darkgate | 71d381c6bb60a155304bfc532f53caef17de842fbeee76c66def4a47f299fa92

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-12_3e9c3cc6b0f1e8e8724377eb82909ff8_avoslocker_hijackloader_luca-stealer.exe
Size

2.2MB
MD5

3e9c3cc6b0f1e8e8724377eb82909ff8
SHA1

313b0effb543efa6264e57fb5b6a2a048c57708d
SHA256

71d381c6bb60a155304bfc532f53caef17de842fbeee76c66def4a47f299fa92
SHA512

c87291bbb6916ed3ae4084302405b7e2a83432260502f599563644c3485010ed6977e5544468b933afee25ba8b09427f69e660c0c9085f7aa7e0b4b0bfdebd0c
SSDEEP

49152:6EcPUz0VuTpPc4JrA5aR3UD9Cc/rENUwwiw4jm59J92mbd4H57+dIxEZVKzr71:N0VQP1JrA5+l+92mbOH5zKg

Score

10^/10

darkgate drk3 discovery execution persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

drk3

todayput.shop

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
sEhfQzVh
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
drk3

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 11 IoCs

resource	yara_rule
behavioral2/memory/5104-9-0x0000000004480000-0x00000000047D5000-memory.dmp	family_darkgate_v6
behavioral2/memory/3056-22-0x0000000002640000-0x0000000002DE2000-memory.dmp	family_darkgate_v6
behavioral2/memory/5104-23-0x0000000004480000-0x00000000047D5000-memory.dmp	family_darkgate_v6
behavioral2/memory/3056-26-0x0000000002640000-0x0000000002DE2000-memory.dmp	family_darkgate_v6
behavioral2/memory/3056-33-0x0000000002640000-0x0000000002DE2000-memory.dmp	family_darkgate_v6
behavioral2/memory/3056-34-0x0000000002640000-0x0000000002DE2000-memory.dmp	family_darkgate_v6
behavioral2/memory/3056-35-0x0000000002640000-0x0000000002DE2000-memory.dmp	family_darkgate_v6
behavioral2/memory/3056-32-0x0000000002640000-0x0000000002DE2000-memory.dmp	family_darkgate_v6
behavioral2/memory/3056-36-0x0000000002640000-0x0000000002DE2000-memory.dmp	family_darkgate_v6
behavioral2/memory/4764-37-0x0000000002A80000-0x0000000003222000-memory.dmp	family_darkgate_v6
behavioral2/memory/3056-38-0x0000000002640000-0x0000000002DE2000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 5104 created 4924	5104	Autoit3.exe	75
PID 5104 created 2396	5104	Autoit3.exe	42
PID 3056 created 4052	3056	GoogleUpdateCore.exe	61
PID 3056 created 4924	3056	GoogleUpdateCore.exe	75
PID 3056 created 3820	3056	GoogleUpdateCore.exe	58

Executes dropped EXE 1 IoCs

pid	Process
5104	Autoit3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fdbakhg = "\"C:\\ProgramData\\badefgf\\Autoit3.exe\" C:\\ProgramData\\badefgf\\dbbkfaa.a3x"	GoogleUpdateCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fdbakhg = "\"C:\\ProgramData\\badefgf\\Autoit3.exe\" C:\\ProgramData\\badefgf\\dbbkfaa.a3x"	GoogleUpdateCore.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
5104	Autoit3.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-12_3e9c3cc6b0f1e8e8724377eb82909ff8_avoslocker_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
5104	Autoit3.exe
5104	Autoit3.exe
5104	Autoit3.exe
5104	Autoit3.exe
5104	Autoit3.exe
5104	Autoit3.exe
3056	GoogleUpdateCore.exe
3056	GoogleUpdateCore.exe
3056	GoogleUpdateCore.exe
3056	GoogleUpdateCore.exe
3056	GoogleUpdateCore.exe
3056	GoogleUpdateCore.exe
3056	GoogleUpdateCore.exe
3056	GoogleUpdateCore.exe
4764	GoogleUpdateCore.exe
4764	GoogleUpdateCore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3056	GoogleUpdateCore.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4624	WMIC.exe
Token: SeSecurityPrivilege	4624	WMIC.exe
Token: SeTakeOwnershipPrivilege	4624	WMIC.exe
Token: SeLoadDriverPrivilege	4624	WMIC.exe
Token: SeSystemProfilePrivilege	4624	WMIC.exe
Token: SeSystemtimePrivilege	4624	WMIC.exe
Token: SeProfSingleProcessPrivilege	4624	WMIC.exe
Token: SeIncBasePriorityPrivilege	4624	WMIC.exe
Token: SeCreatePagefilePrivilege	4624	WMIC.exe
Token: SeBackupPrivilege	4624	WMIC.exe
Token: SeRestorePrivilege	4624	WMIC.exe
Token: SeShutdownPrivilege	4624	WMIC.exe
Token: SeDebugPrivilege	4624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4624	WMIC.exe
Token: SeRemoteShutdownPrivilege	4624	WMIC.exe
Token: SeUndockPrivilege	4624	WMIC.exe
Token: SeManageVolumePrivilege	4624	WMIC.exe
Token: 33	4624	WMIC.exe
Token: 34	4624	WMIC.exe
Token: 35	4624	WMIC.exe
Token: 36	4624	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4624	WMIC.exe
Token: SeSecurityPrivilege	4624	WMIC.exe
Token: SeTakeOwnershipPrivilege	4624	WMIC.exe
Token: SeLoadDriverPrivilege	4624	WMIC.exe
Token: SeSystemProfilePrivilege	4624	WMIC.exe
Token: SeSystemtimePrivilege	4624	WMIC.exe
Token: SeProfSingleProcessPrivilege	4624	WMIC.exe
Token: SeIncBasePriorityPrivilege	4624	WMIC.exe
Token: SeCreatePagefilePrivilege	4624	WMIC.exe
Token: SeBackupPrivilege	4624	WMIC.exe
Token: SeRestorePrivilege	4624	WMIC.exe
Token: SeShutdownPrivilege	4624	WMIC.exe
Token: SeDebugPrivilege	4624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4624	WMIC.exe
Token: SeRemoteShutdownPrivilege	4624	WMIC.exe
Token: SeUndockPrivilege	4624	WMIC.exe
Token: SeManageVolumePrivilege	4624	WMIC.exe
Token: 33	4624	WMIC.exe
Token: 34	4624	WMIC.exe
Token: 35	4624	WMIC.exe
Token: 36	4624	WMIC.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 5104	5112	2024-12-12_3e9c3cc6b0f1e8e8724377eb82909ff8_avoslocker_hijackloader_luca-stealer.exe	86
PID 5112 wrote to memory of 5104	5112	2024-12-12_3e9c3cc6b0f1e8e8724377eb82909ff8_avoslocker_hijackloader_luca-stealer.exe	86
PID 5112 wrote to memory of 5104	5112	2024-12-12_3e9c3cc6b0f1e8e8724377eb82909ff8_avoslocker_hijackloader_luca-stealer.exe	86
PID 5104 wrote to memory of 2080	5104	Autoit3.exe	87
PID 5104 wrote to memory of 2080	5104	Autoit3.exe	87
PID 5104 wrote to memory of 2080	5104	Autoit3.exe	87
PID 2080 wrote to memory of 4624	2080	cmd.exe	91
PID 2080 wrote to memory of 4624	2080	cmd.exe	91
PID 2080 wrote to memory of 4624	2080	cmd.exe	91
PID 5104 wrote to memory of 3056	5104	Autoit3.exe	97
PID 5104 wrote to memory of 3056	5104	Autoit3.exe	97
PID 5104 wrote to memory of 3056	5104	Autoit3.exe	97
PID 5104 wrote to memory of 3056	5104	Autoit3.exe	97
PID 3056 wrote to memory of 4764	3056	GoogleUpdateCore.exe	100
PID 3056 wrote to memory of 4764	3056	GoogleUpdateCore.exe	100
PID 3056 wrote to memory of 4764	3056	GoogleUpdateCore.exe	100
PID 3056 wrote to memory of 4764	3056	GoogleUpdateCore.exe	100

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2396
- C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3056

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3820
- C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4764

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4052

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\2024-12-12_3e9c3cc6b0f1e8e8724377eb82909ff8_avoslocker_hijackloader_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-12_3e9c3cc6b0f1e8e8724377eb82909ff8_avoslocker_hijackloader_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5112
- \??\c:\temp\test\Autoit3.exe
  "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Command and Scripting Interpreter: AutoIT
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5104
- - \??\c:\windows\SysWOW64\cmd.exe
    "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\badefgf\eakfhhd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get domain
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\badefgf\eakfhhd

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\ProgramData\badefgf\fkhfhfd

Filesize
1KB

MD5
fd828f49cdf26571179803bd976b41ca

SHA1
062429e4d129f737d37f94ca9a5f62fc35a431da

SHA256
af50e01ab94c8d3e82bf8c1206e6c237b507e88230098f1b47f852ee70af56e6

SHA512
fa9d6e00a8f5045044502592fb6b320a273454d3eb201154ec7ff8ce53bff65647ee29369f628220b92c265cb8d4631f1712686de6e9da346441bdf06037758e

Download Submit
C:\Users\Admin\AppData\Roaming\eehKdEK

Filesize
32B

MD5
ec64aadb3f9bfadca7cbeefa3ebfc274

SHA1
b5a46b0114c5709bf365c85d48803a27a246ef1f

SHA256
fd730bf5847c6b956b711cd428899be05174c15dbb60fea4f7c9f2e089730a6a

SHA512
2681f1ada69b37ee30581d043e0e6f5e46056b821f5c7c67d26fdf912b2b201663acf86289586b1787e6f0c084a0bb83e473daabd878a6d5e2b941ceffe8f02e

Download Submit
C:\temp\acbcbef

Filesize
4B

MD5
e819bf948fb013c5cedbfbf5348c7658

SHA1
25a3086af3be03d472f101db8647510303793018

SHA256
dfd2046356160be773f2085a3ea64776a31f2794d5678b55249dcac0639bb479

SHA512
8dab8868bf5ea5ddad0fe2a054441282a8af8d9621759fcb7c329e1688c2941edfe2eb187a7f24fdea2f995d3edf4a870d3f65e8be26f8941591208049273a5c

Download Submit
C:\temp\fdafhcc

Filesize
4B

MD5
5ff72db876ea09f7f58ad23803345959

SHA1
c2487355e448e0b89715d6ac0708ffb46efd46cb

SHA256
235ead7c06ca3031fb4480fa603ebc760e340db6dae2ae2147bf2e922f6ffc5c

SHA512
6a9efbb37cbe2e07efd48e259aa4c7f0d370aff76f1121d088a1f27e02d9b2b0d4c3536a2c7784128e96e376d7395bf30f0210e82dd75c241b66adacbca6021e

Download Submit
C:\temp\fdafhcc

Filesize
4B

MD5
43a6eba10562d2b333744286b9e6c447

SHA1
6243ece19098b623a2fbbcddb705a0d535c13210

SHA256
406bbaba2aa2b198f5f6e471925d6944a317d5dc074ff8e2673bd6bae29765fa

SHA512
21c2a24f4c87784aa00a311f86ade3aff1b3a0d6ff00db96c9024751e24efc175e889921bd49eb685bd40fe5e78e58810759664948ca8e59e2d3d9a3264a7d19

Download Submit
C:\temp\test\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\test\script.a3x

Filesize
581KB

MD5
2bf27a4ef77513aa86659950f589a089

SHA1
e5238f7403f90cc1998f312504707c86585f9da5

SHA256
fce2d534623887f17922412cd8b9e4313a695db76573d69dda0f2693b3a0353f

SHA512
3c599dc4b5b88966f4657130324d122191500e1ecf4ac912a7c7d31c3d35b2fab9e951831484b63e4d0cfcaabfc7a305e4b91c448533fc1f2e2d4f6ad30fdb9d

Download Submit
memory/3056-36-0x0000000002640000-0x0000000002DE2000-memory.dmp

Filesize
7.6MB

Download
memory/3056-38-0x0000000002640000-0x0000000002DE2000-memory.dmp

Filesize
7.6MB

Download
memory/3056-22-0x0000000002640000-0x0000000002DE2000-memory.dmp

Filesize
7.6MB

Download
memory/3056-32-0x0000000002640000-0x0000000002DE2000-memory.dmp

Filesize
7.6MB

Download
memory/3056-26-0x0000000002640000-0x0000000002DE2000-memory.dmp

Filesize
7.6MB

Download
memory/3056-35-0x0000000002640000-0x0000000002DE2000-memory.dmp

Filesize
7.6MB

Download
memory/3056-33-0x0000000002640000-0x0000000002DE2000-memory.dmp

Filesize
7.6MB

Download
memory/3056-34-0x0000000002640000-0x0000000002DE2000-memory.dmp

Filesize
7.6MB

Download
memory/4764-37-0x0000000002A80000-0x0000000003222000-memory.dmp

Filesize
7.6MB

Download
memory/5104-9-0x0000000004480000-0x00000000047D5000-memory.dmp

Filesize
3.3MB

Download
memory/5104-23-0x0000000004480000-0x00000000047D5000-memory.dmp

Filesize
3.3MB

Download
memory/5104-8-0x0000000000FB0000-0x00000000013B0000-memory.dmp

Filesize
4.0MB

Download
memory/5112-1-0x0000000002700000-0x000000000287B000-memory.dmp

Filesize
1.5MB

Download
memory/5112-5-0x0000000002700000-0x000000000287B000-memory.dmp

Filesize
1.5MB

Download