General
-
Target
e92f111b8aa01289f72c66585219861e0117c9939de56741cbb234fee55536fe.exe
-
Size
4.4MB
-
Sample
250213-kk2sdsvrdn
-
MD5
d3de9b47f8ff4f23db2668f8ee287139
-
SHA1
1364d4a5afcaf3ebb147e0ff828028967800dbe3
-
SHA256
e92f111b8aa01289f72c66585219861e0117c9939de56741cbb234fee55536fe
-
SHA512
f6b4a2c922c007f91730eadf54b571107168977e79e31a902153fe553a9b2b4883aba44dbc149dbe4274cca4221cb6d53e8d75368818016e50eebbb6d920cf50
-
SSDEEP
49152:5R/KpmZubPf2S8W2ILeWl+C1p9jWy5S2d0eigXulQVvZxxgHHG8ekWeGMEOy24zI:H/jtYLP1Sy5F0AGGgVyLzKlf
Malware Config
Extracted
darkgate
traf777
66.42.96.199
-
anti_analysis
true
-
anti_debug
false
-
anti_vm
true
-
c2_port
80
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_raw_stub
false
-
internal_mutex
BrgntNGq
-
minimum_disk
100
-
minimum_ram
4096
-
ping_interval
6
-
rootkit
false
-
startup_persistence
true
-
username
traf777
Targets
-
-
Target
e92f111b8aa01289f72c66585219861e0117c9939de56741cbb234fee55536fe.exe
-
Size
4.4MB
-
MD5
d3de9b47f8ff4f23db2668f8ee287139
-
SHA1
1364d4a5afcaf3ebb147e0ff828028967800dbe3
-
SHA256
e92f111b8aa01289f72c66585219861e0117c9939de56741cbb234fee55536fe
-
SHA512
f6b4a2c922c007f91730eadf54b571107168977e79e31a902153fe553a9b2b4883aba44dbc149dbe4274cca4221cb6d53e8d75368818016e50eebbb6d920cf50
-
SSDEEP
49152:5R/KpmZubPf2S8W2ILeWl+C1p9jWy5S2d0eigXulQVvZxxgHHG8ekWeGMEOy24zI:H/jtYLP1Sy5F0AGGgVyLzKlf
Score10/10-
DarkGate
DarkGate is an infostealer written in C++.
-
Darkgate family
-
Detect DarkGate stealer
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Command and Scripting Interpreter: AutoIT
Using AutoIT for possible automate script.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Browser Extensions
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
1Component Object Model Hijacking
1