darkgate | 07193b01c5787e5b105cf683dea272f98cd9d049a6d15309c1c1470af29f7775

Resubmissions

20-01-2025 10:46

250120-mvfzsavrfl 10

20-01-2025 10:44

250120-msy3ksvpav 10

Analysis

max time kernel
135s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4.exe
Size

3.0MB
MD5

23bf3de50090db1ed82a2def00c5ffb7
SHA1

0fdb26c6202acb33eea938da1a492504035ff8c1
SHA256

4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4
SHA512

d3e76bac82a243f953cb325b56ab37ac7297571caf82045adcec92b6918ed3a6d775d7838328cdeec72b7178180c0aea98a9a4f5ac1c97d2d66de07af6038553
SSDEEP

49152:539fvhv48oM1tSkH+mO5MnkPSf+WE3X4izV4olmSFYH0upWbnGDVBe1AGLZ3yZDY:dpZRdUOkPYE35V4olmSFYUupW6ezLZ3N

Score

10^/10

darkgate drk2 discovery execution persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

drk2

179.60.149.194

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
rsFxMyDX
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
drk2

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 11 IoCs

resource	yara_rule
behavioral1/memory/1996-10-0x00000000043D0000-0x0000000004725000-memory.dmp	family_darkgate_v6
behavioral1/memory/5072-22-0x0000000003020000-0x00000000037C2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1996-23-0x00000000043D0000-0x0000000004725000-memory.dmp	family_darkgate_v6
behavioral1/memory/5072-26-0x0000000003020000-0x00000000037C2000-memory.dmp	family_darkgate_v6
behavioral1/memory/5072-33-0x0000000003020000-0x00000000037C2000-memory.dmp	family_darkgate_v6
behavioral1/memory/5072-34-0x0000000003020000-0x00000000037C2000-memory.dmp	family_darkgate_v6
behavioral1/memory/5072-36-0x0000000003020000-0x00000000037C2000-memory.dmp	family_darkgate_v6
behavioral1/memory/5072-35-0x0000000003020000-0x00000000037C2000-memory.dmp	family_darkgate_v6
behavioral1/memory/5072-32-0x0000000003020000-0x00000000037C2000-memory.dmp	family_darkgate_v6
behavioral1/memory/1904-37-0x0000000002CD0000-0x0000000003472000-memory.dmp	family_darkgate_v6
behavioral1/memory/5072-38-0x0000000003020000-0x00000000037C2000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1996 created 2680	1996	Autoit3.exe	52
PID 5072 created 3728	5072	GoogleUpdateCore.exe	58

Executes dropped EXE 1 IoCs

pid	Process
1996	Autoit3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeadkk = "\"C:\\ProgramData\\kccgfdh\\Autoit3.exe\" C:\\ProgramData\\kccgfdh\\afhdedc.a3x"	GoogleUpdateCore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deeadkk = "\"C:\\ProgramData\\kccgfdh\\Autoit3.exe\" C:\\ProgramData\\kccgfdh\\afhdedc.a3x"	GoogleUpdateCore.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
1996	Autoit3.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GoogleUpdateCore.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1996	Autoit3.exe
1996	Autoit3.exe
1996	Autoit3.exe
1996	Autoit3.exe
5072	GoogleUpdateCore.exe
5072	GoogleUpdateCore.exe
5072	GoogleUpdateCore.exe
5072	GoogleUpdateCore.exe
1904	GoogleUpdateCore.exe
1904	GoogleUpdateCore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5072	GoogleUpdateCore.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4864	WMIC.exe
Token: SeSecurityPrivilege	4864	WMIC.exe
Token: SeTakeOwnershipPrivilege	4864	WMIC.exe
Token: SeLoadDriverPrivilege	4864	WMIC.exe
Token: SeSystemProfilePrivilege	4864	WMIC.exe
Token: SeSystemtimePrivilege	4864	WMIC.exe
Token: SeProfSingleProcessPrivilege	4864	WMIC.exe
Token: SeIncBasePriorityPrivilege	4864	WMIC.exe
Token: SeCreatePagefilePrivilege	4864	WMIC.exe
Token: SeBackupPrivilege	4864	WMIC.exe
Token: SeRestorePrivilege	4864	WMIC.exe
Token: SeShutdownPrivilege	4864	WMIC.exe
Token: SeDebugPrivilege	4864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4864	WMIC.exe
Token: SeRemoteShutdownPrivilege	4864	WMIC.exe
Token: SeUndockPrivilege	4864	WMIC.exe
Token: SeManageVolumePrivilege	4864	WMIC.exe
Token: 33	4864	WMIC.exe
Token: 34	4864	WMIC.exe
Token: 35	4864	WMIC.exe
Token: 36	4864	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4864	WMIC.exe
Token: SeSecurityPrivilege	4864	WMIC.exe
Token: SeTakeOwnershipPrivilege	4864	WMIC.exe
Token: SeLoadDriverPrivilege	4864	WMIC.exe
Token: SeSystemProfilePrivilege	4864	WMIC.exe
Token: SeSystemtimePrivilege	4864	WMIC.exe
Token: SeProfSingleProcessPrivilege	4864	WMIC.exe
Token: SeIncBasePriorityPrivilege	4864	WMIC.exe
Token: SeCreatePagefilePrivilege	4864	WMIC.exe
Token: SeBackupPrivilege	4864	WMIC.exe
Token: SeRestorePrivilege	4864	WMIC.exe
Token: SeShutdownPrivilege	4864	WMIC.exe
Token: SeDebugPrivilege	4864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4864	WMIC.exe
Token: SeRemoteShutdownPrivilege	4864	WMIC.exe
Token: SeUndockPrivilege	4864	WMIC.exe
Token: SeManageVolumePrivilege	4864	WMIC.exe
Token: 33	4864	WMIC.exe
Token: 34	4864	WMIC.exe
Token: 35	4864	WMIC.exe
Token: 36	4864	WMIC.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 1996	1116	4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4.exe	90
PID 1116 wrote to memory of 1996	1116	4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4.exe	90
PID 1116 wrote to memory of 1996	1116	4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4.exe	90
PID 1996 wrote to memory of 1104	1996	Autoit3.exe	94
PID 1996 wrote to memory of 1104	1996	Autoit3.exe	94
PID 1996 wrote to memory of 1104	1996	Autoit3.exe	94
PID 1104 wrote to memory of 4864	1104	cmd.exe	96
PID 1104 wrote to memory of 4864	1104	cmd.exe	96
PID 1104 wrote to memory of 4864	1104	cmd.exe	96
PID 1996 wrote to memory of 5072	1996	Autoit3.exe	98
PID 1996 wrote to memory of 5072	1996	Autoit3.exe	98
PID 1996 wrote to memory of 5072	1996	Autoit3.exe	98
PID 1996 wrote to memory of 5072	1996	Autoit3.exe	98
PID 5072 wrote to memory of 1904	5072	GoogleUpdateCore.exe	99
PID 5072 wrote to memory of 1904	5072	GoogleUpdateCore.exe	99
PID 5072 wrote to memory of 1904	5072	GoogleUpdateCore.exe	99
PID 5072 wrote to memory of 1904	5072	GoogleUpdateCore.exe	99

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2680
- C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:5072

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3728
- C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1904

C:\Users\Admin\AppData\Local\Temp\4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4.exe
"C:\Users\Admin\AppData\Local\Temp\4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1116
- \??\c:\temp\test\Autoit3.exe
  "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Command and Scripting Interpreter: AutoIT
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1996
- - \??\c:\windows\SysWOW64\cmd.exe
    "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\kccgfdh\fahfabd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get domain
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kccgfdh\aebdhhf

Filesize
1KB

MD5
b9ca09e7ae36a43ab5dd6c258b217615

SHA1
d0a0c0a53144f7bd7e5419b6c139e2026757a7fa

SHA256
776aebdab60f452bdf7d276a4970397d5b6859abdf2e08ccf5c95f318d170f77

SHA512
abbcfcf715d37ecbdf949ec74f124e46f8ad139f1200e8d106d7fbecdff67a4fd3c50dc05f00eb9ae7cce466c6cb91e771cab05bf9acf6a65ee54ca31583a845

Download Submit
C:\ProgramData\kccgfdh\fahfabd

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\Users\Admin\AppData\Roaming\DHBahED

Filesize
32B

MD5
7b4a9224796855b1e7818cfac0590ae4

SHA1
24035165d0a54da7213ec37a3c072e89238f03bf

SHA256
30e5474f507e86b3a175454f3fd65ae37a3cb670109da8ce282f5b4c11d19be5

SHA512
926a7fd835ede5d65ff4ace8c56720b7a1a465c1ab84a5449378cd4e6e423a3f64f0b8f802b0808b670cd28809ab7e41fcd284ad65419393929c8539a7857cc4

Download Submit
C:\temp\ccecaba

Filesize
4B

MD5
f16af9b1af40306ca3d45c1bd14fd0c2

SHA1
3c624d3174189e81465cc8b877b727160f15b935

SHA256
04b83c107219ed2451768d6f1164a2bdc9386c7e73ff8a059b1fb7ddce20dba5

SHA512
fc6e982ca7facdfac1df654ba1bf773a44f6f9abf127467bd16e42cdd60583352b27951be54e300347309ba2de4a6a2d5f42a475dfe80ab8c1f22ea859707244

Download Submit
C:\temp\cfhddca

Filesize
4B

MD5
f987a0c5d4c5854ab075852a62006ecd

SHA1
82f08834d27c514c7bf24013b0ae3ea8da59af4a

SHA256
de09c43ea4dc52bea3a5915eba4e3d41551ed2380f009ae4ab0620f25878329e

SHA512
bc9222bab916fd20cd39f66472e9a6771484460e44d8bc68503599b9ab364fc03167a7ed574b225cf0047f2a4f2c50ec88346c6363614732c72f372b041b4d7a

Download Submit
C:\temp\cfhddca

Filesize
4B

MD5
d08e263115380ccacff95ad28a5870eb

SHA1
85a3264451d0250ee27edd7da8ba958cd4d4c3fc

SHA256
d4bc98d57c9f001a13a5cc2b33ea2ff380173e9e4d646c3cbc3b2053df0aed98

SHA512
09a96f07d44d7f31a974d983e1dd3c3cb12fe8f6f9e24417bfb0478dc14f16600113d63dd5580d5e2b21813731a2003248424fe69126b41e6285e5328fd960e3

Download Submit
C:\temp\test\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\test\script.a3x

Filesize
582KB

MD5
28a5b7b44a0d1f67d125d5b768bc6398

SHA1
f26b962d6fa77dd96a50709c33fbe68025926158

SHA256
bb56354cdb241de0051b7bcc7e68099e19cc2f26256af66fad69e3d2bc8a8922

SHA512
ad8f3bc9bb49563922abbbd28a5dc17a79834f6d59de340d9e4f16e933838d1a23e381ea61c6c2c64980789afd6f662ce0f0d9346abac902c0f0c4635b61e46b

Download Submit
memory/1116-6-0x0000000002850000-0x00000000029CC000-memory.dmp

Filesize
1.5MB

Download
memory/1116-1-0x0000000002850000-0x00000000029CC000-memory.dmp

Filesize
1.5MB

Download
memory/1904-37-0x0000000002CD0000-0x0000000003472000-memory.dmp

Filesize
7.6MB

Download
memory/1996-23-0x00000000043D0000-0x0000000004725000-memory.dmp

Filesize
3.3MB

Download
memory/1996-10-0x00000000043D0000-0x0000000004725000-memory.dmp

Filesize
3.3MB

Download
memory/1996-8-0x00000000011B0000-0x00000000015B0000-memory.dmp

Filesize
4.0MB

Download
memory/5072-22-0x0000000003020000-0x00000000037C2000-memory.dmp

Filesize
7.6MB

Download
memory/5072-26-0x0000000003020000-0x00000000037C2000-memory.dmp

Filesize
7.6MB

Download
memory/5072-33-0x0000000003020000-0x00000000037C2000-memory.dmp

Filesize
7.6MB

Download
memory/5072-34-0x0000000003020000-0x00000000037C2000-memory.dmp

Filesize
7.6MB

Download
memory/5072-36-0x0000000003020000-0x00000000037C2000-memory.dmp

Filesize
7.6MB

Download
memory/5072-35-0x0000000003020000-0x00000000037C2000-memory.dmp

Filesize
7.6MB

Download
memory/5072-32-0x0000000003020000-0x00000000037C2000-memory.dmp

Filesize
7.6MB

Download
memory/5072-38-0x0000000003020000-0x00000000037C2000-memory.dmp

Filesize
7.6MB

Download