darkgate | c4230a6d0a1c4156284b4247703f0c135687a1937bfd94d7733fb1401ec65bdc

Analysis

max time kernel
32s
max time network
33s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ProtectedStore.exe
Size

6.7MB
MD5

654c90460217be81935b7bd2539e21d0
SHA1

2244e387c30bb852c2d709d9bf60f37c66239345
SHA256

c4230a6d0a1c4156284b4247703f0c135687a1937bfd94d7733fb1401ec65bdc
SHA512

076e09b31b1dea5e8542d9c8de80f5a8da811f102bd13e2da766d503931fd811c4a38ffcec50e1a0c641392e571c73af6ea8d41e765f5266a95475e97fbc4223
SSDEEP

98304:FRXveERYHssF12MVwjbFGzdaDMF/Qi0GyREcBhmca3wjA5Ok/OyC:FRbRYM612MVQbF8gOOCcBhmca3w0o

Score

10^/10

darkgate drk3 discovery execution persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

drk3

aspava-yachting.com

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
kDWIiPpI
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
drk3

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 9 IoCs

resource	yara_rule
behavioral1/memory/2860-17-0x0000000002FC0000-0x0000000003315000-memory.dmp	family_darkgate_v6
behavioral1/memory/2860-29-0x0000000002FC0000-0x0000000003315000-memory.dmp	family_darkgate_v6
behavioral1/memory/2612-32-0x0000000001E40000-0x00000000025E2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2612-38-0x0000000001E40000-0x00000000025E2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2612-40-0x0000000001E40000-0x00000000025E2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2612-41-0x0000000001E40000-0x00000000025E2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2612-42-0x0000000001E40000-0x00000000025E2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2612-39-0x0000000001E40000-0x00000000025E2000-memory.dmp	family_darkgate_v6
behavioral1/memory/324-43-0x0000000002160000-0x0000000002902000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2860 created 1100	2860	Autoit3.exe	19
PID 2612 created 1284	2612	GoogleUpdateCore.exe	25

Executes dropped EXE 1 IoCs

pid	Process
2860	Autoit3.exe

Loads dropped DLL 1 IoCs

pid	Process
2132	ProtectedStore.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\khahdaa = "\"C:\\ProgramData\\acagdkg\\Autoit3.exe\" C:\\ProgramData\\acagdkg\\agcebdk.a3x"	GoogleUpdateCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\khahdaa = "\"C:\\ProgramData\\acagdkg\\Autoit3.exe\" C:\\ProgramData\\acagdkg\\agcebdk.a3x"	GoogleUpdateCore.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
2860	Autoit3.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProtectedStore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2860	Autoit3.exe
2860	Autoit3.exe
2612	GoogleUpdateCore.exe
2612	GoogleUpdateCore.exe
324	GoogleUpdateCore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2612	GoogleUpdateCore.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1968	WMIC.exe
Token: SeSecurityPrivilege	1968	WMIC.exe
Token: SeTakeOwnershipPrivilege	1968	WMIC.exe
Token: SeLoadDriverPrivilege	1968	WMIC.exe
Token: SeSystemProfilePrivilege	1968	WMIC.exe
Token: SeSystemtimePrivilege	1968	WMIC.exe
Token: SeProfSingleProcessPrivilege	1968	WMIC.exe
Token: SeIncBasePriorityPrivilege	1968	WMIC.exe
Token: SeCreatePagefilePrivilege	1968	WMIC.exe
Token: SeBackupPrivilege	1968	WMIC.exe
Token: SeRestorePrivilege	1968	WMIC.exe
Token: SeShutdownPrivilege	1968	WMIC.exe
Token: SeDebugPrivilege	1968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1968	WMIC.exe
Token: SeRemoteShutdownPrivilege	1968	WMIC.exe
Token: SeUndockPrivilege	1968	WMIC.exe
Token: SeManageVolumePrivilege	1968	WMIC.exe
Token: 33	1968	WMIC.exe
Token: 34	1968	WMIC.exe
Token: 35	1968	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1968	WMIC.exe
Token: SeSecurityPrivilege	1968	WMIC.exe
Token: SeTakeOwnershipPrivilege	1968	WMIC.exe
Token: SeLoadDriverPrivilege	1968	WMIC.exe
Token: SeSystemProfilePrivilege	1968	WMIC.exe
Token: SeSystemtimePrivilege	1968	WMIC.exe
Token: SeProfSingleProcessPrivilege	1968	WMIC.exe
Token: SeIncBasePriorityPrivilege	1968	WMIC.exe
Token: SeCreatePagefilePrivilege	1968	WMIC.exe
Token: SeBackupPrivilege	1968	WMIC.exe
Token: SeRestorePrivilege	1968	WMIC.exe
Token: SeShutdownPrivilege	1968	WMIC.exe
Token: SeDebugPrivilege	1968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1968	WMIC.exe
Token: SeRemoteShutdownPrivilege	1968	WMIC.exe
Token: SeUndockPrivilege	1968	WMIC.exe
Token: SeManageVolumePrivilege	1968	WMIC.exe
Token: 33	1968	WMIC.exe
Token: 34	1968	WMIC.exe
Token: 35	1968	WMIC.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2860	2132	ProtectedStore.exe	30
PID 2132 wrote to memory of 2860	2132	ProtectedStore.exe	30
PID 2132 wrote to memory of 2860	2132	ProtectedStore.exe	30
PID 2132 wrote to memory of 2860	2132	ProtectedStore.exe	30
PID 2860 wrote to memory of 3008	2860	Autoit3.exe	31
PID 2860 wrote to memory of 3008	2860	Autoit3.exe	31
PID 2860 wrote to memory of 3008	2860	Autoit3.exe	31
PID 2860 wrote to memory of 3008	2860	Autoit3.exe	31
PID 3008 wrote to memory of 1968	3008	cmd.exe	33
PID 3008 wrote to memory of 1968	3008	cmd.exe	33
PID 3008 wrote to memory of 1968	3008	cmd.exe	33
PID 3008 wrote to memory of 1968	3008	cmd.exe	33
PID 2860 wrote to memory of 2612	2860	Autoit3.exe	35
PID 2860 wrote to memory of 2612	2860	Autoit3.exe	35
PID 2860 wrote to memory of 2612	2860	Autoit3.exe	35
PID 2860 wrote to memory of 2612	2860	Autoit3.exe	35
PID 2860 wrote to memory of 2612	2860	Autoit3.exe	35
PID 2860 wrote to memory of 2612	2860	Autoit3.exe	35
PID 2860 wrote to memory of 2612	2860	Autoit3.exe	35
PID 2860 wrote to memory of 2612	2860	Autoit3.exe	35
PID 2612 wrote to memory of 324	2612	GoogleUpdateCore.exe	36
PID 2612 wrote to memory of 324	2612	GoogleUpdateCore.exe	36
PID 2612 wrote to memory of 324	2612	GoogleUpdateCore.exe	36
PID 2612 wrote to memory of 324	2612	GoogleUpdateCore.exe	36
PID 2612 wrote to memory of 324	2612	GoogleUpdateCore.exe	36
PID 2612 wrote to memory of 324	2612	GoogleUpdateCore.exe	36
PID 2612 wrote to memory of 324	2612	GoogleUpdateCore.exe	36
PID 2612 wrote to memory of 324	2612	GoogleUpdateCore.exe	36

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1100
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2612

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1284
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:324

C:\Users\Admin\AppData\Local\Temp\ProtectedStore.exe
"C:\Users\Admin\AppData\Local\Temp\ProtectedStore.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- \??\c:\temp\test\Autoit3.exe
  "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Command and Scripting Interpreter: AutoIT
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2860
- - \??\c:\windows\SysWOW64\cmd.exe
    "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\acagdkg\cffaebe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get domain
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\acagdkg\ahhdccb

Filesize
1KB

MD5
757eed73ffc2e4b15642c1b6dd41ebd9

SHA1
8420e9262827b6ec9114c872c3cda9859b737163

SHA256
c44ff259c5c1d216ed5efd296e2e3aee1da7f2fba5dba2477fcb3332ded72fa5

SHA512
f7f014d39b5732db8c506b1a3bb9df2371f50c63ba9579e5e7a1b788852fdd3909aab0f52683c4df9e265a39585aee2540af6dbbd19e132d55459c16c2c2742a

Download Submit
C:\ProgramData\acagdkg\cffaebe

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\Users\Admin\AppData\Roaming\aAEcCab

Filesize
32B

MD5
a2c7cd5cc9c598f498cfc8b555e2d674

SHA1
d6054a05f3bf0b0d1239ca67508975c4674b3d59

SHA256
b9d1d723e031a2f270457e8e0ec03d1779ca9d7b7b2f841906c492384018a705

SHA512
b1c16fba251b3d0ed5098e83ec3d030cba502db5eed37661cfb6f483b87439d359eba4585637b43431b1aacd39ded86a5d23412a4ef0fc0145ab8e4f6cc8f6a8

Download Submit
C:\temp\bfegcab

Filesize
4B

MD5
f54544ac09c25c869f5db8dd6e078663

SHA1
2c8d80ed91a85fba6abd99e080659790fc844577

SHA256
633b794a09b26bb95685947b12cffac91d1e6ce985094f39df7950de3837c48a

SHA512
4b1a8ea0cb777b19237d3de7a4e3b81fc587bebfc5acf8eccd20c79cba9afe3492c475b8d9c4e7597ace5f97f54ff02a4554fe85129f298daa2d7e616efa1795

Download Submit
C:\temp\bfegcab

Filesize
4B

MD5
bdc9bcf2ef6be788670382388aed610a

SHA1
772ada8c7a9b462bda511a6c7ecd95624045027e

SHA256
844cc9b76d9d5f284b6cc938b1a86a0539c33d4004b267b74c402d42e5b199eb

SHA512
3a4791da1acd105ee7d5bb8ab51812c8855bd2fb8418856fb0a5f55647ea063ecf07542f8ed940f7b5e8cf291cba97d7634d25fb9c429797505e03b547a202cd

Download Submit
C:\temp\kdebhch

Filesize
4B

MD5
a5c11afe6ab5952d8884012b1e7e4205

SHA1
97557c7c9a39e04b9f0b92e40b2e5d700afd12be

SHA256
19a14322f65dfeac7c78dd5113773a9eb4112820a540ef4bfd7a9b3192d5759c

SHA512
1714ca83c71249af8950407b4a5d05c73cbc6bd3b43e29efdc77caa865fb26aa384bae3ae1c76d82c09e27864e9795f61215bd66ae96118a40ef4c385aa3c8e7

Download Submit
\??\c:\temp\test\script.a3x

Filesize
585KB

MD5
ecee8b8c60cca255f5e35abc3372ed03

SHA1
14b7ea450ac07450748bfd810437c89a1c4eae69

SHA256
c7377cf160039a8fb2bccac03992cb35da9d5c3097c52b4324526b26fe974ded

SHA512
e468130371ec6399fa1f154a9a6408bd86781bad8b5eb6d0edfa1bff520a47d83bf78b557f873cf255b274dfb6bf9ace559856a8bc28af96a59582ff617bbe7a

Download Submit
\temp\test\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/324-43-0x0000000002160000-0x0000000002902000-memory.dmp

Filesize
7.6MB

Download
memory/2132-8-0x00000000025F0000-0x0000000004405000-memory.dmp

Filesize
30.1MB

Download
memory/2132-0-0x0000000004410000-0x0000000006229000-memory.dmp

Filesize
30.1MB

Download
memory/2612-40-0x0000000001E40000-0x00000000025E2000-memory.dmp

Filesize
7.6MB

Download
memory/2612-32-0x0000000001E40000-0x00000000025E2000-memory.dmp

Filesize
7.6MB

Download
memory/2612-38-0x0000000001E40000-0x00000000025E2000-memory.dmp

Filesize
7.6MB

Download
memory/2612-41-0x0000000001E40000-0x00000000025E2000-memory.dmp

Filesize
7.6MB

Download
memory/2612-42-0x0000000001E40000-0x00000000025E2000-memory.dmp

Filesize
7.6MB

Download
memory/2612-39-0x0000000001E40000-0x00000000025E2000-memory.dmp

Filesize
7.6MB

Download
memory/2860-29-0x0000000002FC0000-0x0000000003315000-memory.dmp

Filesize
3.3MB

Download
memory/2860-17-0x0000000002FC0000-0x0000000003315000-memory.dmp

Filesize
3.3MB

Download
memory/2860-16-0x0000000000D10000-0x0000000001110000-memory.dmp

Filesize
4.0MB

Download