Resubmissions

16-12-2024 13:13

241216-qf4zvaskdj 10

16-12-2024 13:10

241216-qev1js1mbw 5

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-12-2024 13:13

General

  • Target

    autoit3.exe

  • Size

    872KB

  • MD5

    c56b5f0201a3b3de53e561fe76912bfd

  • SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

  • SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

  • SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • SSDEEP

    12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01

Malware Config

Extracted

Family

darkgate

Botnet

drk3

C2

aspava-yachting.com

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    kDWIiPpI

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    drk3

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

  • Darkgate family
  • Detect DarkGate stealer 11 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Using AutoIT to run a possibly automated script.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1100
      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:2740
      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        2⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2664
    • C:\Users\Admin\AppData\Local\Temp\autoit3.exe
      C:\Users\Admin\AppData\Local\Temp\autoit3.exe script.a3x
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Command and Scripting Interpreter: AutoIT
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2616
      • \??\c:\windows\SysWOW64\cmd.exe
        "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ckfcghe\aefeehh
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2164
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic ComputerSystem get domain
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2084

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\ckfcghe\aefeehh

      Filesize

      54B

      MD5

      c8bbad190eaaa9755c8dfb1573984d81

      SHA1

      17ad91294403223fde66f687450545a2bad72af5

      SHA256

      7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

      SHA512

      05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

    • C:\ProgramData\ckfcghe\edfhdhk

      Filesize

      1KB

      MD5

      8eb879862ce6354c48e8a938240b480d

      SHA1

      ecbcb244091b7b22dc2a5b42aa4ab290271b7a9c

      SHA256

      5309eb3bbf5ce359a2bdf6316a5c7049cccb893bbed28c60f4e5a7dd7d416e39

      SHA512

      f9f6715e463bf30f15a4430e6b00428c70fc8cdf67cebdac0e93edfa801e1d8ea589067f83cab2de6375224cdb7b60b68ba396ffe6bfb30f0353f50e1a429f4a

    • C:\ProgramData\ckfcghe\gbhdgbh.a3x

      Filesize

      585KB

      MD5

      ecee8b8c60cca255f5e35abc3372ed03

      SHA1

      14b7ea450ac07450748bfd810437c89a1c4eae69

      SHA256

      c7377cf160039a8fb2bccac03992cb35da9d5c3097c52b4324526b26fe974ded

      SHA512

      e468130371ec6399fa1f154a9a6408bd86781bad8b5eb6d0edfa1bff520a47d83bf78b557f873cf255b274dfb6bf9ace559856a8bc28af96a59582ff617bbe7a

    • C:\Users\Admin\AppData\Roaming\bEFdbfK

      Filesize

      32B

      MD5

      b189df0bc9da640933f815a383cc22c0

      SHA1

      241dbcec64bd8d89f1d3c5c6546c0c0a5ac15ce0

      SHA256

      00e48e30ab7db2987be2f6bf5d17c4f36401fa8026f88415e39a1a9f92c63c71

      SHA512

      a024e7beb6c23434a63de9af756af3797b7e7bc8e0572a8df5d5e634399feb20ca1b19b4f96cba4c89f9629eed188f649e55b6d46203114b299dc332b00298b8

    • C:\temp\hbfbhba

      Filesize

      4B

      MD5

      2ad479305c55fb59d91e7be8e6d39c81

      SHA1

      ad8dbf04202c8d87f6d783567098059330ccd976

      SHA256

      94861764858efa58b45810c4e8dc048843a324e7673c2e6f569ae4072d308481

      SHA512

      f970b80fcf861f54716664db6aa0583f83700acba6c598cba56428bc02deca8d9e0aed470f95eaf092b8ef0be75801fcf99096eb6ed1616950612a7497d59a0a

    • C:\temp\hbfbhba

      Filesize

      4B

      MD5

      669aa3418a02741fa2749627289b1bd0

      SHA1

      8ffbb00f2f066b2056552aa73c579d8e4410e467

      SHA256

      ad3e19a94e3e46e0d315bf305463b132f42f6528b878c6bd6de91bf00f1fec2e

      SHA512

      3979e67eb6291d356fe3b33a64f51ca47b5c395901204f9c724a2fc6c2d35cc1a96601943b9defeba64cd957f7e1a155164ae2390d3af758f98fb29f1c505676

    • C:\temp\heahchh

      Filesize

      4B

      MD5

      fe9972c0f150fcdbd81b347284af876e

      SHA1

      20ded953571d7a7cbf3106fbe175e4363a07b528

      SHA256

      5bde7d8a011553e14f3668fb4747766a406d3098f67a6d1f7719d172c9d36a39

      SHA512

      36bf17cc3587b4dd2388bb5cc90b6ac985149e06d90977327532452a3cf90217fc0419e747021c8424e5f539249e77be32c8e8473f4d90dd2f78ded549225ef5

    • memory/2616-15-0x00000000030D0000-0x0000000003425000-memory.dmp

      Filesize

      3.3MB

    • memory/2616-2-0x00000000011C0000-0x00000000015C0000-memory.dmp

      Filesize

      4.0MB

    • memory/2616-3-0x00000000030D0000-0x0000000003425000-memory.dmp

      Filesize

      3.3MB

    • memory/2664-29-0x00000000022C0000-0x0000000002A62000-memory.dmp

      Filesize

      7.6MB

    • memory/2740-18-0x00000000022C0000-0x0000000002A62000-memory.dmp

      Filesize

      7.6MB

    • memory/2740-14-0x00000000022C0000-0x0000000002A62000-memory.dmp

      Filesize

      7.6MB

    • memory/2740-25-0x00000000022C0000-0x0000000002A62000-memory.dmp

      Filesize

      7.6MB

    • memory/2740-26-0x00000000022C0000-0x0000000002A62000-memory.dmp

      Filesize

      7.6MB

    • memory/2740-27-0x00000000022C0000-0x0000000002A62000-memory.dmp

      Filesize

      7.6MB

    • memory/2740-24-0x00000000022C0000-0x0000000002A62000-memory.dmp

      Filesize

      7.6MB

    • memory/2740-28-0x00000000022C0000-0x0000000002A62000-memory.dmp

      Filesize

      7.6MB

    • memory/2740-30-0x00000000022C0000-0x0000000002A62000-memory.dmp

      Filesize

      7.6MB