Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-12-2024 11:51

General

  • Target

    f7d4f261a959d790aaca39d1ebb9f26c4623c52c074776590394216bb810ff77.exe

  • Size

    6.7MB

  • MD5

    726baf607d5d6e364c3c610230e371b8

  • SHA1

    809f2cb846a766ff94b7fb86db7d4eab07883975

  • SHA256

    f7d4f261a959d790aaca39d1ebb9f26c4623c52c074776590394216bb810ff77

  • SHA512

    5494fa84d9049d75199aaf494e1a7fe72bf977853558d2ed1565530fd26345615e35eb79476bd28a187778004645597fa0960fc73085a783f97d64ff79482262

  • SSDEEP

    98304:FRXveERYHssF12MVwjbFGzdaDMF/Qi0GyREcBhmca3wjA5Ok/OyCF:FRbRYM612MVQbF8gOOCcBhmca3w0oF

Malware Config

Extracted

Family

darkgate

Botnet

drk3

C2

aspava-yachting.com

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    kDWIiPpI

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    drk3

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

  • Darkgate family
  • Detect DarkGate stealer 9 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Uses AutoIT, possibly to run an automated script.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\sihost.exe (level 1)
    sihost.exe
    PID:2852
    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe (level 2)
      "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:1860
    • C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe (level 2)
      "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1936
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (level 1)
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID:3872
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (level 1)
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    PID:2060
  • C:\Users\Admin\AppData\Local\Temp\f7d4f261a959d790aaca39d1ebb9f26c4623c52c074776590394216bb810ff77.exe (level 1)
    "C:\Users\Admin\AppData\Local\Temp\f7d4f261a959d790aaca39d1ebb9f26c4623c52c074776590394216bb810ff77.exe"
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4864
    • \??\c:\temp\test\Autoit3.exe (level 2)
      "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Executes dropped EXE
      • Command and Scripting Interpreter: AutoIT
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:372
      • \??\c:\windows\SysWOW64\cmd.exe (level 3)
        "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\hkaedke\bakabff
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:408
        • C:\Windows\SysWOW64\Wbem\WMIC.exe (level 4)
          wmic ComputerSystem get domain
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2720

        Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\ProgramData\hkaedke\acfaecc

          Filesize

          1KB

          MD5

          c3d4d0971e18f5e4f41de2fb6284cf76

          SHA1

          26adecd1166b96c50faf9f204344274c8a180bc6

          SHA256

          8cc6f679fdefefb90bfa768e8665911b338002facd6dcebdd67456846214b96e

          SHA512

          c49fdd4e07bbcf76c6486e3b58c75d3334c9c56303688cf0a6774c35359ca54862ecf68aad31b22d072f4480c8f6042986a31e543c686e36bfbc29ae7bbca4e5

        • C:\ProgramData\hkaedke\bakabff

          Filesize

          54B

          MD5

          c8bbad190eaaa9755c8dfb1573984d81

          SHA1

          17ad91294403223fde66f687450545a2bad72af5

          SHA256

          7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

          SHA512

          05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

        • C:\Users\Admin\AppData\Roaming\GbcfHbD

          Filesize

          32B

          MD5

          ad514660dc761f2df319b6c365b7a548

          SHA1

          5e27a35d1ec09000f3215ffb3e29506d05be52f6

          SHA256

          015192fff162a52d237f114a1bfe1eb1bbc9a076190a9dba60351fce9ada69c4

          SHA512

          0b78971c36245ecce0fd933391ebcd564312328e1d4e31a857280d2a6c130049a6f4470c8028cff63084928798a92d617704843dc82b14501c8be89c7ba77066

        • C:\temp\ckbkgdd

          Filesize

          4B

          MD5

          a679f4c23006ebb968305aeb848932fd

          SHA1

          5ea6613a63620c5db9efb9365c47af69a3e22d44

          SHA256

          946e211677ffa2cabd39989df28404f0fb381ff2a3cbdcd59c51689ca3787a19

          SHA512

          453db6f20de7ca63bca7be1a2274c3d94141b5b2f25ed495472d7f911f4be41a940b1b42e7916a59311833485d7882171f1d3d1851ae1d5b66fdb4f7a3c89c23

        • C:\temp\ckbkgdd

          Filesize

          4B

          MD5

          b7aa777387e89f6fa13680352dae6aa0

          SHA1

          10ff30e4c8ff3f894b1fa77aa7a58b3f80b2e409

          SHA256

          3092108ce535c03d920ef8d16bd85532a5404e5f55c5a8eb509ad578491a6a2f

          SHA512

          fcac1d0f6eb49925c21fd4d36eedeaab75f94ff679e4b46bcf7b981d93380125a64e6b66214b2dccbd32e4fd44db7ec0b842e0389810129c4d52f033549bfe86

        • C:\temp\hfeeceh

          Filesize

          4B

          MD5

          23e3cffbe0db6041ea1f900f8979b941

          SHA1

          53ca915a052c3b590659d61eccc21ccd2c98a107

          SHA256

          dd658b9a04df93227182a69edec6dd73f9db75e6a31b447633075c3bfb7f6f9e

          SHA512

          9d1c39a030cae5424c2bdf0e5663247a6efe4b147aa13181fc97b66c22aed11ce86191c286d5fde451975ff0d36e3428ac6a66de3a49e665363c3c35a71468d0

        • C:\temp\test\Autoit3.exe

          Filesize

          872KB

          MD5

          c56b5f0201a3b3de53e561fe76912bfd

          SHA1

          2a4062e10a5de813f5688221dbeb3f3ff33eb417

          SHA256

          237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

          SHA512

          195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

        • \??\c:\temp\test\script.a3x

          Filesize

          585KB

          MD5

          ecee8b8c60cca255f5e35abc3372ed03

          SHA1

          14b7ea450ac07450748bfd810437c89a1c4eae69

          SHA256

          c7377cf160039a8fb2bccac03992cb35da9d5c3097c52b4324526b26fe974ded

          SHA512

          e468130371ec6399fa1f154a9a6408bd86781bad8b5eb6d0edfa1bff520a47d83bf78b557f873cf255b274dfb6bf9ace559856a8bc28af96a59582ff617bbe7a

        • memory/372-15-0x0000000003D50000-0x00000000040A5000-memory.dmp

          Filesize

          3.3MB

        • memory/372-27-0x0000000003D50000-0x00000000040A5000-memory.dmp

          Filesize

          3.3MB

        • memory/372-14-0x0000000000E10000-0x0000000001210000-memory.dmp

          Filesize

          4.0MB

        • memory/1860-30-0x00000000028E0000-0x0000000003082000-memory.dmp

          Filesize

          7.6MB

        • memory/1860-37-0x00000000028E0000-0x0000000003082000-memory.dmp

          Filesize

          7.6MB

        • memory/1860-38-0x00000000028E0000-0x0000000003082000-memory.dmp

          Filesize

          7.6MB

        • memory/1860-40-0x00000000028E0000-0x0000000003082000-memory.dmp

          Filesize

          7.6MB

        • memory/1860-39-0x00000000028E0000-0x0000000003082000-memory.dmp

          Filesize

          7.6MB

        • memory/1860-36-0x00000000028E0000-0x0000000003082000-memory.dmp

          Filesize

          7.6MB

        • memory/1936-41-0x0000000002FC0000-0x0000000003762000-memory.dmp

          Filesize

          7.6MB

        • memory/4864-0-0x00000000047B0000-0x00000000065C9000-memory.dmp

          Filesize

          30.1MB

        • memory/4864-5-0x0000000002990000-0x00000000047A5000-memory.dmp

          Filesize

          30.1MB