Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
27-01-2025 04:16
General
-
Target
6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea.exe
-
Size
4.1MB
-
MD5
998cd2e474751b5de344562b4ddb39e2
-
SHA1
70ee02a76510b0757e3b26ffd98834f0d259f9d4
-
SHA256
6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea
-
SHA512
e69e703c79e9c151245cef8caaa18b30fc2992c72e98b2e197239eb439837ee3c5d446e99f117f4aec0dc56527fd943949e62bbaadd43e123d83d53ad09f43e7
-
SSDEEP
49152:gR/KpmZubPf2S8W2ILeWl+C1pNjWy5Snd0eigXNG/2KyT0aXgkKdOcUP6CVjyusJ:G/jtYLP16y5E04Za1UP6mod
Malware Config
Extracted
darkgate
user1
155.138.149.77
-
anti_analysis
true
-
anti_debug
false
-
anti_vm
true
-
c2_port
80
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_raw_stub
false
-
internal_mutex
sDcGdADE
-
minimum_disk
100
-
minimum_ram
4096
-
ping_interval
6
-
rootkit
false
-
startup_persistence
true
-
username
user1
Signatures
-
DarkGate
DarkGate is an infostealer written in C++.
-
Darkgate family
-
Detect DarkGate stealer 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs
Using AutoIT for possible automate script.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea.exe"C:\Users\Admin\AppData\Local\Temp\6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\temp\test\Autoit3.exe"c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x2⤵
- Executes dropped EXE
- Command and Scripting Interpreter: AutoIT
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\cmd.exe"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\bdffbaa\agahdda3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic ComputerSystem get domain4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54B
MD5c8bbad190eaaa9755c8dfb1573984d81
SHA117ad91294403223fde66f687450545a2bad72af5
SHA2567f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac
SHA51205f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
584KB
MD5b94c5e38bbf4b6ef11e0442ce58c3131
SHA100b5a444bc5e52f7dd9753383317eb2497ec4b38
SHA256037e15b09413722b48802e6268848d0698b9ed468cd447b40e31efa5cdb3c313
SHA512546c148fafd8298f79bf0b02c707ab88f5e15b099903ed725d11df6345f2a73121bb385e5e094a8ef2a165284a760c104cd03b25804cc55b11a6f22b64a90914
-
Filesize
30.1MB
-
Filesize
30.1MB
-
Filesize
4.1MB
-
Filesize
4.0MB
-
Filesize
3.3MB
-
Filesize
3.3MB