File name:

Tax_Document.pdf.zip

Full analysis: https://app.any.run/tasks/7040c2d7-d98f-4559-8ea4-3f35de55a04c
Verdict: Malicious activity
Threats:

DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.

Malware Trends Tracker     >>>
Analysis date: April 26, 2024, 13:11:50
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
darkgate
loader
ta577
apt
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

2DD1A7C3A1E315E310CE0A8AF9E57AFB

SHA1:

38092153924993101933D60A33394260F20468CE

SHA256:

06E916AB0DCF4F5F0DD637BFFB2DB12E22D1A5A9FC511066A42A58A8FC486290

SSDEEP:

196608:BqHRPEjquyoqGO+q7LKjPZzvoTqSdgdttqv3:BMxSO+q7LKjPZzvOd6t83

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • DARKGATE has been detected (YARA)

      • Tax_Document.pdf.exe (PID: 2168)

    • DARKGATE has been detected (SURICATA)

      • Tax_Document.pdf.exe (PID: 2168)

    • Changes the autorun value in the registry

      • reg.exe (PID: 4988)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • Tax_Document.pdf.exe (PID: 2104)

    • Application launched itself

      • Tax_Document.pdf.exe (PID: 2104)

    • The process verifies whether the antivirus software is installed

      • Tax_Document.pdf.exe (PID: 2168)

    • Starts CMD.EXE for commands execution

      • Tax_Document.pdf.exe (PID: 2104)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2388)

    • Connects to the server without a host name

      • Tax_Document.pdf.exe (PID: 2168)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2852)

    • Reads product name

      • Tax_Document.pdf.exe (PID: 2168)

    • Checks supported languages

      • Tax_Document.pdf.exe (PID: 2104)
      • Tax_Document.pdf.exe (PID: 2168)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2852)

    • Reads Environment values

      • Tax_Document.pdf.exe (PID: 2104)
      • Tax_Document.pdf.exe (PID: 2168)

    • Manual execution by a user

      • Tax_Document.pdf.exe (PID: 2104)

    • Reads the computer name

      • Tax_Document.pdf.exe (PID: 2104)
      • Tax_Document.pdf.exe (PID: 2168)

    • Create files in a temporary directory

      • Tax_Document.pdf.exe (PID: 2104)

    • Creates files or folders in the user directory

      • Tax_Document.pdf.exe (PID: 2104)
      • Tax_Document.pdf.exe (PID: 2168)

    • Reads CPU info

      • Tax_Document.pdf.exe (PID: 2168)

    • Reads Windows Product ID

      • Tax_Document.pdf.exe (PID: 2168)

    • Creates files in the program directory

      • Tax_Document.pdf.exe (PID: 2168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:04:24 18:43:38
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Tax_Document.pdf/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
98
Monitored processes
7
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe rundll32.exe no specs tax_document.pdf.exe no specs #DARKGATE tax_document.pdf.exe cmd.exe no specs conhost.exe no specs reg.exe

Process information

PID
CMD
Path
Indicators
Parent process
2104"C:\Users\admin\Desktop\Tax_Document.pdf\Tax_Document.pdf.exe" C:\Users\admin\Desktop\Tax_Document.pdf\Tax_Document.pdf.exeexplorer.exe
User:
admin
Company:
Handy Software
Integrity Level:
MEDIUM
Description:
Handy Viewer
Exit code:
0
Version:
2.3.0.0
Modules
Images
c:\users\admin\desktop\tax_document.pdf\tax_document.pdf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
2168"C:\Users\admin\Desktop\Tax_Document.pdf\Tax_Document.pdf.exe"C:\Users\admin\Desktop\Tax_Document.pdf\Tax_Document.pdf.exe
Tax_Document.pdf.exe
User:
admin
Company:
Handy Software
Integrity Level:
MEDIUM
Description:
Handy Viewer
Version:
2.3.0.0
Modules
Images
c:\users\admin\desktop\tax_document.pdf\tax_document.pdf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
2388cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*SentinelOne" /t REG_SZ /d "rundll32.exe C:\Users\admin\AppData\Roaming\SentinelOne.dll",EntryPoint /f & exitC:\Windows\SysWOW64\cmd.exeTax_Document.pdf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
2852"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Tax_Document.pdf.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
4988reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*SentinelOne" /t REG_SZ /d "rundll32.exe C:\Users\admin\AppData\Roaming\SentinelOne.dll",EntryPoint /f C:\Windows\SysWOW64\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
5824\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
6112C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcp_win.dll
Total events
8 336
Read events
8 312
Write events
24
Delete events
0

Modification events

(PID) Process:(2852) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General
Operation:writeName:VerInfo
Value:
005B05006B90E156DB97DA01
(PID) Process:(2852) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2852) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2852) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\Tax_Document.pdf.zip
(PID) Process:(2852) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2852) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2852) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2852) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2852) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
1
(PID) Process:(2852) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF82000000820000004204000065020000
Executable files
2
Suspicious files
6
Text files
2
Unknown types
1

Dropped files

PID
Process
Filename
Type
2104Tax_Document.pdf.exeC:\Users\admin\AppData\Roaming\SentinelOne.dll
MD5:
SHA256:
2852WinRAR.exeC:\USERS\ADMIN\APPDATA\ROAMING\WINRAR\VERSION.DATbinary
MD5:F7B692C116FA99B49E86F82F406F3FFC
SHA256:E40ECC67350664BD1B41BEFED15344723461DC429EA8999A7EB1201D35033521
2852WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2852.44074\Tax_Document.pdf\ielang32.dllexecutable
MD5:647F308409CFD66101DAEE8C55629B85
SHA256:676C368EA2F76F770E15D891BD2D7756C8471792D73E91F7D0B619CA8C6D6A3E
2852WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2852.44074\Tax_Document.pdf\Tax_Document.pdf.exeexecutable
MD5:04B527CA1B634EE5ED0CAD4AB6DDD407
SHA256:B54C8E984DBFED0BB80A5FDFF2637A2E56A146F85A2712C29BEF509D088CEB69
2168Tax_Document.pdf.exeC:\Users\admin\AppData\Roaming\CFKfBKftext
MD5:27CCB771321A0AABA30934AD4A795D94
SHA256:95F8E4AE59DE4F169B0EEC7BEFC1BDC87E84D5DD686A2129C218E7CCFB2D2C79
2168Tax_Document.pdf.exeC:\temp\cfdbdgftext
MD5:CD073A4AAF6A72523577B029343590BA
SHA256:F7B315B67A6B16A2220B4DC8C33E1B0BD1DDA2DF03D0E1C88EA371C2E1401047
2104Tax_Document.pdf.exeC:\Users\admin\AppData\Local\Temp\ILIST-37B55715.tmpbinary
MD5:EC87A838931D4D5D2E94A04644788A55
SHA256:8A39D2ABD3999AB73C34DB2476849CDDF303CE389B35826850F9A700589B4A90
2104Tax_Document.pdf.exeC:\Users\admin\AppData\Local\Temp\ICACHE-5DB923CC.tmpbinary
MD5:EC87A838931D4D5D2E94A04644788A55
SHA256:8A39D2ABD3999AB73C34DB2476849CDDF303CE389B35826850F9A700589B4A90
2104Tax_Document.pdf.exeC:\Users\admin\AppData\Local\Temp\ICACHE-367F5837.tmpbinary
MD5:EC87A838931D4D5D2E94A04644788A55
SHA256:8A39D2ABD3999AB73C34DB2476849CDDF303CE389B35826850F9A700589B4A90
2104Tax_Document.pdf.exeC:\Users\admin\AppData\Local\Temp\ILIST-5E033328.tmpbinary
MD5:EC87A838931D4D5D2E94A04644788A55
SHA256:8A39D2ABD3999AB73C34DB2476849CDDF303CE389B35826850F9A700589B4A90
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
135
TCP/UDP connections
148
DNS requests
10
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1332
svchost.exe
GET
200
2.16.164.99:80
http://www.msftconnecttest.com/connecttest.txt
unknown
unknown
4600
smartscreen.exe
GET
200
173.222.108.210:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4280be65fc6acc79
unknown
unknown
4600
smartscreen.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
unknown
3984
svchost.exe
GET
304
173.222.108.210:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0097c55f0cf5ccda
unknown
unknown
3984
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
1088
svchost.exe
POST
302
23.43.62.58:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
unknown
1088
svchost.exe
POST
302
23.43.62.58:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
unknown
1088
svchost.exe
POST
302
23.43.62.58:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
unknown
1088
svchost.exe
POST
138.91.171.81:80
http://dmd.metaservices.microsoft.com/metadata.svc
unknown
unknown
2168
Tax_Document.pdf.exe
POST
200
185.196.220.195:80
http://185.196.220.195/
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4552
svchost.exe
239.255.255.250:1900
unknown
1332
svchost.exe
2.16.164.42:80
Akamai International B.V.
NL
unknown
4600
smartscreen.exe
20.103.180.120:443
checkappexec.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
4600
smartscreen.exe
173.222.108.210:80
ctldl.windowsupdate.com
Akamai International B.V.
CH
unknown
4
System
192.168.100.255:137
whitelisted
1332
svchost.exe
2.16.164.99:80
Akamai International B.V.
NL
unknown
3984
svchost.exe
20.190.159.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3984
svchost.exe
173.222.108.210:80
ctldl.windowsupdate.com
Akamai International B.V.
CH
unknown
4600
smartscreen.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
3984
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
checkappexec.microsoft.com
  • 20.103.180.120
whitelisted
ctldl.windowsupdate.com
  • 173.222.108.210
  • 173.222.108.147
  • 88.221.110.91
  • 2.16.100.168
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.2
  • 20.190.159.0
  • 40.126.31.73
  • 40.126.31.71
  • 40.126.31.69
  • 20.190.159.71
  • 20.190.159.68
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
v10.events.data.microsoft.com
  • 13.89.179.9
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
go.microsoft.com
  • 23.43.62.58
whitelisted
dmd.metaservices.microsoft.com
  • 138.91.171.81
whitelisted
fs.microsoft.com
  • 23.43.61.160
whitelisted

Threats

PID
Process
Class
Message
1332
svchost.exe
Misc activity
ET INFO Microsoft Connection Test
2168
Tax_Document.pdf.exe
Malware Command and Control Activity Detected
LOADER [ANY.RUN] DarkGate HTTP POST Activity (TA577)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Tax_Document.pdf.zip