darkgate | f7d4f261a959d790aaca39d1ebb9f26c4623c52c074776590394216bb810ff77

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7d4f261a959d790aaca39d1ebb9f26c4623c52c074776590394216bb810ff77.exe
Size

6.7MB
MD5

726baf607d5d6e364c3c610230e371b8
SHA1

809f2cb846a766ff94b7fb86db7d4eab07883975
SHA256

f7d4f261a959d790aaca39d1ebb9f26c4623c52c074776590394216bb810ff77
SHA512

5494fa84d9049d75199aaf494e1a7fe72bf977853558d2ed1565530fd26345615e35eb79476bd28a187778004645597fa0960fc73085a783f97d64ff79482262
SSDEEP

98304:FRXveERYHssF12MVwjbFGzdaDMF/Qi0GyREcBhmca3wjA5Ok/OyCF:FRbRYM612MVQbF8gOOCcBhmca3w0oF

Score

10^/10

darkgate drk3 discovery execution persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

drk3

aspava-yachting.com

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
kDWIiPpI
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
drk3

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 9 IoCs

resource	yara_rule
behavioral1/memory/2156-17-0x0000000003020000-0x0000000003375000-memory.dmp	family_darkgate_v6
behavioral1/memory/2156-29-0x0000000003020000-0x0000000003375000-memory.dmp	family_darkgate_v6
behavioral1/memory/2772-32-0x0000000001E10000-0x00000000025B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2772-39-0x0000000001E10000-0x00000000025B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2772-40-0x0000000001E10000-0x00000000025B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2772-42-0x0000000001E10000-0x00000000025B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2772-41-0x0000000001E10000-0x00000000025B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2772-38-0x0000000001E10000-0x00000000025B2000-memory.dmp	family_darkgate_v6
behavioral1/memory/2892-43-0x0000000001E50000-0x00000000025F2000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2156 created 1164	2156	Autoit3.exe	20
PID 2772 created 1112	2772	GoogleUpdateCore.exe	19

Executes dropped EXE 1 IoCs

pid	Process
2156	Autoit3.exe

Loads dropped DLL 1 IoCs

pid	Process
2368	f7d4f261a959d790aaca39d1ebb9f26c4623c52c074776590394216bb810ff77.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\hchakbf = "\"C:\\ProgramData\\hbkaagh\\Autoit3.exe\" C:\\ProgramData\\hbkaagh\\gcdgehd.a3x"	GoogleUpdateCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\hchakbf = "\"C:\\ProgramData\\hbkaagh\\Autoit3.exe\" C:\\ProgramData\\hbkaagh\\gcdgehd.a3x"	GoogleUpdateCore.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
2156	Autoit3.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7d4f261a959d790aaca39d1ebb9f26c4623c52c074776590394216bb810ff77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2156	Autoit3.exe
2156	Autoit3.exe
2772	GoogleUpdateCore.exe
2772	GoogleUpdateCore.exe
2892	GoogleUpdateCore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2772	GoogleUpdateCore.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3036	WMIC.exe
Token: SeSecurityPrivilege	3036	WMIC.exe
Token: SeTakeOwnershipPrivilege	3036	WMIC.exe
Token: SeLoadDriverPrivilege	3036	WMIC.exe
Token: SeSystemProfilePrivilege	3036	WMIC.exe
Token: SeSystemtimePrivilege	3036	WMIC.exe
Token: SeProfSingleProcessPrivilege	3036	WMIC.exe
Token: SeIncBasePriorityPrivilege	3036	WMIC.exe
Token: SeCreatePagefilePrivilege	3036	WMIC.exe
Token: SeBackupPrivilege	3036	WMIC.exe
Token: SeRestorePrivilege	3036	WMIC.exe
Token: SeShutdownPrivilege	3036	WMIC.exe
Token: SeDebugPrivilege	3036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3036	WMIC.exe
Token: SeRemoteShutdownPrivilege	3036	WMIC.exe
Token: SeUndockPrivilege	3036	WMIC.exe
Token: SeManageVolumePrivilege	3036	WMIC.exe
Token: 33	3036	WMIC.exe
Token: 34	3036	WMIC.exe
Token: 35	3036	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3036	WMIC.exe
Token: SeSecurityPrivilege	3036	WMIC.exe
Token: SeTakeOwnershipPrivilege	3036	WMIC.exe
Token: SeLoadDriverPrivilege	3036	WMIC.exe
Token: SeSystemProfilePrivilege	3036	WMIC.exe
Token: SeSystemtimePrivilege	3036	WMIC.exe
Token: SeProfSingleProcessPrivilege	3036	WMIC.exe
Token: SeIncBasePriorityPrivilege	3036	WMIC.exe
Token: SeCreatePagefilePrivilege	3036	WMIC.exe
Token: SeBackupPrivilege	3036	WMIC.exe
Token: SeRestorePrivilege	3036	WMIC.exe
Token: SeShutdownPrivilege	3036	WMIC.exe
Token: SeDebugPrivilege	3036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3036	WMIC.exe
Token: SeRemoteShutdownPrivilege	3036	WMIC.exe
Token: SeUndockPrivilege	3036	WMIC.exe
Token: SeManageVolumePrivilege	3036	WMIC.exe
Token: 33	3036	WMIC.exe
Token: 34	3036	WMIC.exe
Token: 35	3036	WMIC.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2156	2368	f7d4f261a959d790aaca39d1ebb9f26c4623c52c074776590394216bb810ff77.exe	30
PID 2368 wrote to memory of 2156	2368	f7d4f261a959d790aaca39d1ebb9f26c4623c52c074776590394216bb810ff77.exe	30
PID 2368 wrote to memory of 2156	2368	f7d4f261a959d790aaca39d1ebb9f26c4623c52c074776590394216bb810ff77.exe	30
PID 2368 wrote to memory of 2156	2368	f7d4f261a959d790aaca39d1ebb9f26c4623c52c074776590394216bb810ff77.exe	30
PID 2156 wrote to memory of 2392	2156	Autoit3.exe	31
PID 2156 wrote to memory of 2392	2156	Autoit3.exe	31
PID 2156 wrote to memory of 2392	2156	Autoit3.exe	31
PID 2156 wrote to memory of 2392	2156	Autoit3.exe	31
PID 2392 wrote to memory of 3036	2392	cmd.exe	33
PID 2392 wrote to memory of 3036	2392	cmd.exe	33
PID 2392 wrote to memory of 3036	2392	cmd.exe	33
PID 2392 wrote to memory of 3036	2392	cmd.exe	33
PID 2156 wrote to memory of 2772	2156	Autoit3.exe	36
PID 2156 wrote to memory of 2772	2156	Autoit3.exe	36
PID 2156 wrote to memory of 2772	2156	Autoit3.exe	36
PID 2156 wrote to memory of 2772	2156	Autoit3.exe	36
PID 2156 wrote to memory of 2772	2156	Autoit3.exe	36
PID 2156 wrote to memory of 2772	2156	Autoit3.exe	36
PID 2156 wrote to memory of 2772	2156	Autoit3.exe	36
PID 2156 wrote to memory of 2772	2156	Autoit3.exe	36
PID 2772 wrote to memory of 2892	2772	GoogleUpdateCore.exe	37
PID 2772 wrote to memory of 2892	2772	GoogleUpdateCore.exe	37
PID 2772 wrote to memory of 2892	2772	GoogleUpdateCore.exe	37
PID 2772 wrote to memory of 2892	2772	GoogleUpdateCore.exe	37
PID 2772 wrote to memory of 2892	2772	GoogleUpdateCore.exe	37
PID 2772 wrote to memory of 2892	2772	GoogleUpdateCore.exe	37
PID 2772 wrote to memory of 2892	2772	GoogleUpdateCore.exe	37
PID 2772 wrote to memory of 2892	2772	GoogleUpdateCore.exe	37

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2892

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2772

C:\Users\Admin\AppData\Local\Temp\f7d4f261a959d790aaca39d1ebb9f26c4623c52c074776590394216bb810ff77.exe
"C:\Users\Admin\AppData\Local\Temp\f7d4f261a959d790aaca39d1ebb9f26c4623c52c074776590394216bb810ff77.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- \??\c:\temp\test\Autoit3.exe
  "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Command and Scripting Interpreter: AutoIT
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2156
- - \??\c:\windows\SysWOW64\cmd.exe
    "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\hbkaagh\dfhddhb
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get domain
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hbkaagh\bdeaaka

Filesize
1KB

MD5
cced1d2efbd0291179e0310fa9308ce3

SHA1
e7001b1bc4a6c3ad696a82656079222acd0988ef

SHA256
30507abcad8202b25c7d32025ee2b43764f2441b2991c2361ed99195a0a2acc0

SHA512
540b5710843f345c28d71c8fe7901dffcb0a9ffd4170b273e83fcd7e7de8a4a1fe4e8d5d6a247c334423b4ffe94bfe29e0eaf1c0801549bb1c67412c2d62935b

Download Submit
C:\ProgramData\hbkaagh\dfhddhb

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\Users\Admin\AppData\Roaming\GDCCEeb

Filesize
32B

MD5
3a23689e0bca4f6cb0340501effc1a79

SHA1
cd9ef8a85f3af1a6b49a2e398c20c4f14144818e

SHA256
0364a3372d4414591bb8969ac4de679e55a6d535bbc3379c9fc6e08f1e6200eb

SHA512
448864ff158f4b7cc81a2e34fa791c29b8ed5e30fc06cd37df23ebf5c70284c1a5a2caf5fcbf877a2bd82fbae181f69eacfd06f44ad178ca77137ae653872a2a

Download Submit
C:\temp\bacbffe

Filesize
4B

MD5
1441b21f1716aacc799c4eee3aa808a4

SHA1
ffb88bd42048dc4548d9b38b086a22efce7f9cc6

SHA256
f5b02265351b197bad563785b872d57ae4b37668a7dbc121fa88e9b0ae798faa

SHA512
58a652c314f8958263f2415e92e0fceaffebb2d8251cb351ef26105906aae5b19c0b54b171494888bcbb6b1d9e2de874d63677cb3bd84dbaa022de0d769b9263

Download Submit
C:\temp\bacbffe

Filesize
4B

MD5
df7fc5eaaad659c731675e08a928cc9e

SHA1
656021e7a7ceb5b56024ad1f952a3090159098b8

SHA256
8ed4b12399b1173e06d87f1be6bf5c3345355162ca24152abc370c5d02b8c191

SHA512
e75cac0177b8927bc3090d6eb44fe415a1752ab5693301d0b1ccddc3a4e10852b3c5effd9a82391f996d14cab58724871a222ec507450f9569ba70d52a1aca1e

Download Submit
C:\temp\hccbkac

Filesize
4B

MD5
823de628c774dbc4629de410f25c43cd

SHA1
f9e806abfc9d2965ce3bcc1a8812a0ce2f57b696

SHA256
da5dd4f0cd1b7002e3586fa8262f1501f0b96b6be0a705e9f36388e6b5493c2a

SHA512
e9abf9c14eaa459bf32a013592255881b4b915fa69a6d3a7cb8ca4fe23eb653c2befd4332948d3e2ba936828c50d3c0d11d06e601f6401e93d2505b9fe05ef4f

Download Submit
C:\temp\test\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\test\script.a3x

Filesize
585KB

MD5
ecee8b8c60cca255f5e35abc3372ed03

SHA1
14b7ea450ac07450748bfd810437c89a1c4eae69

SHA256
c7377cf160039a8fb2bccac03992cb35da9d5c3097c52b4324526b26fe974ded

SHA512
e468130371ec6399fa1f154a9a6408bd86781bad8b5eb6d0edfa1bff520a47d83bf78b557f873cf255b274dfb6bf9ace559856a8bc28af96a59582ff617bbe7a

Download Submit
memory/2156-16-0x0000000000900000-0x0000000000D00000-memory.dmp

Filesize
4.0MB

Download
memory/2156-29-0x0000000003020000-0x0000000003375000-memory.dmp

Filesize
3.3MB

Download
memory/2156-17-0x0000000003020000-0x0000000003375000-memory.dmp

Filesize
3.3MB

Download
memory/2368-2-0x00000000043A0000-0x00000000061B9000-memory.dmp

Filesize
30.1MB

Download
memory/2368-8-0x0000000002580000-0x0000000004395000-memory.dmp

Filesize
30.1MB

Download
memory/2772-32-0x0000000001E10000-0x00000000025B2000-memory.dmp

Filesize
7.6MB

Download
memory/2772-39-0x0000000001E10000-0x00000000025B2000-memory.dmp

Filesize
7.6MB

Download
memory/2772-40-0x0000000001E10000-0x00000000025B2000-memory.dmp

Filesize
7.6MB

Download
memory/2772-42-0x0000000001E10000-0x00000000025B2000-memory.dmp

Filesize
7.6MB

Download
memory/2772-41-0x0000000001E10000-0x00000000025B2000-memory.dmp

Filesize
7.6MB

Download
memory/2772-38-0x0000000001E10000-0x00000000025B2000-memory.dmp

Filesize
7.6MB

Download
memory/2892-43-0x0000000001E50000-0x00000000025F2000-memory.dmp

Filesize
7.6MB

Download