2023-11-30-IOCs-for-DarkGate-activity.txt
2023-11-30 (THURSDAY): DARKGATE ACTIVITY
REFERENCES:
- https://www.linkedin.com/posts/unit42_darkgate-timelythreatintel-malwaretraffic-activity-7136107640379637760-F4OH
- https://twitter.com/Unit42_Intel/status/1730342021628400092
INITIAL REFERENCE:
- https://www.virustotal.com/gui/file/7156fe159f4f8b13cceb42bcc66972cc6feeced13b34211a3c6b4ba8ead15257
NOTES:
- Unknown distribution method, possibly through Microsoft Teams similar to an example we previously noted at:
-- https://www.linkedin.com/posts/unit42_darkgate-timelythreatintelligence-threatintel-activity-7118377814826905600-idoc
-- https://twitter.com/Unit42_Intel/status/1712612195651998098
ASSOCIATED MALWARE AND ARTIFACTS:
- SHA256 hash: 7156fe159f4f8b13cceb42bcc66972cc6feeced13b34211a3c6b4ba8ead15257
- File size: 3,458 bytes
- File name: JobOfferAndCompanyOverview.zip
- File description: Password-protected zip archive
- Password: job2023
CONTENTS OF ZIP ARCHIVE:
- SHA256 hash: 94b0ae2811286865d060c53ee1141d08d19ac72175bc974b261d3cbe66727e95
- File size: 616,420 bytes
- File name: Company Overview. Information about our client their values culture and mission.pdf.lnk
- File name: Detailed description of the job offer November 2023.pdf.lnk
- File description: Windows shortcuts extracted from the above zip archive
FILE RETRIEVED AND RUN BY THE ABOVE .LNK FILES:
- SHA256 hash: 06ad0a15ad23f80816d9388624a14712df3598f856a2360912dd98680374dbda
- File size: 55,705 bytes
- File location: hxxp://185.123.53[.]208/lightshot.hta
FILES RETRIEVED BY THE ABOVE .HTA FILE:
- SHA256 hash: 0b899508777d7ed5159e2a99a5eff60c54d0724493df3d630525b837fa43aa51
- File size: 499,624 bytes
- File location: hxxp://185.123.53[.]208/lightshot.exe
- File description: Legitimate EXE for Lightshot, not malicious
- SHA256 hash: 6866488e8882873a60d2d94e3eb224ab005a5b9e9053146d2b6601b520673929
- File size: 2,843,648 bytes
- File location: hxxp://185.123.53[.]208/lightshot.dll
- File description: Malicious DLL loaded by lightshot.exe (DLL side loading)
COPY OF AUTOIT3.EXE GENERATED BY THE ABOVE DLL:
- SHA256 hash: 64bc6210dec442292df50dd58b8f7aaa6fcd49931cbb90609f439b86c527d343
- File size: 893,608 bytes
- File name: autoit3.exe
- File description: Windows EXE for AutoIT v3 version 3.3.14.5, a legitimate file
MALICIOUS .AU3 FILE GENERATED BY THE ABOVE .DLL:
- SHA256 hash: 1744c6621eeb65626f1d0c99ffcb11b61d61e1f1747e4e8310e3e0d921056bb1
- File size: 504,152 bytes
- File location: C:\tmpp\test.au3
- File location: C:\temp\hhcdeea.au3
- File description: Autoit3 script file with embedded, XOR-encoded EXE
- XOR string used to encode embedded EXE: GVeRFliI
- SHA256 hash: 8436267fc6f1e27c466b659c6fead99c763679d4f92b20d551f03af54d161e08
- File size: 513,252 bytes
- File location: C:\ProgramData\dbahehh\hhcdeea.au3
- File description: Autoit3 script file with embedded, XOR-encoded EXE
- XOR string used to encode embedded EXE: FliIGVeR
DECODED EXE FROM ABOVE .AU3 FILES:
- SHA256 hash: ad49d1f80cf05416c389106d99808665008fcde3feccab8574f2167a3e1334ed
- File size: 414,720 bytes
- File type: PE32 executable (GUI) Intel 80386, for MS Windows
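The two .au3 files above each carry the same EXE under a different repeating XOR key (GVeRFliI and FliIGVeR). The following is an added analyst-side example, not code from the original post or from Unit 42: it applies repeating-key XOR with each candidate key to a carved blob and keeps the result only if it parses as a PE (MZ header plus a PE signature at e_lfanew). The embedded bytes are a constructed stand-in for a real payload; how the script stores the blob inside the .au3 text is not described on the page, so the example assumes the encoded bytes have already been carved out starting at offset zero of the key cycle.

```python
from itertools import cycle

# Keys reported for the two .au3 files in the IOC list above
KNOWN_KEYS = [b"GVeRFliI", b"FliIGVeR"]


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' DOS magic and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def try_decode(blob: bytes, keys=KNOWN_KEYS):
    """Return (key, decoded_bytes) for the first key that yields a PE, else (None, None)."""
    for key in keys:
        decoded = xor_with_key(blob, key)
        if looks_like_pe(decoded):
            return key, decoded
    return None, None


# Constructed stand-in for the embedded EXE: minimal MZ header whose e_lfanew
# points at 0x40, followed by the PE signature and some padding.
FAKE_PE = (
    b"MZ" + b"\x00" * 0x3A          # DOS header up to e_lfanew
    + (0x40).to_bytes(4, "little")  # e_lfanew = 0x40
    + b"PE\x00\x00" + b"\x00" * 16  # PE signature + padding
)
# Constructed encoded sample using the first key from the IOC list
ENCODED_SAMPLE = xor_with_key(FAKE_PE, b"GVeRFliI")

if __name__ == "__main__":
    key, exe = try_decode(ENCODED_SAMPLE)
    print("decoded with key", key, "->", "PE" if exe else "no PE found")
```

If the carved blob does not start on a key boundary, try the eight rotations of the key as well; a wrong alignment produces garbage that fails the MZ/PE check rather than a silently corrupt file.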
INFECTION TRAFFIC:
TRAFFIC CAUSED BY WINDOWS SHORTCUT:
- 185.123.53[.]208 port 80 - 185.123.53[.]208 - GET /lightshot.hta
TRAFFIC CAUSED BY ABOVE HTA:
- 185.123.53[.]208 port 80 - 185.123.53[.]208 - GET /Lightshot.exe
- 185.123.53[.]208 port 80 - 185.123.53[.]208 - GET /Lightshot.dll
DARKGATE C2:
- 158.160.77[.]234 port 80 - trans1ategooglecom[.]com - POST / HTTP/1.0
- 158.160.77[.]234 port 8080 - attempted TCP connections, RST from server
- 64.190.113[.]222 port 8080 - saintelzearlava[.]com - attempted TCP connections, RST from server
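Lists in this layout are usually consumed by loading the indicators into a blocklist or SIEM watchlist. The following is an added example, not part of the original IOC file: a small parser for this exact line format that collects SHA256 hashes, refangs the `hxxp` and `[.]` defanging, and separates IPv4 addresses from domains. The excerpt it runs on is constructed from a few lines of the list above.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed excerpt in the layout of the IOC file above (not the full file)
SAMPLE_IOC_TEXT = """\
ASSOCIATED MALWARE AND ARTIFACTS:
- SHA256 hash: 7156fe159f4f8b13cceb42bcc66972cc6feeced13b34211a3c6b4ba8ead15257
- File size: 3,458 bytes
- File location: hxxp://185.123.53[.]208/lightshot.hta
DARKGATE C2:
- 158.160.77[.]234 port 80 - trans1ategooglecom[.]com - POST / HTTP/1.0
- 64.190.113[.]222 port 8080 - saintelzearlava[.]com - attempted TCP connections, RST from server
"""

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def refang(token: str) -> str:
    """Undo the defanging convention used in the list: hxxp -> http, [.] -> ."""
    return token.replace("[.]", ".").replace("hxxp", "http")


def classify_host(host: str, iocs: dict) -> None:
    """Put a refanged host into the ipv4 or domain bucket."""
    if IPV4_RE.fullmatch(host):
        iocs["ipv4"].add(host)
    else:
        iocs["domain"].add(host.lower())


def extract_iocs(text: str) -> dict:
    """Parse '- ' indicator lines; heading lines (ALL CAPS, ending in ':') carry no IOCs."""
    iocs = {"sha256": set(), "ipv4": set(), "url": set(), "domain": set()}
    for line in text.splitlines():
        if not line.lstrip().startswith("- "):
            continue
        iocs["sha256"].update(SHA256_RE.findall(line))
        for token in line.split():
            if token.lower().startswith("hxxp"):
                url = refang(token)
                iocs["url"].add(url)
                host = urlsplit(url).hostname
                if host:
                    classify_host(host, iocs)
            elif "[.]" in token:  # defanged bare IP or domain
                classify_host(refang(token), iocs)
    return {kind: sorted(values) for kind, values in iocs.items()}


if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_IOC_TEXT), indent=2))
```

Only tokens that are explicitly defanged or start with `hxxp` are treated as network indicators, so plain file names such as `lightshot.hta` and strings like `HTTP/1.0` never leak into the domain list.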