Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-12-2024 19:54
General
-
Target
2024-12-23_1b46d77faf5e28b73a54fbb8623968d1_luca-stealer_magniber.exe
-
Size
4.9MB
-
MD5
1b46d77faf5e28b73a54fbb8623968d1
-
SHA1
466b490653adde204527af534c140444fd078f7e
-
SHA256
a75197137718a7ab7e63ed48f1ffae611768ad3c9a9babc65165ac5ec1131b4e
-
SHA512
ae4e13cded9cfa7747b250e1ecb974b2099a333f831ecba30cf52ff3a67e412f2e8487ac7c7feeb0f1c970bc83b216cf398a375cdf3c962117ee5fca879a26a6
-
SSDEEP
98304:TikqNYWjk6M3DfOzcO4sCsvgbBU54zCXBOooIk+JAj:TiTNjk6M3zOAOTxI8mCR4/L
Malware Config
Extracted
darkgate
drk3
harlemsupport.com
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
80
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_raw_stub
false
-
internal_mutex
wvAQVXRk
-
minimum_disk
100
-
minimum_ram
4096
-
ping_interval
6
-
rootkit
false
-
startup_persistence
true
-
username
drk3
Signatures
-
DarkGate
DarkGate is an infostealer written in C++.
-
Darkgate family
-
Detect DarkGate stealer 9 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs
Using AutoIT for possible automate script.
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-12-23_1b46d77faf5e28b73a54fbb8623968d1_luca-stealer_magniber.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-23_1b46d77faf5e28b73a54fbb8623968d1_luca-stealer_magniber.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\temp\test\Autoit3.exe"c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Command and Scripting Interpreter: AutoIT
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\cmd.exe"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\dbffghd\hdkhbea3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic ComputerSystem get domain4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5431162efd457e666d2e1400d7c33b08c
SHA134b6d01b1e117db9e0e4d473f2f2249bcc5cf980
SHA2568ed1a029636678369c82e2d12fde2092f288c4d03301e8fe7b08d2cba768cc6b
SHA5120b2883c5441a510d14279e765fff5e5a1539408db3ce784b392d7381702debc6c4ebad0fd94d8224dadc7c99080940de4af47e57d42786f85a25691db37f9b80
-
Filesize
54B
MD5c8bbad190eaaa9755c8dfb1573984d81
SHA117ad91294403223fde66f687450545a2bad72af5
SHA2567f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac
SHA51205f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df
-
Filesize
32B
MD51cd00e954e4c08b4bce51af5c2d0c805
SHA19d8ad1e0024ada35d530fb305a0887d03cb3058a
SHA25694a3e0d337498f0af1756e633a0e1a723fcce23e1d84929e9ba330346e0504a1
SHA51217399625cdb0a96a99a4b28548fdbf51c57cb3c98304aa14fa3736355a0b149749269bdc1d5663a18b3fe6e14a71f0d182dd9c57bb385d95b570f6d24e735d26
-
Filesize
4B
MD5a2a52e81de8a044d2e35ae7513e55376
SHA1b6fe84652b5451598e6d708eaabb6587bea779d7
SHA2568f99bdb3f3f452e8d6f117e978a4fc998a04441f4b344a51cf75f09bdb4d9f39
SHA512bcd415938ea103f463917b5e3bed6de2450026ff702ca01679c4968cdbfb77a01e489879077a5628d13a8d8a8ce7c92df0ede9e7515bc778caaede91d95d99c8
-
Filesize
4B
MD542f46b7c0dc7967a0a4fc45737a7209a
SHA15078f509dea801524b14533ebc2750b2fb4069c4
SHA2565e5795ec015d168e649ae2cf1e23442edba9e430bd0fd994cd72ef527989d6eb
SHA512619a93d1a17b375d4cdccfaf3e4369e0732da35c25166b8b366d6370275b9081eafdfe8a905d5f15c54796c1fd8ce4b464e55a41a265f36f6d2218b0cc1c734b
-
Filesize
4B
MD5cf8623084c3ec71a83f5ec78f65f0e08
SHA17584ba1b54c6df65ae7e51e27ccbc635c41f046a
SHA25612cb384d4160e4525b731c8407d94167d4c9d80d5c4800f36e7f18f395beaea5
SHA5125a30f7574a33a41d4ed7eb09b86f3e0145d4bae2cbec57e12c6460f71db62fee8bcfd2d67f3f7dc642275815aad0c7476a10e0456827587a42f61c1feff44437
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
582KB
MD5755cff72d6a7d57b917958c3ee5c21d9
SHA1a3942cf103d2e943410dd8d420b33bdb497abd29
SHA256aba7e08fbaba1ae945fa2f41304713c78bf2f1cf86aedf04f3d38cc6db635516
SHA5124b5ed8200f807ef6b8ef6fc9795a5d5a670fd61a19a1508773cd10d5e095b5ba482f4f5e18ade2bd7acbab591627f4832e2cf4b3333cb0c4aef831697fcc3191
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
4.0MB
-
Filesize
30.1MB
-
Filesize
30.1MB
-
Filesize
7.6MB
-
Filesize
7.6MB
-
Filesize
7.6MB
-
Filesize
7.6MB
-
Filesize
7.6MB
-
Filesize
7.6MB
-
Filesize
7.6MB