darkgate | 07193b01c5787e5b105cf683dea272f98cd9d049a6d15309c1c1470af29f7775

Resubmissions

20-01-2025 10:46

250120-mvfzsavrfl 10

20-01-2025 10:44

250120-msy3ksvpav 10

Analysis

max time kernel
109s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4.exe
Size

3.0MB
MD5

23bf3de50090db1ed82a2def00c5ffb7
SHA1

0fdb26c6202acb33eea938da1a492504035ff8c1
SHA256

4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4
SHA512

d3e76bac82a243f953cb325b56ab37ac7297571caf82045adcec92b6918ed3a6d775d7838328cdeec72b7178180c0aea98a9a4f5ac1c97d2d66de07af6038553
SSDEEP

49152:539fvhv48oM1tSkH+mO5MnkPSf+WE3X4izV4olmSFYH0upWbnGDVBe1AGLZ3yZDY:dpZRdUOkPYE35V4olmSFYUupW6ezLZ3N

Score

10^/10

darkgate drk2 discovery execution persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

drk2

179.60.149.194

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
rsFxMyDX
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
drk2

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 11 IoCs

resource	yara_rule
behavioral2/memory/3280-9-0x0000000004170000-0x00000000044C5000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-20-0x0000000002E50000-0x00000000035F2000-memory.dmp	family_darkgate_v6
behavioral2/memory/3280-23-0x0000000004170000-0x00000000044C5000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-26-0x0000000002E50000-0x00000000035F2000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-33-0x0000000002E50000-0x00000000035F2000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-34-0x0000000002E50000-0x00000000035F2000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-35-0x0000000002E50000-0x00000000035F2000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-36-0x0000000002E50000-0x00000000035F2000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-32-0x0000000002E50000-0x00000000035F2000-memory.dmp	family_darkgate_v6
behavioral2/memory/856-37-0x00000000023E0000-0x0000000002B82000-memory.dmp	family_darkgate_v6
behavioral2/memory/2024-38-0x0000000002E50000-0x00000000035F2000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 3280 created 2816	3280	Autoit3.exe	76
PID 3280 created 3972	3280	Autoit3.exe	59
PID 3280 created 4048	3280	Autoit3.exe	60
PID 2024 created 2552	2024	GoogleUpdateCore.exe	44

Executes dropped EXE 1 IoCs

pid	Process
3280	Autoit3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfaafak = "\"C:\\ProgramData\\ddfaecc\\Autoit3.exe\" C:\\ProgramData\\ddfaecc\\bbbkadc.a3x"	GoogleUpdateCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfaafak = "\"C:\\ProgramData\\ddfaecc\\Autoit3.exe\" C:\\ProgramData\\ddfaecc\\bbbkadc.a3x"	GoogleUpdateCore.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
3280	Autoit3.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3280	Autoit3.exe
3280	Autoit3.exe
3280	Autoit3.exe
3280	Autoit3.exe
3280	Autoit3.exe
3280	Autoit3.exe
3280	Autoit3.exe
3280	Autoit3.exe
2024	GoogleUpdateCore.exe
2024	GoogleUpdateCore.exe
2024	GoogleUpdateCore.exe
2024	GoogleUpdateCore.exe
856	GoogleUpdateCore.exe
856	GoogleUpdateCore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2024	GoogleUpdateCore.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4496	WMIC.exe
Token: SeSecurityPrivilege	4496	WMIC.exe
Token: SeTakeOwnershipPrivilege	4496	WMIC.exe
Token: SeLoadDriverPrivilege	4496	WMIC.exe
Token: SeSystemProfilePrivilege	4496	WMIC.exe
Token: SeSystemtimePrivilege	4496	WMIC.exe
Token: SeProfSingleProcessPrivilege	4496	WMIC.exe
Token: SeIncBasePriorityPrivilege	4496	WMIC.exe
Token: SeCreatePagefilePrivilege	4496	WMIC.exe
Token: SeBackupPrivilege	4496	WMIC.exe
Token: SeRestorePrivilege	4496	WMIC.exe
Token: SeShutdownPrivilege	4496	WMIC.exe
Token: SeDebugPrivilege	4496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4496	WMIC.exe
Token: SeRemoteShutdownPrivilege	4496	WMIC.exe
Token: SeUndockPrivilege	4496	WMIC.exe
Token: SeManageVolumePrivilege	4496	WMIC.exe
Token: 33	4496	WMIC.exe
Token: 34	4496	WMIC.exe
Token: 35	4496	WMIC.exe
Token: 36	4496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4496	WMIC.exe
Token: SeSecurityPrivilege	4496	WMIC.exe
Token: SeTakeOwnershipPrivilege	4496	WMIC.exe
Token: SeLoadDriverPrivilege	4496	WMIC.exe
Token: SeSystemProfilePrivilege	4496	WMIC.exe
Token: SeSystemtimePrivilege	4496	WMIC.exe
Token: SeProfSingleProcessPrivilege	4496	WMIC.exe
Token: SeIncBasePriorityPrivilege	4496	WMIC.exe
Token: SeCreatePagefilePrivilege	4496	WMIC.exe
Token: SeBackupPrivilege	4496	WMIC.exe
Token: SeRestorePrivilege	4496	WMIC.exe
Token: SeShutdownPrivilege	4496	WMIC.exe
Token: SeDebugPrivilege	4496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4496	WMIC.exe
Token: SeRemoteShutdownPrivilege	4496	WMIC.exe
Token: SeUndockPrivilege	4496	WMIC.exe
Token: SeManageVolumePrivilege	4496	WMIC.exe
Token: 33	4496	WMIC.exe
Token: 34	4496	WMIC.exe
Token: 35	4496	WMIC.exe
Token: 36	4496	WMIC.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 3280	4488	4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4.exe	82
PID 4488 wrote to memory of 3280	4488	4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4.exe	82
PID 4488 wrote to memory of 3280	4488	4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4.exe	82
PID 3280 wrote to memory of 2288	3280	Autoit3.exe	83
PID 3280 wrote to memory of 2288	3280	Autoit3.exe	83
PID 3280 wrote to memory of 2288	3280	Autoit3.exe	83
PID 2288 wrote to memory of 4496	2288	cmd.exe	85
PID 2288 wrote to memory of 4496	2288	cmd.exe	85
PID 2288 wrote to memory of 4496	2288	cmd.exe	85
PID 3280 wrote to memory of 2024	3280	Autoit3.exe	90
PID 3280 wrote to memory of 2024	3280	Autoit3.exe	90
PID 3280 wrote to memory of 2024	3280	Autoit3.exe	90
PID 3280 wrote to memory of 2024	3280	Autoit3.exe	90
PID 2024 wrote to memory of 856	2024	GoogleUpdateCore.exe	91
PID 2024 wrote to memory of 856	2024	GoogleUpdateCore.exe	91
PID 2024 wrote to memory of 856	2024	GoogleUpdateCore.exe	91
PID 2024 wrote to memory of 856	2024	GoogleUpdateCore.exe	91

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2552
- C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:856

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3972

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4048
- C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2024

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4.exe
"C:\Users\Admin\AppData\Local\Temp\4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4488
- \??\c:\temp\test\Autoit3.exe
  "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Command and Scripting Interpreter: AutoIT
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3280
- - \??\c:\windows\SysWOW64\cmd.exe
    "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ddfaecc\cdgdkee
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get domain
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ddfaecc\cdgdkee

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\ProgramData\ddfaecc\heeabaa

Filesize
1KB

MD5
9246b2321762df00f8491ce499505033

SHA1
c5ee681c81806d18e76304668fcbaac2e543d9e1

SHA256
d514afadaeadd1a46eaaa5c7d1abd0c3fdc0fccfcb04a93df1da52cce64de061

SHA512
e9fdacda68ab93a16322e2a66d98bbcfcb8cfb57b460d604ff37489eacaa56ca5ca35a8bbe2bee46047110c6972450507df9a1897f4ae72a656a0deb10eb9c27

Download Submit
C:\Users\Admin\AppData\Roaming\HAEKCch

Filesize
32B

MD5
8e0d47b7cebd095a78491343f9c2e468

SHA1
c224bda3226933a50504891afeea91f73b45095d

SHA256
c224462ee7e3dcc944a40782c71e5ca69423c9159c92f7af7e3f3cc11d1b4cd9

SHA512
44f6c1bba50938f95b591be4ab10ec44933c096fb16757bab6bc6d7e1a897defcf52c4ae3b4c42d1bca645e41d13ef1185cb262209506102a1d6ad1a8a73b0e4

Download Submit
C:\temp\ekhcgdk

Filesize
4B

MD5
23401cc46e040d9413e7445497a8dad7

SHA1
b2a2e42c8eea35fd7840fb4fc16bfb00c270955a

SHA256
f30650f59c2e75fe8153c028f9af5d0691aa2ca17ad3457d3ed526c02d6f2e38

SHA512
1218d811998fc86da40482b5c4c4a02b836fb6436fc237a5ac6674716fa3116a3c3a654913900e834e1226dbf6fc804b69171dad8f760e38ea8cce5c1767f854

Download Submit
C:\temp\ekhcgdk

Filesize
4B

MD5
c217bdbc55efa729c6c1daf368cb7785

SHA1
33c96ba69418ef7bbf5bedc9789014d87505f8cc

SHA256
26128e2cf0afb1276705ad3e6570cfc87b05eca7ce91fea2d95c7acf49092b48

SHA512
e6041ef877037d08c1a0189d26314470efc22e3b58dbe1210a1e6f083edd1bc162c79b3fb918729321df96d290fde5648ef2f6da3058af3d06d8962571180717

Download Submit
C:\temp\ffcefha

Filesize
4B

MD5
343612f984926301c631e7088205effa

SHA1
117df7d34e3ef4843dc3e833ecaf66c59be229ca

SHA256
172659a1b8cc07151b5fe6b0b1235220ae628a31b10fa08ad8b3c794e500fe4a

SHA512
4e735095a0a4ce85b93cd14af823314d7c919a9f82c3ca33e63bac2128176bf11ce2581700ac6c5e2c316b35796200898ae61fae99049fc1a379d01b02eca6b2

Download Submit
C:\temp\test\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\test\script.a3x

Filesize
582KB

MD5
28a5b7b44a0d1f67d125d5b768bc6398

SHA1
f26b962d6fa77dd96a50709c33fbe68025926158

SHA256
bb56354cdb241de0051b7bcc7e68099e19cc2f26256af66fad69e3d2bc8a8922

SHA512
ad8f3bc9bb49563922abbbd28a5dc17a79834f6d59de340d9e4f16e933838d1a23e381ea61c6c2c64980789afd6f662ce0f0d9346abac902c0f0c4635b61e46b

Download Submit
memory/856-37-0x00000000023E0000-0x0000000002B82000-memory.dmp

Filesize
7.6MB

Download
memory/2024-20-0x0000000002E50000-0x00000000035F2000-memory.dmp

Filesize
7.6MB

Download
memory/2024-36-0x0000000002E50000-0x00000000035F2000-memory.dmp

Filesize
7.6MB

Download
memory/2024-32-0x0000000002E50000-0x00000000035F2000-memory.dmp

Filesize
7.6MB

Download
memory/2024-26-0x0000000002E50000-0x00000000035F2000-memory.dmp

Filesize
7.6MB

Download
memory/2024-35-0x0000000002E50000-0x00000000035F2000-memory.dmp

Filesize
7.6MB

Download
memory/2024-38-0x0000000002E50000-0x00000000035F2000-memory.dmp

Filesize
7.6MB

Download
memory/2024-33-0x0000000002E50000-0x00000000035F2000-memory.dmp

Filesize
7.6MB

Download
memory/2024-34-0x0000000002E50000-0x00000000035F2000-memory.dmp

Filesize
7.6MB

Download
memory/3280-9-0x0000000004170000-0x00000000044C5000-memory.dmp

Filesize
3.3MB

Download
memory/3280-23-0x0000000004170000-0x00000000044C5000-memory.dmp

Filesize
3.3MB

Download
memory/3280-8-0x0000000000DD0000-0x00000000011D0000-memory.dmp

Filesize
4.0MB

Download
memory/4488-1-0x00000000028A0000-0x0000000002A1C000-memory.dmp

Filesize
1.5MB

Download
memory/4488-5-0x00000000028A0000-0x0000000002A1C000-memory.dmp

Filesize
1.5MB

Download