Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 13:13
Static task: static1
Behavioral task: behavioral1
Sample: autoit3.exe
Resource: win7-20240903-en
General
Target: autoit3.exe
Size: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
SSDEEP: 12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
Malware Config
Extracted
family: darkgate
botnet: drk3
c2: aspava-yachting.com
anti_analysis: false
anti_debug: false
anti_vm: false
c2_port: 80
check_disk: false
check_ram: false
check_xeon: false
crypter_au3: false
crypter_dll: false
crypter_raw_stub: false
internal_mutex: kDWIiPpI
minimum_disk: 100
minimum_ram: 4096
ping_interval: 6
rootkit: false
startup_persistence: true
username: drk3
Signatures
- Darkgate family
- Detect DarkGate stealer (13 IoCs)
  resource | yara_rule
  behavioral2/memory/3188-3-0x0000000004600000-0x0000000004955000-memory.dmp | family_darkgate_v6
  behavioral2/memory/2992-14-0x0000000003090000-0x0000000003832000-memory.dmp | family_darkgate_v6
  behavioral2/memory/3188-15-0x0000000004600000-0x0000000004955000-memory.dmp | family_darkgate_v6
  behavioral2/memory/2992-18-0x0000000003090000-0x0000000003832000-memory.dmp | family_darkgate_v6
  behavioral2/memory/2156-24-0x00000000027D0000-0x0000000002F72000-memory.dmp | family_darkgate_v6
  behavioral2/memory/2992-26-0x0000000003090000-0x0000000003832000-memory.dmp | family_darkgate_v6
  behavioral2/memory/2992-27-0x0000000003090000-0x0000000003832000-memory.dmp | family_darkgate_v6
  behavioral2/memory/2992-28-0x0000000003090000-0x0000000003832000-memory.dmp | family_darkgate_v6
  behavioral2/memory/2992-25-0x0000000003090000-0x0000000003832000-memory.dmp | family_darkgate_v6
  behavioral2/memory/2992-29-0x0000000003090000-0x0000000003832000-memory.dmp | family_darkgate_v6
  behavioral2/memory/2156-30-0x00000000027D0000-0x0000000002F72000-memory.dmp | family_darkgate_v6
  behavioral2/memory/2992-31-0x0000000003090000-0x0000000003832000-memory.dmp | family_darkgate_v6
  behavioral2/memory/2156-32-0x00000000027D0000-0x0000000002F72000-memory.dmp | family_darkgate_v6
- Suspicious use of NtCreateUserProcessOtherParentProcess (5 IoCs)
  description | pid | Process | procid_target
  PID 3188 created 2864 | 3188 | autoit3.exe | 74
  PID 3188 created 3992 | 3188 | autoit3.exe | 61
  PID 3188 created 2884 | 3188 | autoit3.exe | 49
  PID 2992 created 3832 | 2992 | GoogleUpdateCore.exe | 59
  PID 2992 created 2884 | 2992 | GoogleUpdateCore.exe | 49
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fhbfacc = "\"C:\\ProgramData\\bkfdehb\\Autoit3.exe\" C:\\ProgramData\\bkfdehb\\kafhcef.a3x" | GoogleUpdateCore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fhbfacc = "\"C:\\ProgramData\\bkfdehb\\Autoit3.exe\" C:\\ProgramData\\bkfdehb\\kafhcef.a3x" | GoogleUpdateCore.exe
- Command and Scripting Interpreter: AutoIT (1 TTPs, 1 IoCs)
  Uses AutoIt, possibly to run an automated script.
  pid | Process
  3188 | autoit3.exe
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoogleUpdateCore.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GoogleUpdateCore.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | autoit3.exe
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | GoogleUpdateCore.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | autoit3.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | autoit3.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | GoogleUpdateCore.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | GoogleUpdateCore.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | GoogleUpdateCore.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid | Process
  3188 | autoit3.exe
  3188 | autoit3.exe
  3188 | autoit3.exe
  3188 | autoit3.exe
  3188 | autoit3.exe
  3188 | autoit3.exe
  3188 | autoit3.exe
  3188 | autoit3.exe
  2992 | GoogleUpdateCore.exe
  2992 | GoogleUpdateCore.exe
  2992 | GoogleUpdateCore.exe
  2992 | GoogleUpdateCore.exe
  2992 | GoogleUpdateCore.exe
  2992 | GoogleUpdateCore.exe
  2156 | GoogleUpdateCore.exe
  2156 | GoogleUpdateCore.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2992 | GoogleUpdateCore.exe
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  description | pid | Process
  Token: SeIncreaseQuotaPrivilege | 5112 | WMIC.exe
  Token: SeSecurityPrivilege | 5112 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 5112 | WMIC.exe
  Token: SeLoadDriverPrivilege | 5112 | WMIC.exe
  Token: SeSystemProfilePrivilege | 5112 | WMIC.exe
  Token: SeSystemtimePrivilege | 5112 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 5112 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 5112 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 5112 | WMIC.exe
  Token: SeBackupPrivilege | 5112 | WMIC.exe
  Token: SeRestorePrivilege | 5112 | WMIC.exe
  Token: SeShutdownPrivilege | 5112 | WMIC.exe
  Token: SeDebugPrivilege | 5112 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 5112 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 5112 | WMIC.exe
  Token: SeUndockPrivilege | 5112 | WMIC.exe
  Token: SeManageVolumePrivilege | 5112 | WMIC.exe
  Token: 33 | 5112 | WMIC.exe
  Token: 34 | 5112 | WMIC.exe
  Token: 35 | 5112 | WMIC.exe
  Token: 36 | 5112 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 5112 | WMIC.exe
  Token: SeSecurityPrivilege | 5112 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 5112 | WMIC.exe
  Token: SeLoadDriverPrivilege | 5112 | WMIC.exe
  Token: SeSystemProfilePrivilege | 5112 | WMIC.exe
  Token: SeSystemtimePrivilege | 5112 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 5112 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 5112 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 5112 | WMIC.exe
  Token: SeBackupPrivilege | 5112 | WMIC.exe
  Token: SeRestorePrivilege | 5112 | WMIC.exe
  Token: SeShutdownPrivilege | 5112 | WMIC.exe
  Token: SeDebugPrivilege | 5112 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 5112 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 5112 | WMIC.exe
  Token: SeUndockPrivilege | 5112 | WMIC.exe
  Token: SeManageVolumePrivilege | 5112 | WMIC.exe
  Token: 33 | 5112 | WMIC.exe
  Token: 34 | 5112 | WMIC.exe
  Token: 35 | 5112 | WMIC.exe
  Token: 36 | 5112 | WMIC.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 3188 wrote to memory of 4432 | 3188 | autoit3.exe | 83
  PID 3188 wrote to memory of 4432 | 3188 | autoit3.exe | 83
  PID 3188 wrote to memory of 4432 | 3188 | autoit3.exe | 83
  PID 4432 wrote to memory of 5112 | 4432 | cmd.exe | 85
  PID 4432 wrote to memory of 5112 | 4432 | cmd.exe | 85
  PID 4432 wrote to memory of 5112 | 4432 | cmd.exe | 85
  PID 3188 wrote to memory of 2992 | 3188 | autoit3.exe | 88
  PID 3188 wrote to memory of 2992 | 3188 | autoit3.exe | 88
  PID 3188 wrote to memory of 2992 | 3188 | autoit3.exe | 88
  PID 3188 wrote to memory of 2992 | 3188 | autoit3.exe | 88
  PID 2992 wrote to memory of 2156 | 2992 | GoogleUpdateCore.exe | 89
  PID 2992 wrote to memory of 2156 | 2992 | GoogleUpdateCore.exe | 89
  PID 2992 wrote to memory of 2156 | 2992 | GoogleUpdateCore.exe | 89
  PID 2992 wrote to memory of 2156 | 2992 | GoogleUpdateCore.exe | 89
Processes
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2884
  - C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
    command line: "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID: 2992
  - C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
    command line: "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID: 2156
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3832
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3992
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 2864
- C:\Users\Admin\AppData\Local\Temp\autoit3.exe
  command line: C:\Users\Admin\AppData\Local\Temp\autoit3.exe script.a3x
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: AutoIT
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3188
  - \??\c:\windows\SysWOW64\cmd.exe
    command line: "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\bkfdehb\hhegbef
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4432
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic ComputerSystem get domain
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 5112
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 54B
  MD5: c8bbad190eaaa9755c8dfb1573984d81
  SHA1: 17ad91294403223fde66f687450545a2bad72af5
  SHA256: 7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac
  SHA512: 05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df
- Filesize: 585KB
  MD5: ecee8b8c60cca255f5e35abc3372ed03
  SHA1: 14b7ea450ac07450748bfd810437c89a1c4eae69
  SHA256: c7377cf160039a8fb2bccac03992cb35da9d5c3097c52b4324526b26fe974ded
  SHA512: e468130371ec6399fa1f154a9a6408bd86781bad8b5eb6d0edfa1bff520a47d83bf78b557f873cf255b274dfb6bf9ace559856a8bc28af96a59582ff617bbe7a
- Filesize: 1KB
  MD5: 214715b9b7f9619188b48a6383bba068
  SHA1: 599fed860598e4cbb033dec9be2d9d0d31b4b86b
  SHA256: 5f2792f6805016e4547bbc3714b130bc2e31a592dc85a4fb1c2dd87ca87e50de
  SHA512: cd46b80f55532b7c979ea16a768ee0e50086ffdeb397fb4d68b3cfa9a09197f8f018cbf7aa260815e93db663405842c13041b47fc0c413980b2a8cd539295a64
- Filesize: 32B
  MD5: cda7c39928e6108704a358037029b418
  SHA1: cad80f60d87d87a6d0c7d53c33b72a912a883788
  SHA256: e4f487be67762d1648b902b785dc360acb5acbae3d449db6a1ca404b23d8fd8d
  SHA512: 656203ba58525489355b7b9e423dbe17d4ba56066ebec34366cde6307f6cf546dc83728aff1135d6b4ce30069c30b66749ec8d2e108a7b431bbfb38546a51c7b
- Filesize: 4B
  MD5: 7ce3283ff586408583c38a34ea65b09c
  SHA1: d8a7ad4b9da77acf9c43d7b0c761d7699a06f2d9
  SHA256: 7adf5e195ef27707ba81c48cc0e9a02a78466804243749bb0a3f9a4522cd75f7
  SHA512: 3354de093fbad88d77f6d292dc6af5d35605d38725d052183fff91a7efdfe06ce39b5f58ad052ddbdab6480de497cfcee32d1d3d2d0fbdaaa050c28a9ef0bb98
- Filesize: 4B
  MD5: a65e774a68915ec23f66181bf02fc18f
  SHA1: 4cf22165b31b740633e0be31744d176b0e9d4ff5
  SHA256: 58db1480fd8f7c7772bbb5c8d0a852e458a6b0d71b5665e24bf1727d939366a9
  SHA512: 39692ce6a297e7b07f6d8a42dfc29047426788ee0b7cfe212c05fc0dfbf3b241306f9ea1e200382ac85f711d52a66b0b589b29e6a98cebec0d8ee7b7e7185a4f
- Filesize: 4B
  MD5: 75368a2b8722e4dbb462c5100e2c9bc1
  SHA1: e0e6f36422b1f6fb7b13e8fcbc1a036f2df5cc61
  SHA256: 7011dd1588fc589b88a25f582c5f8f573f6ac1828b5eeb7db0093e27f09a9fd9
  SHA512: 7b7cee5de8417cce11012bfd36eb1193be19f55dac52447668823b4910d4e6918472a5483297c23a1767eaee612dd6819ce79e1fcd7c43acb1d7ede44a10e998