdb6abaaaa0a60a7717d70fd22

Download Submit
C:\temp\aafbdba

Filesize
4B

MD5
09285e9e6cc9def027670c541fd89b8d

SHA1
1f270a7266c2585cc176709708686aa2b51838b6

SHA256
1ad2106c34d58c85bdf00412834402b8fe38b30cd18dfca5b76365ea982dd9ab

SHA512
fe28839aa04f0949e54e8ed895aaf21153d4bfb25639ca90a192d88a3beb1a89b05fad835cb7bb69f1f418fcc8b21fdb99307e9752ea54fbd7306999679970ee

Download Submit
C:\temp\ahaebge

Filesize
4B

MD5
c9d3d92184a8eb3d545f96ac0b261502

SHA1
6079a90f76dd0b7e949aa69bf118b71ad1bb6406

SHA256
3a95640c91392fa4bd6ff23ceee79cdd3e70c39e3ff179e33541751d870a508e

SHA512
66e81f82cf95f7e9ddce710c7f70b2896ba99a33fac805c4aa451f9ea34bf36d3b966ee2cd333a8ad128ecbd3c8f628d8d1e74167f9eb6851d7b98afe87ada94

Download Submit
C:\temp\ahaebge

Filesize
4B

MD5
6e60935365ceb62566a82a53a8cc7751

SHA1
b9b737bf4e6b646c433bb56d694176a56b0c17ba

SHA256
42f835a5db16847cde1983869c223cbd94d46d6da13fd30e1b3c50a29ac3a2e0

SHA512
8fa4cfdbb6e278d62fc0edc589240088041e2fc56883c5e259abe8e8f0a55122fd98460600a4648cca1afb67063ca5774c1b40ebdb756187f58a218f8b45cd0a

Download Submit
C:\temp\test\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\test\script.a3x

Filesize
582KB

MD5
b2c9d26b88f20b4308bb3bafb91dac11

SHA1
72d61a8c404e77312c3c86722563b4804190a124

SHA256
98d2e34e1fb92e8180621e0d0cfd6c8e4730cb85ba8f29b4153a85fcb036b4a3

SHA512
908c36b190d7d36b3a24d0ee0f7a5f91cf05bc289fd942c8d5fa253b41b49664b3657b3c53d180702d66366171354619b7d5c63301dccec1bdb3ab82e1c10feb

Download Submit
memory/744-29-0x00000000044B0000-0x0000000004805000-memory.dmp

Filesize
3.3MB

Download
memory/744-16-0x00000000044B0000-0x0000000004805000-memory.dmp

Filesize
3.3MB

Download
memory/744-14-0x00000000017D0000-0x0000000001BD0000-memory.dmp

Filesize
4.0MB

Download
memory/1980-1-0x00000000025FF000-0x0000000002777000-memory.dmp

Filesize
1.5MB

Download
memory/1980-3-0x0000000004420000-0x0000000006239000-memory.dmp

Filesize
30.1MB

Download
memory/2360-39-0x0000000002E10000-0x00000000035B2000-memory.dmp

Filesize
7.6MB

Download
memory/2360-32-0x0000000002E10000-0x00000000035B2000-memory.dmp

Filesize
7.6MB

Download
memory/2360-28-0x0000000002E10000-0x00000000035B2000-memory.dmp

Filesize
7.6MB

Download
memory/2360-40-0x0000000002E10000-0x00000000035B2000-memory.dmp

Filesize
7.6MB

Download
memory/2360-41-0x0000000002E10000-0x00000000035B2000-memory.dmp

Filesize
7.6MB

Download
memory/2360-42-0x0000000002E10000-0x00000000035B2000-memory.dmp

Filesize
7.6MB

Download
memory/2360-38-0x0000000002E10000-0x00000000035B2000-memory.dmp

Filesize
7.6MB

Download
memory/2360-44-0x0000000002E10000-0x00000000035B2000-memory.dmp

Filesize
7.6MB

Download
memory/3312-43-0x0000000003000000-0x00000000037A2000-memory.dmp

Filesize
7.6MB

Download