Resubmissions

20-01-2025 10:46

250120-mvfzsavrfl 10

20-01-2025 10:44

250120-msy3ksvpav 10

Analysis

  • max time kernel
    126s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-01-2025 10:44

General

  • Target

    4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4.exe

  • Size

    3.0MB

  • MD5

    23bf3de50090db1ed82a2def00c5ffb7

  • SHA1

    0fdb26c6202acb33eea938da1a492504035ff8c1

  • SHA256

    4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4

  • SHA512

    d3e76bac82a243f953cb325b56ab37ac7297571caf82045adcec92b6918ed3a6d775d7838328cdeec72b7178180c0aea98a9a4f5ac1c97d2d66de07af6038553

  • SSDEEP

    49152:539fvhv48oM1tSkH+mO5MnkPSf+WE3X4izV4olmSFYH0upWbnGDVBe1AGLZ3yZDY:dpZRdUOkPYE35V4olmSFYUupW6ezLZ3N

Malware Config

Extracted

  • Family
    darkgate
  • Botnet
    drk2
  • C2
    179.60.149.194

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    80

  • check_disk

    false

  • check_ram

    false

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    rsFxMyDX

  • minimum_disk

    100

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    drk2
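The attribute block is worth reading as a set of gates rather than as flat values: every check_* flag here is false, so the minimum_disk and minimum_ram thresholds never influence execution, which is why the sample detonated fully inside a sandbox VM. The Python below is an added illustration, not part of the sandbox report or the DarkGate code. It assumes the usual semantics (a minimum_* threshold is only compared when its check_* flag is true, RAM in MB, disk in GB) and a constructed host profile; the config values are the ones extracted above.

```python
from dataclasses import dataclass

# Values as extracted in this report; only the fields used by the gates are kept.
EXTRACTED_CONFIG = {
    "anti_analysis": False, "anti_debug": False, "anti_vm": False,
    "check_disk": False, "check_ram": False, "check_xeon": False,
    "minimum_disk": 100,   # assumed unit: GB
    "minimum_ram": 4096,   # assumed unit: MB
    "c2": "179.60.149.194", "c2_port": 80, "ping_interval": 6,
    "internal_mutex": "rsFxMyDX", "startup_persistence": True,
}


@dataclass
class HostProfile:
    """Constructed description of the machine the sample lands on."""
    ram_mb: int
    disk_gb: int
    cpu_name: str
    debugger_present: bool = False
    looks_like_vm: bool = False


def evasion_gates(config: dict, host: HostProfile) -> list:
    """Return the names of the gates that would stop execution on this host.

    A gate fires only when its check_*/anti_* flag is set; the minimum_*
    thresholds are inert otherwise (assumed semantics, see lead-in).
    """
    tripped = []
    if config["check_ram"] and host.ram_mb < config["minimum_ram"]:
        tripped.append("ram")
    if config["check_disk"] and host.disk_gb < config["minimum_disk"]:
        tripped.append("disk")
    if config["check_xeon"] and "xeon" in host.cpu_name.lower():
        tripped.append("xeon")
    if config["anti_debug"] and host.debugger_present:
        tripped.append("debugger")
    if config["anti_vm"] and host.looks_like_vm:
        tripped.append("vm")
    return tripped


def with_checks_enabled(config: dict) -> dict:
    """Hypothetical variant of the same config with every evasion flag turned on."""
    flipped = {k: True for k in config if k.startswith(("check_", "anti_"))}
    return {**config, **flipped}


# Constructed profile resembling a small analysis VM on server hardware.
SANDBOX = HostProfile(ram_mb=2048, disk_gb=60,
                      cpu_name="Intel(R) Xeon(R) CPU E5-2680", looks_like_vm=True)

if __name__ == "__main__":
    print("as extracted:", evasion_gates(EXTRACTED_CONFIG, SANDBOX) or "runs")
    print("checks on:   ", evasion_gates(with_checks_enabled(EXTRACTED_CONFIG), SANDBOX))
```

With the flags as extracted the function returns an empty list even for a 2 GB, Xeon-backed VM; the same thresholds with the flags set would have aborted on RAM, disk, CPU name and VM indicators. When triaging a DarkGate config, read the check_* flags before the minimum_* numbers.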

Signatures

  • DarkGate

    DarkGate is a loader and infostealer sold as malware-as-a-service; public analyses describe its core as Delphi-compiled rather than C++, and in this run it is staged through a dropped AutoIt3 interpreter executing a compiled .a3x script (see Processes below).

  • Darkgate family
  • Detect DarkGate stealer (9 IoCs)
  • Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)

    The caller created a process under a parent other than itself (parent PID spoofing), consistent with the two GoogleUpdateCore.exe instances appearing beneath DllHost.exe and taskhost.exe in the process tree below.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Command and Scripting Interpreter: AutoIT (1 TTP, 1 IoC)

    A dropped AutoIt3 interpreter is used to run a compiled script (here c:\temp\test\script.a3x), a common way to keep the payload logic out of static analysis.

  • System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)

    Attempts to gather information about the victim's system language in order to infer the geographical location of the host.

  • Checks processor information in registry (2 TTPs, 6 IoCs)

    Processor information is often read to detect sandbox environments (for example hypervisor or Xeon CPU names).

  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (40 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    PID:1112
    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2952

  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:288
    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
      2⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2748

  • C:\Users\Admin\AppData\Local\Temp\4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4.exe
    "C:\Users\Admin\AppData\Local\Temp\4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2172
    • \??\c:\temp\test\Autoit3.exe
      "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
      2⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Executes dropped EXE
      • Command and Scripting Interpreter: AutoIT
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2216
      • \??\c:\windows\SysWOW64\cmd.exe
        "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\kcbbdaf\dgdhabd
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2284
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic ComputerSystem get domain
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3048
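The tree shows a chain that is easy to express as process-creation rules: a dropped AutoIt3 interpreter running script.a3x out of c:\temp, cmd.exe redirecting a WMIC domain query into a random-named directory under C:\ProgramData, and two GoogleUpdateCore.exe instances whose recorded parents are DllHost.exe and taskhost.exe. The Python below is an added example and not part of the sandbox report or any vendor's detection logic. The event records are constructed from the tree above; the Sysmon-style field names (pid, image, parent_image, command_line) and the rule thresholds are assumptions made for the example.

```python
import ntpath
import re

# Paths taken from the report's process tree.
SAMPLE = "4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4.exe"
SAMPLE_PATH = ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE)
UPDATER = r"C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"

# Constructed process-creation records mirroring the tree (Sysmon EID 1-style field names are an assumption).
EVENTS = [
    {"pid": 2172, "image": SAMPLE_PATH, "parent_image": "",
     "command_line": f'"{SAMPLE_PATH}"'},
    {"pid": 2216, "image": r"c:\temp\test\Autoit3.exe", "parent_image": SAMPLE_PATH,
     "command_line": r'"c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x'},
    {"pid": 2284, "image": r"c:\windows\SysWOW64\cmd.exe", "parent_image": r"c:\temp\test\Autoit3.exe",
     "command_line": r'"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\kcbbdaf\dgdhabd'},
    {"pid": 3048, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "parent_image": r"c:\windows\SysWOW64\cmd.exe",
     "command_line": "wmic ComputerSystem get domain"},
    {"pid": 2748, "image": UPDATER, "parent_image": r"C:\Windows\system32\DllHost.exe",
     "command_line": f'"{UPDATER}"'},
    {"pid": 2952, "image": UPDATER, "parent_image": r"C:\Windows\system32\taskhost.exe",
     "command_line": f'"{UPDATER}"'},
]

USER_WRITABLE = ("c:\\temp\\", "c:\\users\\", "c:\\programdata\\")
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_HOSTS = {"taskhost.exe", "dllhost.exe"}  # the parents seen in this run; extend per environment

A3X_ARG = re.compile(r"\s(\S+\.a3x)\b", re.I)
WMIC_DOMAIN = re.compile(r"\bwmic\b.*\bcomputersystem\b.*\bget\b.*\bdomain\b", re.I)
REDIRECT_PROGRAMDATA = re.compile(r'>\s*"?c:\\programdata\\', re.I)


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_autoit_a3x_from_writable_dir(ev: dict) -> bool:
    """AutoIt3 interpreter launched with a compiled .a3x script from a user-writable directory."""
    if base(ev["image"]) != "autoit3.exe":
        return False
    m = A3X_ARG.search(ev["command_line"])
    return bool(m) and m.group(1).lower().startswith(USER_WRITABLE)


def rule_wmic_domain_recon(ev: dict) -> bool:
    """Domain discovery via 'wmic ComputerSystem get domain' (fires on the cmd.exe wrapper and on WMIC.exe)."""
    return bool(WMIC_DOMAIN.search(ev["command_line"]))


def rule_redirect_to_programdata(ev: dict) -> bool:
    """Command output redirected into the ProgramData directory, a writable staging location."""
    return bool(REDIRECT_PROGRAMDATA.search(ev["command_line"]))


def rule_program_files_child_of_system_host(ev: dict) -> bool:
    """Program Files binary whose recorded parent is a system host process; heuristic for the
    parent PID spoofing that the NtCreateUserProcessOtherParentProcess signature describes."""
    return ev["image"].lower().startswith(PROGRAM_FILES) and base(ev["parent_image"]) in SYSTEM_HOSTS


RULES = {
    "autoit_a3x_from_writable_dir": rule_autoit_a3x_from_writable_dir,
    "wmic_domain_recon": rule_wmic_domain_recon,
    "redirect_to_programdata": rule_redirect_to_programdata,
    "program_files_child_of_system_host": rule_program_files_child_of_system_host,
}


def evaluate(events: list) -> dict:
    """Map each PID to the names of the rules it triggers; PIDs with no hits are omitted."""
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits[ev["pid"]] = fired
    return hits


if __name__ == "__main__":
    for pid, fired in evaluate(EVENTS).items():
        print(pid, ", ".join(fired))
```

Run against the constructed records, the original sample (PID 2172) triggers nothing on its own; the detections come from its children, which is the usual shape for a loader. The parent-process rule is deliberately narrow (a Program Files binary under taskhost.exe or DllHost.exe) because the report does not show the spoofing call itself, only the resulting parent relationship; in production telemetry, pair it with the Run-key write the signatures list.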

      MITRE ATT&CK Enterprise v15
      Downloads

      • C:\ProgramData\kcbbdaf\dgdhabd

        Filesize

        54B

        MD5

        c8bbad190eaaa9755c8dfb1573984d81

        SHA1

        17ad91294403223fde66f687450545a2bad72af5

        SHA256

        7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

        SHA512

        05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

      • C:\ProgramData\kcbbdaf\hbadaee

        Filesize

        1KB

        MD5

        e7d641bb0b7d394cedadccfd96d6286d

        SHA1

        6212d28897ab28d78732a4a609810a5722b3fefc

        SHA256

        3bc6b009a5492acf0807b76150fe16abea16b2901ce8c9805b36fa4020176f2c

        SHA512

        d1a5afa541ebe8883794b9ff5e4563ddada6ea36b8c713881a627911e63f86344e38d3cb1c8dc62a851992859964c8549b4f2106477a83e6661c21aa9efa0723

      • C:\Users\Admin\AppData\Roaming\aAEcCab

        Filesize

        32B

        MD5

        415a543b3f578f828a5b08f86f3081ce

        SHA1

        0c80c280abaf09f974147f9433efbbf22d99e0dc

        SHA256

        1e8c72ed28f236039649148223251685fba7dbb42edeb63b262997581aa2d01c

        SHA512

        cdb202d1e5554ecec56641bc62579a483774cc614718e5b527c6bcc9040a670a9162bc911b7e35058584c84dad95f0fa422b2a2d52bdc5a65f41f861c93dd4ad

      • C:\temp\aedcfhf

        Filesize

        4B

        MD5

        515e7a3e591375a6955a40ef78a052c0

        SHA1

        c366188818b87f88da03a6f0572c3dd5e6c167f5

        SHA256

        d73e07a4e3b5d2603180d92fcb7a354ea0ad65a95227bab274158862cd30a029

        SHA512

        a94cac2b7a242db3b6f75761c0373a013ea3ee5c51dcc5b69382736eaebd509dc500b142c83985ea95f4af55b0ed50869a56c0bf482a2f312ad783e87ce464a5

      • C:\temp\aedcfhf

        Filesize

        4B

        MD5

        399c3623be8115ad4a18bbe255e699eb

        SHA1

        b789779bad01385458bfdde428a5fb85b9c30bdd

        SHA256

        3937c0c54d1dfd20f07d92d822702257989c414d89bffdf3e7ed64bed769f015

        SHA512

        b453f14dcc41a00627757a79c3a6123fc17d04963125b7c86b0eaf84855e3c214270ab330fcb0cb25a4c51e4d765fb345ab49cfa651453fded772b9486975788

      • C:\temp\hfdhehd

        Filesize

        4B

        MD5

        62e7e15017817fde7d510e134ba24e12

        SHA1

        21d6bedc8a9fe11c2f7b8351835b48389ba82f63

        SHA256

        79050c22230ff0e6cb1e46af4755ab7bd3d2e774a61ad00f515a974cdeff2227

        SHA512

        8fbf3bf23b23eaee8a3297bfcfc37cad855bc7dc00778a3337575e34084b0332bab0d2da92c45dc9b6e5317629a593f59b43b22028c087bbc94474c3d8ebaa32

      • C:\temp\test\Autoit3.exe

        Filesize

        872KB

        MD5

        c56b5f0201a3b3de53e561fe76912bfd

        SHA1

        2a4062e10a5de813f5688221dbeb3f3ff33eb417

        SHA256

        237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

        SHA512

        195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      • \??\c:\temp\test\script.a3x

        Filesize

        582KB

        MD5

        28a5b7b44a0d1f67d125d5b768bc6398

        SHA1

        f26b962d6fa77dd96a50709c33fbe68025926158

        SHA256

        bb56354cdb241de0051b7bcc7e68099e19cc2f26256af66fad69e3d2bc8a8922

        SHA512

        ad8f3bc9bb49563922abbbd28a5dc17a79834f6d59de340d9e4f16e933838d1a23e381ea61c6c2c64980789afd6f662ce0f0d9346abac902c0f0c4635b61e46b

      • memory/2172-7-0x00000000024E0000-0x000000000265C000-memory.dmp

        Filesize

        1.5MB

      • memory/2172-1-0x00000000024E0000-0x000000000265C000-memory.dmp

        Filesize

        1.5MB

      • memory/2216-12-0x0000000003090000-0x00000000033E5000-memory.dmp

        Filesize

        3.3MB

      • memory/2216-24-0x0000000003090000-0x00000000033E5000-memory.dmp

        Filesize

        3.3MB

      • memory/2216-11-0x00000000007F0000-0x0000000000BF0000-memory.dmp

        Filesize

        4.0MB

      • memory/2748-27-0x0000000001F10000-0x00000000026B2000-memory.dmp

        Filesize

        7.6MB

      • memory/2748-34-0x0000000001F10000-0x00000000026B2000-memory.dmp

        Filesize

        7.6MB

      • memory/2748-35-0x0000000001F10000-0x00000000026B2000-memory.dmp

        Filesize

        7.6MB

      • memory/2748-36-0x0000000001F10000-0x00000000026B2000-memory.dmp

        Filesize

        7.6MB

      • memory/2748-33-0x0000000001F10000-0x00000000026B2000-memory.dmp

        Filesize

        7.6MB

      • memory/2748-37-0x0000000001F10000-0x00000000026B2000-memory.dmp

        Filesize

        7.6MB

      • memory/2952-38-0x0000000001F10000-0x00000000026B2000-memory.dmp

        Filesize

        7.6MB