darkgate | 42062dfe685a1d6b652b0bd4ef0393c165a5c6770d74507cd3defa0b22defb2d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-12_e26553384a0f60f66d3e95f11fd4bdb0_avoslocker_hijackloader_luca-stealer.exe
Size

2.2MB
MD5

e26553384a0f60f66d3e95f11fd4bdb0
SHA1

601809dc0aa1a2d195de9a5bd864b218a8e0c03e
SHA256

42062dfe685a1d6b652b0bd4ef0393c165a5c6770d74507cd3defa0b22defb2d
SHA512

653bcd2917a7165597ed0f4413babe55623af5d87405b516b9e49003a76152b212cf6fd66c83d2aa3b9e4ab3c8c090e8947c09785aeaa28c385aad0442b0bd34
SSDEEP

49152:6EcPUz0VuTpPc4JrA5aR3UD9Cc/rENUwwiw4jm59J92mbd4H57+dIxEZVKzr7n:N0VQP1JrA5+l+92mbOH5zKk

Score

10^/10

darkgate drk3 discovery execution persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

drk3

todayput.shop

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
sEhfQzVh
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
drk3

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 11 IoCs

resource	yara_rule
behavioral2/memory/2212-9-0x0000000003BD0000-0x0000000003F25000-memory.dmp	family_darkgate_v6
behavioral2/memory/4548-22-0x00000000023A0000-0x0000000002B42000-memory.dmp	family_darkgate_v6
behavioral2/memory/2212-23-0x0000000003BD0000-0x0000000003F25000-memory.dmp	family_darkgate_v6
behavioral2/memory/4548-26-0x00000000023A0000-0x0000000002B42000-memory.dmp	family_darkgate_v6
behavioral2/memory/4548-33-0x00000000023A0000-0x0000000002B42000-memory.dmp	family_darkgate_v6
behavioral2/memory/4548-34-0x00000000023A0000-0x0000000002B42000-memory.dmp	family_darkgate_v6
behavioral2/memory/4548-35-0x00000000023A0000-0x0000000002B42000-memory.dmp	family_darkgate_v6
behavioral2/memory/4548-32-0x00000000023A0000-0x0000000002B42000-memory.dmp	family_darkgate_v6
behavioral2/memory/4548-36-0x00000000023A0000-0x0000000002B42000-memory.dmp	family_darkgate_v6
behavioral2/memory/3312-37-0x0000000002940000-0x00000000030E2000-memory.dmp	family_darkgate_v6
behavioral2/memory/4548-38-0x00000000023A0000-0x0000000002B42000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 2212 created 4088	2212	Autoit3.exe	61
PID 2212 created 4116	2212	Autoit3.exe	75
PID 2212 created 4000	2212	Autoit3.exe	60
PID 4548 created 3848	4548	GoogleUpdateCore.exe	58

Executes dropped EXE 1 IoCs

pid	Process
2212	Autoit3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eccfack = "\"C:\\ProgramData\\fddgcfe\\Autoit3.exe\" C:\\ProgramData\\fddgcfe\\fcdfghc.a3x"	GoogleUpdateCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eccfack = "\"C:\\ProgramData\\fddgcfe\\Autoit3.exe\" C:\\ProgramData\\fddgcfe\\fcdfghc.a3x"	GoogleUpdateCore.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
2212	Autoit3.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-12_e26553384a0f60f66d3e95f11fd4bdb0_avoslocker_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2212	Autoit3.exe
2212	Autoit3.exe
2212	Autoit3.exe
2212	Autoit3.exe
2212	Autoit3.exe
2212	Autoit3.exe
2212	Autoit3.exe
2212	Autoit3.exe
4548	GoogleUpdateCore.exe
4548	GoogleUpdateCore.exe
4548	GoogleUpdateCore.exe
4548	GoogleUpdateCore.exe
3312	GoogleUpdateCore.exe
3312	GoogleUpdateCore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4548	GoogleUpdateCore.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4272	WMIC.exe
Token: SeSecurityPrivilege	4272	WMIC.exe
Token: SeTakeOwnershipPrivilege	4272	WMIC.exe
Token: SeLoadDriverPrivilege	4272	WMIC.exe
Token: SeSystemProfilePrivilege	4272	WMIC.exe
Token: SeSystemtimePrivilege	4272	WMIC.exe
Token: SeProfSingleProcessPrivilege	4272	WMIC.exe
Token: SeIncBasePriorityPrivilege	4272	WMIC.exe
Token: SeCreatePagefilePrivilege	4272	WMIC.exe
Token: SeBackupPrivilege	4272	WMIC.exe
Token: SeRestorePrivilege	4272	WMIC.exe
Token: SeShutdownPrivilege	4272	WMIC.exe
Token: SeDebugPrivilege	4272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4272	WMIC.exe
Token: SeRemoteShutdownPrivilege	4272	WMIC.exe
Token: SeUndockPrivilege	4272	WMIC.exe
Token: SeManageVolumePrivilege	4272	WMIC.exe
Token: 33	4272	WMIC.exe
Token: 34	4272	WMIC.exe
Token: 35	4272	WMIC.exe
Token: 36	4272	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4272	WMIC.exe
Token: SeSecurityPrivilege	4272	WMIC.exe
Token: SeTakeOwnershipPrivilege	4272	WMIC.exe
Token: SeLoadDriverPrivilege	4272	WMIC.exe
Token: SeSystemProfilePrivilege	4272	WMIC.exe
Token: SeSystemtimePrivilege	4272	WMIC.exe
Token: SeProfSingleProcessPrivilege	4272	WMIC.exe
Token: SeIncBasePriorityPrivilege	4272	WMIC.exe
Token: SeCreatePagefilePrivilege	4272	WMIC.exe
Token: SeBackupPrivilege	4272	WMIC.exe
Token: SeRestorePrivilege	4272	WMIC.exe
Token: SeShutdownPrivilege	4272	WMIC.exe
Token: SeDebugPrivilege	4272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4272	WMIC.exe
Token: SeRemoteShutdownPrivilege	4272	WMIC.exe
Token: SeUndockPrivilege	4272	WMIC.exe
Token: SeManageVolumePrivilege	4272	WMIC.exe
Token: 33	4272	WMIC.exe
Token: 34	4272	WMIC.exe
Token: 35	4272	WMIC.exe
Token: 36	4272	WMIC.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2212	2160	2024-12-12_e26553384a0f60f66d3e95f11fd4bdb0_avoslocker_hijackloader_luca-stealer.exe	88
PID 2160 wrote to memory of 2212	2160	2024-12-12_e26553384a0f60f66d3e95f11fd4bdb0_avoslocker_hijackloader_luca-stealer.exe	88
PID 2160 wrote to memory of 2212	2160	2024-12-12_e26553384a0f60f66d3e95f11fd4bdb0_avoslocker_hijackloader_luca-stealer.exe	88
PID 2212 wrote to memory of 3300	2212	Autoit3.exe	89
PID 2212 wrote to memory of 3300	2212	Autoit3.exe	89
PID 2212 wrote to memory of 3300	2212	Autoit3.exe	89
PID 3300 wrote to memory of 4272	3300	cmd.exe	91
PID 3300 wrote to memory of 4272	3300	cmd.exe	91
PID 3300 wrote to memory of 4272	3300	cmd.exe	91
PID 2212 wrote to memory of 4548	2212	Autoit3.exe	94
PID 2212 wrote to memory of 4548	2212	Autoit3.exe	94
PID 2212 wrote to memory of 4548	2212	Autoit3.exe	94
PID 2212 wrote to memory of 4548	2212	Autoit3.exe	94
PID 4548 wrote to memory of 3312	4548	GoogleUpdateCore.exe	99
PID 4548 wrote to memory of 3312	4548	GoogleUpdateCore.exe	99
PID 4548 wrote to memory of 3312	4548	GoogleUpdateCore.exe	99
PID 4548 wrote to memory of 3312	4548	GoogleUpdateCore.exe	99

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3848
- C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3312

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4000
- C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:4548

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4088

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\2024-12-12_e26553384a0f60f66d3e95f11fd4bdb0_avoslocker_hijackloader_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-12_e26553384a0f60f66d3e95f11fd4bdb0_avoslocker_hijackloader_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- \??\c:\temp\test\Autoit3.exe
  "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Command and Scripting Interpreter: AutoIT
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2212
- - \??\c:\windows\SysWOW64\cmd.exe
    "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\fddgcfe\gdgcdae
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3300
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get domain
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fddgcfe\eakkaac

Filesize
1KB

MD5
e0ceede5bd56fffc2c95d4116f32b511

SHA1
f60f0e19a63dc00e831d08e41433673386e0ea0b

SHA256
7882d65dbc50ce4607990df4a378aaf7b3b2d47881b7c85e62d7f7d33f1e7f80

SHA512
d7ecd01cdd180c822b281f6ae6b5f1e4c125956ea8137d2391a4e2c3ca7c9919fa535b7ae2878359cdff629144b34065df340162942e5ec32b3a4ae1dba3fbda

Download Submit
C:\ProgramData\fddgcfe\gdgcdae

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\Users\Admin\AppData\Roaming\GbcfHbD

Filesize
32B

MD5
80c34651988d6cdb5d66e8002647c81f

SHA1
11b3c9a9a130401d8ba1008a8d11a5a6be32263b

SHA256
887b9651e4080a0b981fdde2c3b121b9601c98ec3a0c7016437b57d52e0ca02a

SHA512
59f1b0d76a14c622da73106527d8a62facaded4dfb3ffe5c85fe3995a8799a32f139105b31f19ee1f286e4f3c845eba233bfcf19aa8c26e0234b21149c91fc51

Download Submit
C:\temp\ahaagfg

Filesize
4B

MD5
0aac6b9fc8e69b8631f4b98ff650a65f

SHA1
e8d9cafa0f7645c93454b9e7abc4b4c5dc32f02b

SHA256
670b676f81cf4d0c934ba67e2f27cff9fc9b0d59a1d06fe3b504e403a33919e6

SHA512
069581e65d126e2729b3348c7358f0105449079cc8b39ad85aecc2b61066a86553e4d40ba77b8d0e8285bd02dfa8cd64ba1ec2c36ddca3982d6981dcbdeaa16c

Download Submit
C:\temp\fhabffe

Filesize
4B

MD5
5fee45286341e9e4cfff6011743f082c

SHA1
4c78d356053e48c9d1eaa69847ae9f088db5cf28

SHA256
4dcb69d1e56a5ce07159ef9372aa1d56643212712ccdcbd1ee968cd53b3f71d0

SHA512
ccad271a3bc17594d6e65c78f6afacb598b750bdcb74d362e67d10f4b6d26f09a451af61832bfd3c559f8ffb9a11420b1e8f587e1b45233de45e976ae9f05808

Download Submit
C:\temp\fhabffe

Filesize
4B

MD5
6c34ed9e567b25956fc59a6913556215

SHA1
2f8b650e5035013b5ad582f70ca17202ce94e9ff

SHA256
d00eade9e3dda524a724c951b23d449bf8a62d7223eec84a2a80d7b4dc527415

SHA512
b08be70bf91c80df976e7e07c155a28cd3a19040df01549ada92f981abf2b56faf80fa53bad36d48d7a5e120322b44b8626e159f896076124ab6115c70bba174

Download Submit
C:\temp\test\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\test\script.a3x

Filesize
581KB

MD5
2bf27a4ef77513aa86659950f589a089

SHA1
e5238f7403f90cc1998f312504707c86585f9da5

SHA256
fce2d534623887f17922412cd8b9e4313a695db76573d69dda0f2693b3a0353f

SHA512
3c599dc4b5b88966f4657130324d122191500e1ecf4ac912a7c7d31c3d35b2fab9e951831484b63e4d0cfcaabfc7a305e4b91c448533fc1f2e2d4f6ad30fdb9d

Download Submit
memory/2160-1-0x0000000002780000-0x00000000028FB000-memory.dmp

Filesize
1.5MB

Download
memory/2160-5-0x0000000002780000-0x00000000028FB000-memory.dmp

Filesize
1.5MB

Download
memory/2212-23-0x0000000003BD0000-0x0000000003F25000-memory.dmp

Filesize
3.3MB

Download
memory/2212-9-0x0000000003BD0000-0x0000000003F25000-memory.dmp

Filesize
3.3MB

Download
memory/2212-8-0x0000000000F10000-0x0000000001310000-memory.dmp

Filesize
4.0MB

Download
memory/3312-37-0x0000000002940000-0x00000000030E2000-memory.dmp

Filesize
7.6MB

Download
memory/4548-26-0x00000000023A0000-0x0000000002B42000-memory.dmp

Filesize
7.6MB

Download
memory/4548-22-0x00000000023A0000-0x0000000002B42000-memory.dmp

Filesize
7.6MB

Download
memory/4548-33-0x00000000023A0000-0x0000000002B42000-memory.dmp

Filesize
7.6MB

Download
memory/4548-34-0x00000000023A0000-0x0000000002B42000-memory.dmp

Filesize
7.6MB

Download
memory/4548-35-0x00000000023A0000-0x0000000002B42000-memory.dmp

Filesize
7.6MB

Download
memory/4548-32-0x00000000023A0000-0x0000000002B42000-memory.dmp

Filesize
7.6MB

Download
memory/4548-36-0x00000000023A0000-0x0000000002B42000-memory.dmp

Filesize
7.6MB

Download
memory/4548-38-0x00000000023A0000-0x0000000002B42000-memory.dmp

Filesize
7.6MB

Download