xred | 35acdf1a5578a8605697cc8053509c51e8737921168f6f9917ba72d4e8bdc3ee

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2025 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Size

34.7MB
MD5

253baf4a712d3bacc42c2c944c688feb
SHA1

9c54c6810b05ad51f31a14acd60131dca259716e
SHA256

35acdf1a5578a8605697cc8053509c51e8737921168f6f9917ba72d4e8bdc3ee
SHA512

3cc204d205fc509ebc6b0857de825b1e4fc4c5b0478fe44bb3a0e97d4bed95e67878ebee824e3e69d94b663c0abf7c21c2a31021d4e30e788c7e5451111c4d91
SSDEEP

393216:mXXdmf1JPPIbTv2zqfFOsvSqQs8yDuDhxMewmIaOiRrqNuZif8l1hSp0huAePYn6:Qw1JPGTvXfIsb45O8ZiY1s7g8Sw

Score

10^/10

xred backdoor bootkit discovery persistence spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
740	Synaptics.exe
3720	._cache_Synaptics.exe

Loads dropped DLL 2 IoCs

pid	Process
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3720	._cache_Synaptics.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus	._cache_Synaptics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
File opened for modification	\??\PhysicalDrive0	._cache_Synaptics.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2984	3544	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	._cache_Synaptics.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4424	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeDebugPrivilege	3720	._cache_Synaptics.exe
Token: SeShutdownPrivilege	3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeCreatePagefilePrivilege	3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeShutdownPrivilege	3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeCreatePagefilePrivilege	3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeShutdownPrivilege	3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeCreatePagefilePrivilege	3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeShutdownPrivilege	3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeCreatePagefilePrivilege	3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
Token: SeShutdownPrivilege	3720	._cache_Synaptics.exe
Token: SeCreatePagefilePrivilege	3720	._cache_Synaptics.exe
Token: SeShutdownPrivilege	3720	._cache_Synaptics.exe
Token: SeCreatePagefilePrivilege	3720	._cache_Synaptics.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4424	EXCEL.EXE
4424	EXCEL.EXE
4424	EXCEL.EXE
4424	EXCEL.EXE
4424	EXCEL.EXE
4424	EXCEL.EXE
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3720	._cache_Synaptics.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3720	._cache_Synaptics.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
3544	._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 3544	3536	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	83
PID 3536 wrote to memory of 3544	3536	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	83
PID 3536 wrote to memory of 3544	3536	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	83
PID 3536 wrote to memory of 740	3536	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	84
PID 3536 wrote to memory of 740	3536	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	84
PID 3536 wrote to memory of 740	3536	2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe	84
PID 740 wrote to memory of 3720	740	Synaptics.exe	85
PID 740 wrote to memory of 3720	740	Synaptics.exe	85
PID 740 wrote to memory of 3720	740	Synaptics.exe	85

C:\Users\Admin\AppData\Local\Temp\2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 3884
    3⤵
    - Program crash
    PID:2984
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks system information in the registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3720

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3544 -ip 3544
1⤵
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
34.7MB

MD5
253baf4a712d3bacc42c2c944c688feb

SHA1
9c54c6810b05ad51f31a14acd60131dca259716e

SHA256
35acdf1a5578a8605697cc8053509c51e8737921168f6f9917ba72d4e8bdc3ee

SHA512
3cc204d205fc509ebc6b0857de825b1e4fc4c5b0478fe44bb3a0e97d4bed95e67878ebee824e3e69d94b663c0abf7c21c2a31021d4e30e788c7e5451111c4d91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
1c3c3a439f6400df150a66b04100ab7b

SHA1
588b6fca2a794156f667893eb9547d7e0bfcfffa

SHA256
b4cb73b6230bd4737eeb672f6c982e2de6e9076ecdf0d2a19921b7f2f08f9772

SHA512
f4329ef97a8987ac9195ea89c3f48cf88635b2985f1eba6c6c5225c00e627ec422c03eaa112d5e3576109520be0bf4325e8d9976a8c191bfccb56f855c958f48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AFF4C9FF97737D462CF50EC898BC7191_BC43DAD391BCDC812EDD5190FB536EA5

Filesize
471B

MD5
b53693044134a8ca0c1ab6f8dafd76aa

SHA1
af860bf27f299483b0bb4897f29e93a9763415a5

SHA256
94f30126ccfc56044a5afb106537e69803723f015f3e0840dce93d56023808be

SHA512
af8877df4090daf59bbe16c29e406ffea159d7df8ccb56c1bf5e90188bc654b347eb76c9b4cff0874e5d619e0799734deccac99f0e773d6e4d1ac53646ca7848

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
928ef8af7c167e1a1f495ec32806d23c

SHA1
b89bfa0b58b353e6989e09e996291bd5caf23040

SHA256
df2ddf87cf4f09af856ae95bcc11ef25a1a24700f6d76a7281e0005f9e4c59e8

SHA512
06ed382a217cda42e96bb588540f17b706c05c122417a1fb8c60faf17fe586b6c9610b299a5fb264f47f2ea5eb42b34fd00ff27735a8cfee7b8d63a52365a1e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_AFB3BE9383420FBAFF24AD413EEA555E

Filesize
471B

MD5
2be0d2e5e52fe2fa24ffe155f3a0dd43

SHA1
d49f72d71ba4ad6263aa62458a4aa7dd967657a6

SHA256
552c7807b616aacb076347e44af70f044acf7baf4839831c44f12b490734b257

SHA512
4bc19353bac1f82cc542ab1fdc6d65d5bbd3a18cd6588625d355eb45d255dc9bd9cef4886f2648f094230ca8d03b3c1a978b6dac1c6e54055931974f0f24f9bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
afed79916c76a20b9f3be9de4f63a0b3

SHA1
6c8b6bb0532c1bd82ddf4fc43800988001d962aa

SHA256
275a964b01716a73e470216942a9c8ea40df58f29fa7d06e5847111166be46f3

SHA512
36c78862ac5a7dc12bb8ae3b97a61a1e0d63954a70af13bce645083dbfa1e9cc44eb6975a3a6a02e846dff5ecf58c2654b6fecf6a79e291f35b465128657c48f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
894bb1f497d6af8ad463615479a06fd4

SHA1
d5507945bc9b11dd65f40cfdeec4ee8cbd0ec2cf

SHA256
7861b2f2955190aa87c0ace43fb1a636badd5f8ed3fbea18723e0c9a2da2bca3

SHA512
04fecb01cc6d4c7ca770bef3f564d27b7647a04bf4438a2c48bd48ed1512e9c77b98c9b739abb08086ec213769eaf3c838fb0f81eca86488a57c56e885fbe093

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
00047fdbc218898842240e2d2c2e105d

SHA1
3ec709b2c267c60a1fa0cf16246355a4c4aa87c3

SHA256
d65e4816e3c1659ba1dd4aa38a8c31e5e17d2f3118760f1bb028bbfb6f255233

SHA512
635850e264a95469cad9da67f9927b213a60a3e6054e8d51ffb773399c424674eb4120bfea8c33aae3cca381a038e62a7443e0c93c2ed14fe6cf5520591dfd34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AFF4C9FF97737D462CF50EC898BC7191_BC43DAD391BCDC812EDD5190FB536EA5

Filesize
414B

MD5
b72abadb4f5960f1401361ea1fb238c3

SHA1
9cb753c9794607eabf962fa8b7ae69cecebd8609

SHA256
4933fc76077e5d290a4dffc74c4a57f693affa8e70938d72e09891ca2e1d51c3

SHA512
cd369d03a30085c3613c37390cfee50b165fc5430750854a8b3c107030f267b2d21a088f023685b26df2bc0e8812d8fe5e49590099769d68d1707ab6bf7daee7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
2875de4ee72f439bdeaba21692390667

SHA1
880cad8fed9beec490dc960e38987c2d1c7fa354

SHA256
ef6e1fd781ebc905ce849c9b300cfb33bc69de3d8140b806fcf46338d489d710

SHA512
1c5883a4cd7d343ccd611628387827084fe3e0b7619bc46add388bc20ff7dab518eb2029eec4cf7f354737558590302038ee8803a89d6c8c1cad1b792c431c2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_AFB3BE9383420FBAFF24AD413EEA555E

Filesize
404B

MD5
f8d7e2933dab55ca465ab6843611eb69

SHA1
d29a42dd35105c7c3633a2e05c4120b3f6201087

SHA256
453243f703cd236e768450b32c2acc23266a3b104dd370727a5fb5f473dd9669

SHA512
ed2a3ae053016e619dc8b0081383b63d474dd3c3bf740cddb30996eded7cae642fc9a9554ac1649771989bfadb721204f61c3dc6f305d2f9d8bcd07673800a97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
e54c5dc41d98688d0a317bbc45d2142e

SHA1
60b83b012758c271ef3c0a81a4e56f51e32dd6f8

SHA256
0723fb3eca33edd1dea01fa86b127b13f0b25dee255702a3b54fbc1659e56b44

SHA512
541769557b88ccfb3cad08cc6a092d59af232380435b62232c281997a6ec30a325dc8233c149057746cac9351dfe131d162cd167e5d89ae64ea4cd288a47002c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
444ecdaebf4ac4142e3d49f89a477b71

SHA1
488aaa0312256ed53c3274abfab3eef0fac27860

SHA256
1804e8dc9994e88ec7f37fea7e1e4673f4263cf2845b675ea50a504a66567f01

SHA512
82388333b5a56beb3f32c2baf2007806485e6df95677a75f8c919e6509cf850b2ef7f2006868978ad0c0a3ea7a2fdc364e7e7dac9fd28b62df36105f9fc5ed2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
84b470feee70025d205a0948119314e8

SHA1
be1936b6357b98de0d21c6610f4d15db947ceae4

SHA256
8defc1922ee90b8dd14ed303bd129304a1d13f21855658db117332063b5f3075

SHA512
c424d2e03cc929a2d33fb3290f358ce9b8da83d98ac51b37d0d76326e5cde2a4b1803ef505238f7a0c2ce7f69deefd33b8d5a112137b68e84fff35d75cb9e7fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V0100003.log

Filesize
512KB

MD5
0b2d7ddfd883c98aec72bcc94016b15a

SHA1
a2649316db1f4cb2062e517470ce467a2f97fa01

SHA256
e46b66846fd2e73a640a3bb32df8e6f35e1464dc44f318f8f55515fa58b80cac

SHA512
0c2612d4008d571025ff9ebba1d0f62bcf52c963614346de332c2a93ce28c872f663ff439bc43a51f5f5a4d78049e132a65fc622635308f3f7542c7afaceaa5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
481a736233a5005934c302fa622ba4bd

SHA1
8105575bc539345f5e36f41c8f0d30b0140013e4

SHA256
03db63fc0f6b720ec767d1cf81a90362920f4b27c3e54d1689f1f01559f41129

SHA512
18b08e4348e8996ef78753d9250e402a66ef07bfc35771cf5486e7f04368d385224ab0cb62581b99afb33acb1add1c3e6dbeef1ce6fc752e77d160317be39621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
0e56d964b9e4357d9c060762450491df

SHA1
987a16099a9608454484e01275adda4bcf9b2c2c

SHA256
a55e0abcc94392e2a14cbf8196a6837c1efcfce50d1ff0d6a0599efb1bb837c0

SHA512
be778458fe7ee7d25197634771404998496c809dec4bc0b281c2e80083c78ed5b4db488dc02a6a97a25c51b7851afd7ecb86ac0365581c62985aca4ee5a01006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
544b2f2841a77ee73ea816fe33734190

SHA1
e29d37995866558ba807d092449b72bd1070e00b

SHA256
5747eae5fc26f87595c50c32210e09e12b8354fd13cb5a4e28785e268e1d6dbc

SHA512
d165f0a8a078ce637a28ae5b9e8835982fc4a2b479560e30f3cb8e87c90e068f1096c4d957c6de09a0a4380a9e1afbb5e868b12707ed32ba1e3ea3e109d3b426

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-06_253baf4a712d3bacc42c2c944c688feb_darkgate_hijackloader_luca-stealer_magniber.exe

Filesize
34.0MB

MD5
06eadb849e2ee12b9420341705924c02

SHA1
10b23245275539577fd38669bfa0084a0579ee4d

SHA256
9267b511128b7a95c767f018a7954f80ace1d3e5df3682e691b38f83bd65fc28

SHA512
ebaefdc61c81c9f5870c6867cceb7ddbd9ff320a5dd9a950fb513142b433e741ee96f104aaa247968acf56db831b974e51f2bc7c9a1f7a01718622ea701e1aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\81B75E00

Filesize
22KB

MD5
5779d432119de40fb68c3a00cfce7035

SHA1
b43501802ddb9d4a20c26f7f383c10d288dd0cf0

SHA256
13737ef840856de73a195cb3ef164c47b127d18077724215939da60b307e1dd6

SHA512
28938a5ad326adfb98efc32df685ad4c735f2f663be98e82eb1eae3965dadd154fe3f2fcc60cbcdbc6359e676dff8231e241c5e99da2baee0407d33af57821e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\config.def

Filesize
48B

MD5
a7aae01415beba879259774ff60e4e07

SHA1
a169b7b90824154893ef8ca3ceb68483e794c118

SHA256
f79e0c02b2b3cfa15324e66531a4045c465ef3dcbd739a04b3e62d7977834479

SHA512
0539a6751bd2143906fda9c9aa89a09d9d448821512b719deecbe132921f4b190f6d1165176dd907d0a0157f85573f3a5726cb6d72e717aeeb101449f9cdf6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThGtTrWW.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi_17361302753544.dll

Filesize
600KB

MD5
f637d5d3c3a60fddb5dd397556fe9b1d

SHA1
66f0c4f137870a9927400ea00facc00193ef21e3

SHA256
641b843cb6ee7538ec267212694c9ef0616b9ac9ab14a0abd7cf020678d50b02

SHA512
e96984f2f9c6858e989f10fd8e71b09a8a640c9be2fb87ac1692d9bca7107d7a837f8fbdcc46c01a6107dd9020994c5a6f975b7e16434e9b2bf1c43b1f0d8b31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/740-267-0x0000000000400000-0x00000000026C6000-memory.dmp

Filesize
34.8MB

Download
memory/3536-136-0x0000000000400000-0x00000000026C6000-memory.dmp

Filesize
34.8MB

Download
memory/3536-0-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/3544-121-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/3544-72-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/3544-73-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/3544-122-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/3544-282-0x000000000D0F0000-0x000000000D100000-memory.dmp

Filesize
64KB

Download
memory/3544-288-0x000000000D330000-0x000000000D340000-memory.dmp

Filesize
64KB

Download
memory/3544-71-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3544-70-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/3544-123-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/3544-124-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3720-198-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3720-205-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/3720-197-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/3720-209-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3720-208-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/3720-207-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/3720-206-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/3720-200-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/4424-199-0x00007FF97BC50000-0x00007FF97BC60000-memory.dmp

Filesize
64KB

Download
memory/4424-203-0x00007FF97BC50000-0x00007FF97BC60000-memory.dmp

Filesize
64KB

Download
memory/4424-204-0x00007FF97BC50000-0x00007FF97BC60000-memory.dmp

Filesize
64KB

Download
memory/4424-215-0x00007FF979500000-0x00007FF979510000-memory.dmp

Filesize
64KB

Download
memory/4424-202-0x00007FF97BC50000-0x00007FF97BC60000-memory.dmp

Filesize
64KB

Download
memory/4424-201-0x00007FF97BC50000-0x00007FF97BC60000-memory.dmp

Filesize
64KB

Download
memory/4424-214-0x00007FF979500000-0x00007FF979510000-memory.dmp

Filesize
64KB

Download