Analysis

  • max time kernel
    120s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-12-2024 22:21

General

  • Target

    c4230a6d0a1c4156284b4247703f0c135687a1937bfd94d7733fb1401ec65bdcN.exe

  • Size

    6.7MB

  • MD5

    654c90460217be81935b7bd2539e21d0

  • SHA1

    2244e387c30bb852c2d709d9bf60f37c66239345

  • SHA256

    c4230a6d0a1c4156284b4247703f0c135687a1937bfd94d7733fb1401ec65bdc

  • SHA512

    076e09b31b1dea5e8542d9c8de80f5a8da811f102bd13e2da766d503931fd811c4a38ffcec50e1a0c641392e571c73af6ea8d41e765f5266a95475e97fbc4223

  • SSDEEP

    98304:FRXveERYHssF12MVwjbFGzdaDMF/Qi0GyREcBhmca3wjA5Ok/OyC:FRbRYM612MVQbF8gOOCcBhmca3w0o

Malware Config

Extracted

Family

darkgate

Botnet

drk3

C2

aspava-yachting.com

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    kDWIiPpI

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    drk3

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

  • Darkgate family
  • Detect DarkGate stealer 9 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Uses AutoIT, possibly to run an automated script.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1116
      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        2⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2760
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1192
        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of WriteProcessMemory
          PID:2216
      • C:\Users\Admin\AppData\Local\Temp\c4230a6d0a1c4156284b4247703f0c135687a1937bfd94d7733fb1401ec65bdcN.exe
        "C:\Users\Admin\AppData\Local\Temp\c4230a6d0a1c4156284b4247703f0c135687a1937bfd94d7733fb1401ec65bdcN.exe"
        1⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:528
        • \??\c:\temp\test\Autoit3.exe
          "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Command and Scripting Interpreter: AutoIT
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1476
          • \??\c:\windows\SysWOW64\cmd.exe
            "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\efbgffb\bkddccc
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2816
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic ComputerSystem get domain
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2968

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\ProgramData\efbgffb\bkddccc

        Filesize

        54B

        MD5

        c8bbad190eaaa9755c8dfb1573984d81

        SHA1

        17ad91294403223fde66f687450545a2bad72af5

        SHA256

        7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

        SHA512

        05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

      • C:\ProgramData\efbgffb\ebddedd

        Filesize

        1KB

        MD5

        c6ce875941479635fe14cb46476ade48

        SHA1

        4391c33280943fa34e72207c57827eee36f94784

        SHA256

        01de3c784f970d2ef480f0a6bad980b696d3ae73c1cb33db12c4125562427f4a

        SHA512

        0df1309238da318e660c76d5f617554688f4d1c4f7b5a70fcf5fcfbf07b576548c983a435daadd53704b97d02a9e9310eab3f212ba25ebc976f85ba45f5f546d

      • C:\Users\Admin\AppData\Roaming\AKEfbBC

        Filesize

        32B

        MD5

        b8724c3a0251a32bd0beb5b4b57d3c7e

        SHA1

        9dd3eedbe9c2950886d8e904f3104327716f73d7

        SHA256

        0cddb5da97707b526221164add44f2cb47f68cb3c3964723536cb99c777771c2

        SHA512

        e060d147fc19575c8afc17c129c0a265a12b25f6195f78988ff8081a8220c237b1f331c3407e32ea2dddf9fee01baf66ff92f5d5dedc47c7effaa535da433989

      • C:\temp\ebbbbed

        Filesize

        4B

        MD5

        d11fd8be1867af8d32647dfb14715465

        SHA1

        6d2a5f884e3bf8e8eb69ae8b504cf0a8174b3e6e

        SHA256

        2c68171256b5b38b9ca4f885892121163dac86c58e0b20b039ad9345e455ea83

        SHA512

        937faf16f91302e80941dd4ea58b7da412799e1dd1740272b366d854a94e22a1e457b9072b1bce0a3ddb197aff550cc1fded857991b90594fc53987f7fdea240

      • C:\temp\fcadffc

        Filesize

        4B

        MD5

        cb4b79f88a26c74291aa8949f1f87d17

        SHA1

        699d8f93369695283e0f0545e9b79edc77ce9e2d

        SHA256

        3faaf293f08e9cb2eab2228fe1f2f7403aeffba0641ea3dcc48d8db2a85f23cc

        SHA512

        b1c861ae79a330d4e271135fd739e20c2adad48c4f6c7a170e1f28d80b4f4d85576e0800e8092b96d10db3e1665f802f2a694e448d847372fc12e5dcb9ed8ad7

      • C:\temp\fcadffc

        Filesize

        4B

        MD5

        65719d7891ad1d1e43bcf3d93a277929

        SHA1

        9160a7f43aa463a14aca0dd0f423da8ac9a19e65

        SHA256

        ad3d9d59c6a87692df8e7b3b80dbd13ca05f0e945b52868b8cd7f7e9ed6d097e

        SHA512

        dff31490fa425eb843e07db59c84cf794568cd43975c15a6fbf4997c8f40d5c42b01fec818029defd9f7c032d3c007aab20b4385cecea01e7b6c036fc6bc14fd

      • C:\temp\test\Autoit3.exe

        Filesize

        872KB

        MD5

        c56b5f0201a3b3de53e561fe76912bfd

        SHA1

        2a4062e10a5de813f5688221dbeb3f3ff33eb417

        SHA256

        237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

        SHA512

        195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      • \??\c:\temp\test\script.a3x

        Filesize

        585KB

        MD5

        ecee8b8c60cca255f5e35abc3372ed03

        SHA1

        14b7ea450ac07450748bfd810437c89a1c4eae69

        SHA256

        c7377cf160039a8fb2bccac03992cb35da9d5c3097c52b4324526b26fe974ded

        SHA512

        e468130371ec6399fa1f154a9a6408bd86781bad8b5eb6d0edfa1bff520a47d83bf78b557f873cf255b274dfb6bf9ace559856a8bc28af96a59582ff617bbe7a

      • memory/528-6-0x00000000026E0000-0x00000000044F5000-memory.dmp

        Filesize

        30.1MB

      • memory/528-1-0x0000000004500000-0x0000000006319000-memory.dmp

        Filesize

        30.1MB

      • memory/1476-17-0x0000000003050000-0x00000000033A5000-memory.dmp

        Filesize

        3.3MB

      • memory/1476-29-0x0000000003050000-0x00000000033A5000-memory.dmp

        Filesize

        3.3MB

      • memory/1476-16-0x0000000000920000-0x0000000000D20000-memory.dmp

        Filesize

        4.0MB

      • memory/2216-32-0x0000000002060000-0x0000000002802000-memory.dmp

        Filesize

        7.6MB

      • memory/2216-39-0x0000000002060000-0x0000000002802000-memory.dmp

        Filesize

        7.6MB

      • memory/2216-40-0x0000000002060000-0x0000000002802000-memory.dmp

        Filesize

        7.6MB

      • memory/2216-42-0x0000000002060000-0x0000000002802000-memory.dmp

        Filesize

        7.6MB

      • memory/2216-41-0x0000000002060000-0x0000000002802000-memory.dmp

        Filesize

        7.6MB

      • memory/2216-38-0x0000000002060000-0x0000000002802000-memory.dmp

        Filesize

        7.6MB

      • memory/2760-43-0x0000000001CF0000-0x0000000002492000-memory.dmp

        Filesize

        7.6MB