Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-12-2024 22:21

General

  • Target

    c4230a6d0a1c4156284b4247703f0c135687a1937bfd94d7733fb1401ec65bdcN.exe

  • Size

    6.7MB

  • MD5

    654c90460217be81935b7bd2539e21d0

  • SHA1

    2244e387c30bb852c2d709d9bf60f37c66239345

  • SHA256

    c4230a6d0a1c4156284b4247703f0c135687a1937bfd94d7733fb1401ec65bdc

  • SHA512

    076e09b31b1dea5e8542d9c8de80f5a8da811f102bd13e2da766d503931fd811c4a38ffcec50e1a0c641392e571c73af6ea8d41e765f5266a95475e97fbc4223

  • SSDEEP

    98304:FRXveERYHssF12MVwjbFGzdaDMF/Qi0GyREcBhmca3wjA5Ok/OyC:FRbRYM612MVQbF8gOOCcBhmca3w0o

Malware Config

Extracted

Family

darkgate

Botnet

drk3

C2

aspava-yachting.com

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    kDWIiPpI

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    drk3

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

  • Darkgate family
  • Detect DarkGate stealer 9 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Uses AutoIT, possibly to run an automation script.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2820
    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2368
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:3836
    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
      "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
      2⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:628
  • C:\Users\Admin\AppData\Local\Temp\c4230a6d0a1c4156284b4247703f0c135687a1937bfd94d7733fb1401ec65bdcN.exe
    "C:\Users\Admin\AppData\Local\Temp\c4230a6d0a1c4156284b4247703f0c135687a1937bfd94d7733fb1401ec65bdcN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4008
    • \??\c:\temp\test\Autoit3.exe
      "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
      2⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Executes dropped EXE
      • Command and Scripting Interpreter: AutoIT
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2540
      • \??\c:\windows\SysWOW64\cmd.exe
        "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\fdddeff\bccbabg
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:796
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic ComputerSystem get domain
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3520

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\ProgramData\fdddeff\bccbabg

        Filesize

        54B

        MD5

        c8bbad190eaaa9755c8dfb1573984d81

        SHA1

        17ad91294403223fde66f687450545a2bad72af5

        SHA256

        7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

        SHA512

        05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

      • C:\ProgramData\fdddeff\bdhhhfb

        Filesize

        1KB

        MD5

        29a1896bb65eebfc65f4692b30d757e1

        SHA1

        18cd48a605e7808b2d9f84f1be0ec4794e50b1ef

        SHA256

        e686bfd47a609be85deb640af17a4d4ad9a7daf571d1b81081a40ee326201a99

        SHA512

        b2dfdcc7aa492cb61de0aab1b60c349747a234f0855aece56d348acdc71b0a32224744af0ad9007a5e51f8fb0531f4a95edeed7f44ada6219aea98b60d003635

      • C:\Users\Admin\AppData\Roaming\FfdGaEc

        Filesize

        32B

        MD5

        e244500554aab2b293d4b732ea53594b

        SHA1

        d55028541b3cdceb9ddb760225098988088ec123

        SHA256

        0f8bc187b63abd7dec8027253fade60b936ba1e7deb00bdf7f018391350092d4

        SHA512

        6f736773288b2fe0ed19c0e0d438453fece8e1f11cd9ce9da4a1b73b37afc01d9fa2850454458e269afc649344c87fb3a51e3bc8d53853f91e4aa4edb4b9a3d7

      • C:\temp\bhacabd

        Filesize

        4B

        MD5

        39d8e297f66cc769eee5f9e5c7e3bad1

        SHA1

        822313730e241a84297d453142ad88b4a3ac976c

        SHA256

        0a01c2a0b7f26381341167147bd4fce47f06ad73a33a45ec9f0f25ca7ac61ffb

        SHA512

        c83864c9cf729520471545d94421d0fcb438689ce4cc2ef3c76b265781c987b64ebdec1041a9c9a71c9412bfe05772ab0fce31619d85da066a8972d04985db76

      • C:\temp\bhacabd

        Filesize

        4B

        MD5

        3d91d7070a4dbaae7ece22436207b6ba

        SHA1

        9e33ba27f62eac1410b0cbf9c03735ff2e79efd0

        SHA256

        5548b79e0e640bda44ab52c5f95fc70cae03e286f274104ef9fbc27d58664dc3

        SHA512

        a382816ce2f570da57f8427ee7c16957c68ac6de5f037e34e218a604292abc13a041ba5b7c02ab0543800c2a32df52b91690833a557c19b38f08784776b6a1b8

      • C:\temp\hhbdfeg

        Filesize

        4B

        MD5

        4ddcf5db719faf39bdbc6e7b4d1d2641

        SHA1

        f336bc4bc2668d6a4a7a51c0737057c0807a758a

        SHA256

        d369eab888364452f6d984ed12b071538a3dbfa8a53cbaa66bb177f92f1c94ae

        SHA512

        0722b8d2074faa6ed6c6c805cb427035f817d75e223f8e751a907d554db090b9842c2e1fcf967ead90ca56a71e35943ef75a37562b6af37f2f2caf22d18da54d

      • C:\temp\test\Autoit3.exe

        Filesize

        872KB

        MD5

        c56b5f0201a3b3de53e561fe76912bfd

        SHA1

        2a4062e10a5de813f5688221dbeb3f3ff33eb417

        SHA256

        237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

        SHA512

        195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      • \??\c:\temp\test\script.a3x

        Filesize

        585KB

        MD5

        ecee8b8c60cca255f5e35abc3372ed03

        SHA1

        14b7ea450ac07450748bfd810437c89a1c4eae69

        SHA256

        c7377cf160039a8fb2bccac03992cb35da9d5c3097c52b4324526b26fe974ded

        SHA512

        e468130371ec6399fa1f154a9a6408bd86781bad8b5eb6d0edfa1bff520a47d83bf78b557f873cf255b274dfb6bf9ace559856a8bc28af96a59582ff617bbe7a

      • memory/628-38-0x0000000002FF0000-0x0000000003792000-memory.dmp

        Filesize

        7.6MB

      • memory/628-30-0x0000000002FF0000-0x0000000003792000-memory.dmp

        Filesize

        7.6MB

      • memory/628-37-0x0000000002FF0000-0x0000000003792000-memory.dmp

        Filesize

        7.6MB

      • memory/628-40-0x0000000002FF0000-0x0000000003792000-memory.dmp

        Filesize

        7.6MB

      • memory/628-39-0x0000000002FF0000-0x0000000003792000-memory.dmp

        Filesize

        7.6MB

      • memory/628-36-0x0000000002FF0000-0x0000000003792000-memory.dmp

        Filesize

        7.6MB

      • memory/2368-41-0x00000000028F0000-0x0000000003092000-memory.dmp

        Filesize

        7.6MB

      • memory/2540-27-0x0000000004370000-0x00000000046C5000-memory.dmp

        Filesize

        3.3MB

      • memory/2540-14-0x0000000004370000-0x00000000046C5000-memory.dmp

        Filesize

        3.3MB

      • memory/2540-13-0x00000000013A0000-0x00000000017A0000-memory.dmp

        Filesize

        4.0MB

      • memory/4008-6-0x0000000002AA0000-0x00000000048B5000-memory.dmp

        Filesize

        30.1MB

      • memory/4008-0-0x00000000048C0000-0x00000000066D9000-memory.dmp

        Filesize

        30.1MB