darkgate | ab10d6a94cfc9f50a933fd3d1b3b520a050b9aa608e8c41fd756a6e748fc2f08

General

Target

iTunesHelper.exe
Size

358KB
MD5

ed6a1c72a75dee15a6fa75873cd64975
SHA1

67a15ca72e3156f8be6c46391e184087e47f4a0d
SHA256

0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda
SHA512

256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03
SSDEEP

6144:TjZtNtzxEFQVLEhZbblN4W6ZDNFfEai23+FM2+zIv+98vS:ZRxMQLEhZXybF8Ut4o8a

Score

10^/10

darkgate admin888 discovery execution stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

prodomainnameeforappru.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
false
c2_port
443
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
WeBiMyRU
minimum_disk
50
minimum_ram
7000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral2/memory/2296-11-0x0000000005440000-0x000000000579B000-memory.dmp	family_darkgate_v6
behavioral2/memory/2296-14-0x0000000005440000-0x000000000579B000-memory.dmp	family_darkgate_v6

Command and Scripting Interpreter: AutoIT 1 TTPs 2 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
2296	Autoit3.exe
2748	Autoit3.exe

Executes dropped EXE 2 IoCs

pid	Process
2296	Autoit3.exe
2748	Autoit3.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2296	2792	iTunesHelper.exe	82
PID 2792 wrote to memory of 2296	2792	iTunesHelper.exe	82
PID 2792 wrote to memory of 2296	2792	iTunesHelper.exe	82
PID 1376 wrote to memory of 2748	1376	iTunesHelper.exe	101
PID 1376 wrote to memory of 2748	1376	iTunesHelper.exe	101
PID 1376 wrote to memory of 2748	1376	iTunesHelper.exe	101

C:\Users\Admin\AppData\Local\Temp\iTunesHelper.exe
"C:\Users\Admin\AppData\Local\Temp\iTunesHelper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- \??\c:\temp\Autoit3.exe
  "c:\temp\Autoit3.exe" c:\temp\script.a3x
  2⤵
  - Command and Scripting Interpreter: AutoIT
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:2296

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\iTunesHelper.exe
"C:\Users\Admin\AppData\Local\Temp\iTunesHelper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1376
- \??\c:\temp\Autoit3.exe
  "c:\temp\Autoit3.exe" c:\temp\script.a3x
  2⤵
  - Command and Scripting Interpreter: AutoIT
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

AutoHotKey & AutoIT

1

T1059.010

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AbBEEaa

Filesize
32B

MD5
788bdda33c8887645e07e7f5cfdd5235

SHA1
8aad7e56b0d5c509b3448180842300624d807a58

SHA256
a0f6cf4599168455cd0f71cde473f4e5bc33abf530625b675e04b50a99b6a52f

SHA512
27a568d86fffe9f1c4f07843dc68bda5e483632e22d3ef82e86351470951eb05985d9bc0b4382d63300682ea677fa0c7fd04033a2d16654e7e304dc885c7634b

Download Submit
C:\temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\script.a3x

Filesize
474KB

MD5
6354b28ac4bc8fa465d80c3ea3893116

SHA1
0eea737ad0a1a0cb5c3f14279a05d1fba6c6216d

SHA256
9515b7b3ebe97e51842be2e91241f0332916d6ec8aecb767ba418de4d21f57f7

SHA512
6150a7b646326f01118535c2469628de79e20b7461dccf44a2311d0c1f7e4ed2d8523e7671e26d9c843fabce2946ea33adf4cc4e6acfd3216e1e06cdc1efa53b

Download Submit
\??\c:\temp\test.txt

Filesize
76B

MD5
45306f5622da212035662680f1c09e0e

SHA1
a89ae25df7b6bc8a30c4dcfdc267cf912e17f1bb

SHA256
2a5eaa4fb540232306ee036ed870369570744b34d8bd17743293e4763d19933e

SHA512
99c9a4c77b346cf95930575fdb6a0c7ef4fe3cc75831e8f4c5d8114d0b35ff8c7fa6ca4f4dca6b34b53bd133766565318da0904fb467f88a1d7f47d0577115b0

Download Submit
memory/1376-26-0x000000006DA60000-0x000000006DE08000-memory.dmp

Filesize
3.7MB

Download
memory/2296-10-0x0000000003F50000-0x0000000004F20000-memory.dmp

Filesize
15.8MB

Download
memory/2296-11-0x0000000005440000-0x000000000579B000-memory.dmp

Filesize
3.4MB

Download
memory/2296-14-0x0000000005440000-0x000000000579B000-memory.dmp

Filesize
3.4MB

Download
memory/2792-0-0x000002AC3D280000-0x000002AC3D420000-memory.dmp

Filesize
1.6MB

Download
memory/2792-13-0x000002AC3D280000-0x000002AC3D420000-memory.dmp

Filesize
1.6MB

Download
memory/2792-12-0x000000006DA60000-0x000000006DE08000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing