Managed XDR

backup-message-192.168.200.6_9045-29000.eml (DarkGate) — malware analysis report

File info

Filename
backup-message-192.168.200.6_9045-29000.eml
File type
RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
File size
10.6 MB
First seen
Last seen

Environment

w10/x64 en

Hashes

SHA1
a2265c8bd789cc4c49a1b797cbc0b2a37d04dd21
SHA256
565bec0d71b0731225042f544472041f6c84ade749cb3a2063acf451e3a6f01d
MD5
e4658de40347383619b4251d7b39e5d1

Malwares

  • DarkGate

Signatures

Execution

T1059 autoit: AutoIt script execution detected
T1047 antivm_wmi: Uses WMI to detect virtual environment
T1106 susp_callbacks: Suspicious usage of some WinAPI with callbacks
T1059.006 drops_python_dll: Drops python DLL

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_generic_cpu: Checks the CPU name, possibly for anti-virtualization
T1497.001 antisandbox_productid: Obtains Windows ProductID, probably to fingerprint a sandbox
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization
T1497.001 antivm_queries_computername: Retrieves the computer name
T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Discovery

T1497.001 antivm_generic_cpu: Checks the CPU name, possibly for anti-virtualization
T1497.001 antisandbox_productid: Obtains Windows ProductID, probably to fingerprint a sandbox
T1518.001 antiav_detectfile: Attempts to detect installed antiviruses by a certain directory
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1057 process_interest: Enumerates processes
T1518 locates_browser: Attempts to identify where browsers are installed
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization
T1497.001 antivm_queries_computername: Retrieves the computer name
T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity

Other

yara_rules: Static rules
drops_interpreter: Creates interpreter binary file
creates_exe: Creates executable files in the file system
creates_doc: Creates (office) documents in the file system
executes_dropped_exe: Executes dropped exe files
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call
pe_overlay: PE file contains overlay

Related reports