darkgate | c4230a6d0a1c4156284b4247703f0c135687a1937bfd94d7733fb1401ec65bdc

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ProtectedStore.exe
Size

6.7MB
MD5

654c90460217be81935b7bd2539e21d0
SHA1

2244e387c30bb852c2d709d9bf60f37c66239345
SHA256

c4230a6d0a1c4156284b4247703f0c135687a1937bfd94d7733fb1401ec65bdc
SHA512

076e09b31b1dea5e8542d9c8de80f5a8da811f102bd13e2da766d503931fd811c4a38ffcec50e1a0c641392e571c73af6ea8d41e765f5266a95475e97fbc4223
SSDEEP

98304:FRXveERYHssF12MVwjbFGzdaDMF/Qi0GyREcBhmca3wjA5Ok/OyC:FRbRYM612MVQbF8gOOCcBhmca3w0o

Score

10^/10

darkgate drk3 discovery execution persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

drk3

aspava-yachting.com

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
kDWIiPpI
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
drk3

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 9 IoCs

resource	yara_rule
behavioral1/memory/2752-17-0x0000000002F50000-0x00000000032A5000-memory.dmp	family_darkgate_v6
behavioral1/memory/2752-29-0x0000000002F50000-0x00000000032A5000-memory.dmp	family_darkgate_v6
behavioral1/memory/2548-32-0x0000000001DA0000-0x0000000002542000-memory.dmp	family_darkgate_v6
behavioral1/memory/2548-38-0x0000000001DA0000-0x0000000002542000-memory.dmp	family_darkgate_v6
behavioral1/memory/2548-40-0x0000000001DA0000-0x0000000002542000-memory.dmp	family_darkgate_v6
behavioral1/memory/2548-41-0x0000000001DA0000-0x0000000002542000-memory.dmp	family_darkgate_v6
behavioral1/memory/2548-39-0x0000000001DA0000-0x0000000002542000-memory.dmp	family_darkgate_v6
behavioral1/memory/2548-42-0x0000000001DA0000-0x0000000002542000-memory.dmp	family_darkgate_v6
behavioral1/memory/3028-43-0x0000000001F10000-0x00000000026B2000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2752 created 1568	2752	Autoit3.exe	23
PID 2548 created 1112	2548	GoogleUpdateCore.exe	19

Executes dropped EXE 1 IoCs

pid	Process
2752	Autoit3.exe

Loads dropped DLL 1 IoCs

pid	Process
2424	ProtectedStore.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\bkebfhc = "\"C:\\ProgramData\\dhbeade\\Autoit3.exe\" C:\\ProgramData\\dhbeade\\abgffeb.a3x"	GoogleUpdateCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\bkebfhc = "\"C:\\ProgramData\\dhbeade\\Autoit3.exe\" C:\\ProgramData\\dhbeade\\abgffeb.a3x"	GoogleUpdateCore.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
2752	Autoit3.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProtectedStore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2752	Autoit3.exe
2752	Autoit3.exe
2548	GoogleUpdateCore.exe
2548	GoogleUpdateCore.exe
3028	GoogleUpdateCore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2548	GoogleUpdateCore.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2768	WMIC.exe
Token: SeSecurityPrivilege	2768	WMIC.exe
Token: SeTakeOwnershipPrivilege	2768	WMIC.exe
Token: SeLoadDriverPrivilege	2768	WMIC.exe
Token: SeSystemProfilePrivilege	2768	WMIC.exe
Token: SeSystemtimePrivilege	2768	WMIC.exe
Token: SeProfSingleProcessPrivilege	2768	WMIC.exe
Token: SeIncBasePriorityPrivilege	2768	WMIC.exe
Token: SeCreatePagefilePrivilege	2768	WMIC.exe
Token: SeBackupPrivilege	2768	WMIC.exe
Token: SeRestorePrivilege	2768	WMIC.exe
Token: SeShutdownPrivilege	2768	WMIC.exe
Token: SeDebugPrivilege	2768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2768	WMIC.exe
Token: SeRemoteShutdownPrivilege	2768	WMIC.exe
Token: SeUndockPrivilege	2768	WMIC.exe
Token: SeManageVolumePrivilege	2768	WMIC.exe
Token: 33	2768	WMIC.exe
Token: 34	2768	WMIC.exe
Token: 35	2768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2768	WMIC.exe
Token: SeSecurityPrivilege	2768	WMIC.exe
Token: SeTakeOwnershipPrivilege	2768	WMIC.exe
Token: SeLoadDriverPrivilege	2768	WMIC.exe
Token: SeSystemProfilePrivilege	2768	WMIC.exe
Token: SeSystemtimePrivilege	2768	WMIC.exe
Token: SeProfSingleProcessPrivilege	2768	WMIC.exe
Token: SeIncBasePriorityPrivilege	2768	WMIC.exe
Token: SeCreatePagefilePrivilege	2768	WMIC.exe
Token: SeBackupPrivilege	2768	WMIC.exe
Token: SeRestorePrivilege	2768	WMIC.exe
Token: SeShutdownPrivilege	2768	WMIC.exe
Token: SeDebugPrivilege	2768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2768	WMIC.exe
Token: SeRemoteShutdownPrivilege	2768	WMIC.exe
Token: SeUndockPrivilege	2768	WMIC.exe
Token: SeManageVolumePrivilege	2768	WMIC.exe
Token: 33	2768	WMIC.exe
Token: 34	2768	WMIC.exe
Token: 35	2768	WMIC.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2752	2424	ProtectedStore.exe	30
PID 2424 wrote to memory of 2752	2424	ProtectedStore.exe	30
PID 2424 wrote to memory of 2752	2424	ProtectedStore.exe	30
PID 2424 wrote to memory of 2752	2424	ProtectedStore.exe	30
PID 2752 wrote to memory of 2660	2752	Autoit3.exe	31
PID 2752 wrote to memory of 2660	2752	Autoit3.exe	31
PID 2752 wrote to memory of 2660	2752	Autoit3.exe	31
PID 2752 wrote to memory of 2660	2752	Autoit3.exe	31
PID 2660 wrote to memory of 2768	2660	cmd.exe	33
PID 2660 wrote to memory of 2768	2660	cmd.exe	33
PID 2660 wrote to memory of 2768	2660	cmd.exe	33
PID 2660 wrote to memory of 2768	2660	cmd.exe	33
PID 2752 wrote to memory of 2548	2752	Autoit3.exe	35
PID 2752 wrote to memory of 2548	2752	Autoit3.exe	35
PID 2752 wrote to memory of 2548	2752	Autoit3.exe	35
PID 2752 wrote to memory of 2548	2752	Autoit3.exe	35
PID 2752 wrote to memory of 2548	2752	Autoit3.exe	35
PID 2752 wrote to memory of 2548	2752	Autoit3.exe	35
PID 2752 wrote to memory of 2548	2752	Autoit3.exe	35
PID 2752 wrote to memory of 2548	2752	Autoit3.exe	35
PID 2548 wrote to memory of 3028	2548	GoogleUpdateCore.exe	36
PID 2548 wrote to memory of 3028	2548	GoogleUpdateCore.exe	36
PID 2548 wrote to memory of 3028	2548	GoogleUpdateCore.exe	36
PID 2548 wrote to memory of 3028	2548	GoogleUpdateCore.exe	36
PID 2548 wrote to memory of 3028	2548	GoogleUpdateCore.exe	36
PID 2548 wrote to memory of 3028	2548	GoogleUpdateCore.exe	36
PID 2548 wrote to memory of 3028	2548	GoogleUpdateCore.exe	36
PID 2548 wrote to memory of 3028	2548	GoogleUpdateCore.exe	36

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3028

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1568
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2548

C:\Users\Admin\AppData\Local\Temp\ProtectedStore.exe
"C:\Users\Admin\AppData\Local\Temp\ProtectedStore.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- \??\c:\temp\test\Autoit3.exe
  "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Command and Scripting Interpreter: AutoIT
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2752
- - \??\c:\windows\SysWOW64\cmd.exe
    "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\dhbeade\bfbbdef
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get domain
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dhbeade\bfbbdef

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\ProgramData\dhbeade\hccacdg

Filesize
1KB

MD5
a42b7e7da95fc2b3a139a51b61a71ce1

SHA1
3d45e1f4cbecef2b979639d9e569f77b5d3972c0

SHA256
9843f5a4e1119ec4532debe7d3e684d9cd8697dbb0b007726b9a374a29a768e6

SHA512
10e01449555437a9468e677ffca58c92bd2ba8b95e7ac42008c62e06ccd751c16b9363960a7fecfe8c5b09035a52bdae87107d8946d840ead56d01f7de96d943

Download Submit
C:\Users\Admin\AppData\Roaming\AhceAFA

Filesize
32B

MD5
10d562c5951525b37cb2efbebb430206

SHA1
20710ca49f20420ab983e6997dd0e6eab098ab65

SHA256
79be24549c334a82183d76d03795d08846a9badf58515ed82bd786849cb0ab66

SHA512
b951b08b47550bf726a8d8647134bcf7592161b0bc85da802d2f175472b5244dac72b92c0228202debaba08ffc0a937623dece6a8172537fb699578aaf4cde58

Download Submit
C:\temp\cbkhbad

Filesize
4B

MD5
635d96086d3e75f19f7b1ada325a25e2

SHA1
f0db7f913da82c9361a310c27b5ab3a7643fd19d

SHA256
57869d977b138d6f2b6bc2643b8f6aa5dd3ccd7671cdab8f80a01b6bd07f2dff

SHA512
2d232ef2706c0d56cd4ae3422e2cf7fab34c35fd98b7a425507aa41c3605884c495d3aee88ad831d0d423a4f0df74f5ba86f92464866e5cbc27c58de1d8df490

Download Submit
C:\temp\cbkhbad

Filesize
4B

MD5
1d154775c06cec4b4545c0469f65fbc1

SHA1
c4d4d121ab296713487948ac26e52bbf93118cee

SHA256
a8a7bcff2928b86f905790be4b3003f3658542c638a9113d87166d82797554f9

SHA512
c3c8cb0dc1ab32156fe76d7a19a1bb249c79f5e034f574452f64a050e8ff15abb9cfc2d37e114cbb1fed328d25d86fcc6f4b35fa218bd2e36ae9248bb0d5f6f8

Download Submit
C:\temp\dddaged

Filesize
4B

MD5
8dee3c17eee00d2c6a116c0378f27e76

SHA1
da710c75dbd2713bea2cda6d1eed8092068edb47

SHA256
e5b9eeb2c2160b8d3f4474189e0407cd74caa5049be628c4875e58c9f8f8c810

SHA512
c8d884e15337688c83b943838be74d294ce6edae0f4c4eaeb030469abcbb0eec803fddfea4a30cb664a7e8c100c38694f6ee116b0cdcb924151c2940ee3a81ac

Download Submit
\??\c:\temp\test\script.a3x

Filesize
585KB

MD5
ecee8b8c60cca255f5e35abc3372ed03

SHA1
14b7ea450ac07450748bfd810437c89a1c4eae69

SHA256
c7377cf160039a8fb2bccac03992cb35da9d5c3097c52b4324526b26fe974ded

SHA512
e468130371ec6399fa1f154a9a6408bd86781bad8b5eb6d0edfa1bff520a47d83bf78b557f873cf255b274dfb6bf9ace559856a8bc28af96a59582ff617bbe7a

Download Submit
\temp\test\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/2424-8-0x00000000025D0000-0x00000000043E5000-memory.dmp

Filesize
30.1MB

Download
memory/2424-0-0x00000000043F0000-0x0000000006209000-memory.dmp

Filesize
30.1MB

Download
memory/2548-40-0x0000000001DA0000-0x0000000002542000-memory.dmp

Filesize
7.6MB

Download
memory/2548-32-0x0000000001DA0000-0x0000000002542000-memory.dmp

Filesize
7.6MB

Download
memory/2548-38-0x0000000001DA0000-0x0000000002542000-memory.dmp

Filesize
7.6MB

Download
memory/2548-41-0x0000000001DA0000-0x0000000002542000-memory.dmp

Filesize
7.6MB

Download
memory/2548-39-0x0000000001DA0000-0x0000000002542000-memory.dmp

Filesize
7.6MB

Download
memory/2548-42-0x0000000001DA0000-0x0000000002542000-memory.dmp

Filesize
7.6MB

Download
memory/2752-29-0x0000000002F50000-0x00000000032A5000-memory.dmp

Filesize
3.3MB

Download
memory/2752-17-0x0000000002F50000-0x00000000032A5000-memory.dmp

Filesize
3.3MB

Download
memory/2752-16-0x0000000000920000-0x0000000000D20000-memory.dmp

Filesize
4.0MB

Download
memory/3028-43-0x0000000001F10000-0x00000000026B2000-memory.dmp

Filesize
7.6MB

Download