Overview

overview

10

Static

static

3

f7d4f261a9...77.exe

windows7-x64

10

f7d4f261a9...77.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2024 11:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f7d4f261a959d790aaca39d1ebb9f26c4623c52c074776590394216bb810ff77.exe

  • Size

    6.7MB

  • MD5

    726baf607d5d6e364c3c610230e371b8

  • SHA1

    809f2cb846a766ff94b7fb86db7d4eab07883975

  • SHA256

    f7d4f261a959d790aaca39d1ebb9f26c4623c52c074776590394216bb810ff77

  • SHA512

    5494fa84d9049d75199aaf494e1a7fe72bf977853558d2ed1565530fd26345615e35eb79476bd28a187778004645597fa0960fc73085a783f97d64ff79482262

  • SSDEEP

    98304:FRXveERYHssF12MVwjbFGzdaDMF/Qi0GyREcBhmca3wjA5Ok/OyCF:FRbRYM612MVQbF8gOOCcBhmca3w0oF

Score
10/10
darkgatedrk3discoveryexecutionpersistencestealer

Malware Config

Extracted

Family

darkgate

Botnet

drk3

C2

aspava-yachting.com

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    kDWIiPpI

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    drk3

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Darkgate family
    darkgate
  • Detect DarkGate stealer 9 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Using AutoIT for possible automate script.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1184
      • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:2456
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      1⤵
        PID:1532
        • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
          "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
          2⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:2972
      • C:\Users\Admin\AppData\Local\Temp\f7d4f261a959d790aaca39d1ebb9f26c4623c52c074776590394216bb810ff77.exe
        "C:\Users\Admin\AppData\Local\Temp\f7d4f261a959d790aaca39d1ebb9f26c4623c52c074776590394216bb810ff77.exe"
        1⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1820
        • \??\c:\temp\test\Autoit3.exe
          "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Command and Scripting Interpreter: AutoIT
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2440
          • \??\c:\windows\SysWOW64\cmd.exe
            "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ekgcche\dfdfcff
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2948
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic ComputerSystem get domain
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2292

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\ekgcche\dfdfcff
        Filesize

        54B

        MD5

        c8bbad190eaaa9755c8dfb1573984d81

        SHA1

        17ad91294403223fde66f687450545a2bad72af5

        SHA256

        7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

        SHA512

        05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

        Download Submit

      • C:\ProgramData\ekgcche\dhebaaf
        Filesize

        1KB

        MD5

        814cb17f56a5bde2ab9fda6104183f18

        SHA1

        62e34c52d2a14be9afbdb3eeae9bacbeb73376d8

        SHA256

        1d2feb5220cf3a3d0b2b2c2dfcd74196ceb8dba6be8e30622b158f2343873a04

        SHA512

        0d94478c58791b10850cbc4b461be3e1c4cbf0bd2ab0e99862305d85c02b43b1661f9683a99d2ef2baea7227662b6870c20c46e84dd2afc24c894c6403dfadf1

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AKAaefc
        Filesize

        32B

        MD5

        30a5982c9432040ffc27349ff88ea117

        SHA1

        0129b2650851ac66e9b87d44af26af36adbbdc9e

        SHA256

        0acaeddd1d4bc410266199a7feffddd2a44ab888e6afa8e250c4ea0284f642d4

        SHA512

        1a0d7edc991ad7648f9922abca2556dd2b5a634a483bdcc27d4e20bcacd17a13a0b1cc3179d2ecc1e329fd08ddbec41414ecaed0ba633b499b726c3d07cc1494

        Download Submit

      • C:\temp\bedkfah
        Filesize

        4B

        MD5

        f8ce33b2fd057ace1eda893bb5f79c6a

        SHA1

        e2c73ab2750396ecda7e5d7e4d9320783e34ef62

        SHA256

        d102e4d52a16eba7fa4f389cb76f60eb99ee82f31d2a2fd41c76f6bb4e21e23c

        SHA512

        e2face1876b3cfe63bc453212dcd570e252c26cca8784c2dd768b7991471c3c448a31da49c529e764ff312de6dcb396f95e686292215161cab56b44a46842e4e

        Download Submit

      • C:\temp\cadfebh
        Filesize

        4B

        MD5

        9fa69d87e132bd2784b5f4f68cb0a30d

        SHA1

        199d030f2e24742fa0b33dba12b60a9e693fde96

        SHA256

        1b8b1045f57fd5625c5a80c8ceb03f24a352a6aa61646b6ef8b846c6e3815966

        SHA512

        3d2b1271b0f60710dfbd63c4990cffe05c437fa18570e53a604985e7cd488ce5784121970aebd33dfd501d1a5e2942d5512fa7c3eae66288fc5a1af547c6cd15

        Download Submit

      • C:\temp\cadfebh
        Filesize

        4B

        MD5

        27131be398720cc04731acce24c625de

        SHA1

        1c408952d4b28e9942c37c30ff285a5f44c7ae76

        SHA256

        d8732f94be1abed84159ed9cb0d6175a2f6ae34191399660e4957d7819c9b4b9

        SHA512

        5936321e79c47d3956e7eedce55ce6ed133c99c74e5565ebbd1785460b4e5a144a451231ac6669403c1c1382388162216ff65caded48a81e851b721dc2039325

        Download Submit

      • \??\c:\temp\test\script.a3x
        Filesize

        585KB

        MD5

        ecee8b8c60cca255f5e35abc3372ed03

        SHA1

        14b7ea450ac07450748bfd810437c89a1c4eae69

        SHA256

        c7377cf160039a8fb2bccac03992cb35da9d5c3097c52b4324526b26fe974ded

        SHA512

        e468130371ec6399fa1f154a9a6408bd86781bad8b5eb6d0edfa1bff520a47d83bf78b557f873cf255b274dfb6bf9ace559856a8bc28af96a59582ff617bbe7a

        Download Submit

      • \temp\test\Autoit3.exe
        Filesize

        872KB

        MD5

        c56b5f0201a3b3de53e561fe76912bfd

        SHA1

        2a4062e10a5de813f5688221dbeb3f3ff33eb417

        SHA256

        237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

        SHA512

        195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

        Download Submit

      • memory/1820-0-0x0000000004520000-0x0000000006339000-memory.dmp

        Filesize

        30.1MB

        Download

      • memory/1820-6-0x0000000002700000-0x0000000004515000-memory.dmp

        Filesize

        30.1MB

        Download

      • memory/2440-17-0x0000000003020000-0x0000000003375000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2440-16-0x00000000009B0000-0x0000000000DB0000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2440-29-0x0000000003020000-0x0000000003375000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2456-32-0x0000000002050000-0x00000000027F2000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/2456-40-0x0000000002050000-0x00000000027F2000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/2456-41-0x0000000002050000-0x00000000027F2000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/2456-39-0x0000000002050000-0x00000000027F2000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/2456-38-0x0000000002050000-0x00000000027F2000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/2456-42-0x0000000002050000-0x00000000027F2000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/2972-43-0x0000000002050000-0x00000000027F2000-memory.dmp

        Filesize

        7.6MB

        Download