darkgate | a75197137718a7ab7e63ed48f1ffae611768ad3c9a9babc65165ac5ec1131b4e

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-23_1b46d77faf5e28b73a54fbb8623968d1_luca-stealer_magniber.exe
Size

4.9MB
MD5

1b46d77faf5e28b73a54fbb8623968d1
SHA1

466b490653adde204527af534c140444fd078f7e
SHA256

a75197137718a7ab7e63ed48f1ffae611768ad3c9a9babc65165ac5ec1131b4e
SHA512

ae4e13cded9cfa7747b250e1ecb974b2099a333f831ecba30cf52ff3a67e412f2e8487ac7c7feeb0f1c970bc83b216cf398a375cdf3c962117ee5fca879a26a6
SSDEEP

98304:TikqNYWjk6M3DfOzcO4sCsvgbBU54zCXBOooIk+JAj:TiTNjk6M3zOAOTxI8mCR4/L

Score

10^/10

darkgate drk3 discovery execution persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

drk3

harlemsupport.com

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
wvAQVXRk
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
drk3

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 9 IoCs

resource	yara_rule
behavioral1/memory/2080-17-0x00000000030D0000-0x0000000003425000-memory.dmp	family_darkgate_v6
behavioral1/memory/2080-28-0x00000000030D0000-0x0000000003425000-memory.dmp	family_darkgate_v6
behavioral1/memory/964-31-0x0000000001E60000-0x0000000002602000-memory.dmp	family_darkgate_v6
behavioral1/memory/964-38-0x0000000001E60000-0x0000000002602000-memory.dmp	family_darkgate_v6
behavioral1/memory/964-39-0x0000000001E60000-0x0000000002602000-memory.dmp	family_darkgate_v6
behavioral1/memory/964-41-0x0000000001E60000-0x0000000002602000-memory.dmp	family_darkgate_v6
behavioral1/memory/964-40-0x0000000001E60000-0x0000000002602000-memory.dmp	family_darkgate_v6
behavioral1/memory/964-42-0x0000000001E60000-0x0000000002602000-memory.dmp	family_darkgate_v6
behavioral1/memory/1888-43-0x0000000001E60000-0x0000000002602000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2080 created 1412	2080	Autoit3.exe	34
PID 964 created 1156	964	GoogleUpdateCore.exe	20

Executes dropped EXE 1 IoCs

pid	Process
2080	Autoit3.exe

Loads dropped DLL 1 IoCs

pid	Process
2324	2024-12-23_1b46d77faf5e28b73a54fbb8623968d1_luca-stealer_magniber.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\fehfkdh = "\"C:\\ProgramData\\fcabbeh\\Autoit3.exe\" C:\\ProgramData\\fcabbeh\\beheaee.a3x"	GoogleUpdateCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\fehfkdh = "\"C:\\ProgramData\\fcabbeh\\Autoit3.exe\" C:\\ProgramData\\fcabbeh\\beheaee.a3x"	GoogleUpdateCore.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
2080	Autoit3.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-23_1b46d77faf5e28b73a54fbb8623968d1_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2080	Autoit3.exe
2080	Autoit3.exe
964	GoogleUpdateCore.exe
964	GoogleUpdateCore.exe
1888	GoogleUpdateCore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
964	GoogleUpdateCore.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1412	WMIC.exe
Token: SeSecurityPrivilege	1412	WMIC.exe
Token: SeTakeOwnershipPrivilege	1412	WMIC.exe
Token: SeLoadDriverPrivilege	1412	WMIC.exe
Token: SeSystemProfilePrivilege	1412	WMIC.exe
Token: SeSystemtimePrivilege	1412	WMIC.exe
Token: SeProfSingleProcessPrivilege	1412	WMIC.exe
Token: SeIncBasePriorityPrivilege	1412	WMIC.exe
Token: SeCreatePagefilePrivilege	1412	WMIC.exe
Token: SeBackupPrivilege	1412	WMIC.exe
Token: SeRestorePrivilege	1412	WMIC.exe
Token: SeShutdownPrivilege	1412	WMIC.exe
Token: SeDebugPrivilege	1412	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1412	WMIC.exe
Token: SeRemoteShutdownPrivilege	1412	WMIC.exe
Token: SeUndockPrivilege	1412	WMIC.exe
Token: SeManageVolumePrivilege	1412	WMIC.exe
Token: 33	1412	WMIC.exe
Token: 34	1412	WMIC.exe
Token: 35	1412	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1412	WMIC.exe
Token: SeSecurityPrivilege	1412	WMIC.exe
Token: SeTakeOwnershipPrivilege	1412	WMIC.exe
Token: SeLoadDriverPrivilege	1412	WMIC.exe
Token: SeSystemProfilePrivilege	1412	WMIC.exe
Token: SeSystemtimePrivilege	1412	WMIC.exe
Token: SeProfSingleProcessPrivilege	1412	WMIC.exe
Token: SeIncBasePriorityPrivilege	1412	WMIC.exe
Token: SeCreatePagefilePrivilege	1412	WMIC.exe
Token: SeBackupPrivilege	1412	WMIC.exe
Token: SeRestorePrivilege	1412	WMIC.exe
Token: SeShutdownPrivilege	1412	WMIC.exe
Token: SeDebugPrivilege	1412	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1412	WMIC.exe
Token: SeRemoteShutdownPrivilege	1412	WMIC.exe
Token: SeUndockPrivilege	1412	WMIC.exe
Token: SeManageVolumePrivilege	1412	WMIC.exe
Token: 33	1412	WMIC.exe
Token: 34	1412	WMIC.exe
Token: 35	1412	WMIC.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2080	2324	2024-12-23_1b46d77faf5e28b73a54fbb8623968d1_luca-stealer_magniber.exe	30
PID 2324 wrote to memory of 2080	2324	2024-12-23_1b46d77faf5e28b73a54fbb8623968d1_luca-stealer_magniber.exe	30
PID 2324 wrote to memory of 2080	2324	2024-12-23_1b46d77faf5e28b73a54fbb8623968d1_luca-stealer_magniber.exe	30
PID 2324 wrote to memory of 2080	2324	2024-12-23_1b46d77faf5e28b73a54fbb8623968d1_luca-stealer_magniber.exe	30
PID 2080 wrote to memory of 2052	2080	Autoit3.exe	32
PID 2080 wrote to memory of 2052	2080	Autoit3.exe	32
PID 2080 wrote to memory of 2052	2080	Autoit3.exe	32
PID 2080 wrote to memory of 2052	2080	Autoit3.exe	32
PID 2052 wrote to memory of 1412	2052	cmd.exe	34
PID 2052 wrote to memory of 1412	2052	cmd.exe	34
PID 2052 wrote to memory of 1412	2052	cmd.exe	34
PID 2052 wrote to memory of 1412	2052	cmd.exe	34
PID 2080 wrote to memory of 964	2080	Autoit3.exe	36
PID 2080 wrote to memory of 964	2080	Autoit3.exe	36
PID 2080 wrote to memory of 964	2080	Autoit3.exe	36
PID 2080 wrote to memory of 964	2080	Autoit3.exe	36
PID 2080 wrote to memory of 964	2080	Autoit3.exe	36
PID 2080 wrote to memory of 964	2080	Autoit3.exe	36
PID 2080 wrote to memory of 964	2080	Autoit3.exe	36
PID 2080 wrote to memory of 964	2080	Autoit3.exe	36
PID 964 wrote to memory of 1888	964	GoogleUpdateCore.exe	37
PID 964 wrote to memory of 1888	964	GoogleUpdateCore.exe	37
PID 964 wrote to memory of 1888	964	GoogleUpdateCore.exe	37
PID 964 wrote to memory of 1888	964	GoogleUpdateCore.exe	37
PID 964 wrote to memory of 1888	964	GoogleUpdateCore.exe	37
PID 964 wrote to memory of 1888	964	GoogleUpdateCore.exe	37
PID 964 wrote to memory of 1888	964	GoogleUpdateCore.exe	37
PID 964 wrote to memory of 1888	964	GoogleUpdateCore.exe	37

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1156
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1888

C:\Users\Admin\AppData\Local\Temp\2024-12-23_1b46d77faf5e28b73a54fbb8623968d1_luca-stealer_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-23_1b46d77faf5e28b73a54fbb8623968d1_luca-stealer_magniber.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- \??\c:\temp\test\Autoit3.exe
  "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Command and Scripting Interpreter: AutoIT
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2080
- - \??\c:\windows\SysWOW64\cmd.exe
    "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\fcabbeh\ehbhhdg
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get domain
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1412
    - - C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of WriteProcessMemory
        
        PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fcabbeh\cdbbdhe

Filesize
1KB

MD5
d8a041c230d76a18047ba03b4deceeea

SHA1
474a55989f1b30a05c3900fa3204d7151f67004e

SHA256
4cb17de513ad8a9608c444f534440f03312fed54f61bc6bc5ca89f8acfe00ba8

SHA512
7ce8c72eb05b94ffeb145177fc36efca71b6c869b3b3a05b673f03086aa932d163e05faf2960a61d1d5067d9191dc9068f066c6349de84ebf493e32e7efc850e

Download Submit
C:\ProgramData\fcabbeh\ehbhhdg

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\Users\Admin\AppData\Roaming\EAfEEDH

Filesize
32B

MD5
abd300b1fbd7a38ae89d70eb07d13d44

SHA1
a9d8f51de9eb47597e75b0e8dc67629caeec4809

SHA256
05f37b0eb374d343f63b64d00547ed77c24e29a7feadbde6af0c80f8971f4f72

SHA512
36f75783dc6ec30d8dab112bb367a4235b4ccd3e7a2d12055ae766ec431bc578088e107de9a98c85907bc2f45d31c1575effdc81b869488cd54f50d17fd1607c

Download Submit
C:\temp\afffbga

Filesize
4B

MD5
b968963a8baa061dd2c206c17fe59223

SHA1
73a1e3fdf6771b06d8492aab02fbd509ab36568b

SHA256
f8547033a3bc85d9dad322aca1a958365952a8836487a5240bfb8bd7a6e7bc45

SHA512
9ba58d1e746240039848d3029ca44d448e15eac038daf51701d467390cc755bbcec6084bf4a23f25f1adddd220eb7830983e4ef3a6ca5a10766efb3b81d2b09d

Download Submit
C:\temp\eefddeg

Filesize
4B

MD5
abd7457ad49ced75574b575392eab269

SHA1
2c5319328b7e58781ab2f1814178ee7a657e04ae

SHA256
6e494a3aaafca751eebf219dc7ba78eefaf70a96c19e77f0d2f1cff958ebed02

SHA512
21f514ee512407c3763f91834bb6d8c5b836a1f1e42e192a10a173ea6a626e0b3763e67dded25728629b38ce0f6dbfed9a808cb51c2686c69c79191101f23253

Download Submit
C:\temp\eefddeg

Filesize
4B

MD5
1a61d60d96924c33cb1228199a745adf

SHA1
f58239093b1324a3ddab4728849fe8414677ec22

SHA256
862778b79b29bdbbb4e891a939a7a2fb4eaf6868900783b80bef68b192884a3a

SHA512
e66f510d417cf485f837be5636f9076e6432dd9238081f690a1f8f75c975e8e23262e5fc3b33fc6621d5dfb21efeba85ae840a60ec4b6e1f65bcc2b240b5fcde

Download Submit
\??\c:\temp\test\script.a3x

Filesize
582KB

MD5
755cff72d6a7d57b917958c3ee5c21d9

SHA1
a3942cf103d2e943410dd8d420b33bdb497abd29

SHA256
aba7e08fbaba1ae945fa2f41304713c78bf2f1cf86aedf04f3d38cc6db635516

SHA512
4b5ed8200f807ef6b8ef6fc9795a5d5a670fd61a19a1508773cd10d5e095b5ba482f4f5e18ade2bd7acbab591627f4832e2cf4b3333cb0c4aef831697fcc3191

Download Submit
\temp\test\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/964-39-0x0000000001E60000-0x0000000002602000-memory.dmp

Filesize
7.6MB

Download
memory/964-31-0x0000000001E60000-0x0000000002602000-memory.dmp

Filesize
7.6MB

Download
memory/964-38-0x0000000001E60000-0x0000000002602000-memory.dmp

Filesize
7.6MB

Download
memory/964-41-0x0000000001E60000-0x0000000002602000-memory.dmp

Filesize
7.6MB

Download
memory/964-40-0x0000000001E60000-0x0000000002602000-memory.dmp

Filesize
7.6MB

Download
memory/964-42-0x0000000001E60000-0x0000000002602000-memory.dmp

Filesize
7.6MB

Download
memory/1888-43-0x0000000001E60000-0x0000000002602000-memory.dmp

Filesize
7.6MB

Download
memory/2080-28-0x00000000030D0000-0x0000000003425000-memory.dmp

Filesize
3.3MB

Download
memory/2080-17-0x00000000030D0000-0x0000000003425000-memory.dmp

Filesize
3.3MB

Download
memory/2080-16-0x00000000009A0000-0x0000000000DA0000-memory.dmp

Filesize
4.0MB

Download
memory/2324-6-0x0000000002570000-0x0000000004384000-memory.dmp

Filesize
30.1MB

Download
memory/2324-0-0x0000000004390000-0x00000000061A8000-memory.dmp

Filesize
30.1MB

Download