File name:

Dark_drop_2_pers_lum_clean.exe.bin

Full analysis: https://app.any.run/tasks/02463f38-e112-45aa-8151-8bcc88293abe
Verdict: Malicious activity
Threats:

DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.

Malware Trends Tracker     >>>
Analysis date: November 15, 2024, 17:57:42
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autoit
xor-url
generic
darkgate
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

19888B7FE000D86BC63CF6A75A1E4C69

SHA1:

05CA780F0BA02D7B13D969560F02621EC94FF6CB

SHA256:

CC5C482229F5B9D1C88F6FF68ABB7461DE259749F6230932654BB5AAA3FDDD88

SSDEEP:

98304:X5KxJTSsRge4YKPmerMNvGY3rTvRF8r+f0l2XfbSNtwLfa5JhB4X2kN9hIadpGZX:f1QD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • XORed URL has been found (YARA)

      • Autoit3.exe (PID: 1576)

    • DARKGATE has been detected (YARA)

      • Autoit3.exe (PID: 1576)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Dark_drop_2_pers_lum_clean.exe.bin.exe (PID: 6772)
      • Autoit3.exe (PID: 1576)

    • Starts the AutoIt3 executable file

      • Dark_drop_2_pers_lum_clean.exe.bin.exe (PID: 6772)

    • The process verifies whether the antivirus software is installed

      • Autoit3.exe (PID: 1576)

    • Starts CMD.EXE for commands execution

      • Autoit3.exe (PID: 1576)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 6324)

    • Accesses domain name via WMI (SCRIPT)

      • WMIC.exe (PID: 1768)

    • Connects to unusual port

      • Autoit3.exe (PID: 1576)

  • INFO

    • Reads mouse settings

      • Autoit3.exe (PID: 1576)

    • Checks supported languages

      • Dark_drop_2_pers_lum_clean.exe.bin.exe (PID: 6772)
      • Autoit3.exe (PID: 1576)

    • Reads Windows Product ID

      • Autoit3.exe (PID: 1576)

    • Reads the computer name

      • Autoit3.exe (PID: 1576)

    • Creates files or folders in the user directory

      • Autoit3.exe (PID: 1576)

    • Reads CPU info

      • Autoit3.exe (PID: 1576)

    • Creates files in the program directory

      • Autoit3.exe (PID: 1576)
      • cmd.exe (PID: 6324)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 1768)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process(1576) Autoit3.exe
Decrypted-URLs (2)http://ipinfo.io/ip
https://mail.google.com/mail/u/0/#inbox
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:23 10:22:02+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 3059712
InitializedDataSize: 612864
UninitializedDataSize: -
EntryPoint: 0x1b1282
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2.5.3.1
ProductVersionNumber: 2.5.3.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: TVU IPTV Player
CompanyName: TVU networks
FileDescription: TVUPlayer Component
InternalName: TVUPlayer
LegalCopyright: Copyright (C) 2006-2010 TVU networks. All rights reserved.
LegalTrademarks: TVU networks
OriginalFileName: TVUPlayer.exe
ProductName: TVUPlayer Module
FileVersion: 2.5.3.1
ProductVersion: 2.5.3.1
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
131
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start dark_drop_2_pers_lum_clean.exe.bin.exe #XOR-URL autoit3.exe cmd.exe no specs conhost.exe no specs wmic.exe no specs msbuild.exe

Process information

PID
CMD
Path
Indicators
Parent process
1576"c:\temp\test\Autoit3.exe" c:\temp\test\script.a3xC:\temp\test\Autoit3.exe
Dark_drop_2_pers_lum_clean.exe.bin.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script
Version:
3, 3, 14, 5
Modules
Images
c:\temp\test\autoit3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
xor-url
(PID) Process(1576) Autoit3.exe
Decrypted-URLs (2)http://ipinfo.io/ip
https://mail.google.com/mail/u/0/#inbox
1768wmic ComputerSystem get domain C:\Windows\SysWOW64\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3832C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Autoit3.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6324"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\faaedfb\hcfhabhC:\Windows\SysWOW64\cmd.exeAutoit3.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6772"C:\Users\admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe.bin.exe" C:\Users\admin\AppData\Local\Temp\Dark_drop_2_pers_lum_clean.exe.bin.exe
explorer.exe
User:
admin
Company:
TVU networks
Integrity Level:
MEDIUM
Description:
TVUPlayer Component
Exit code:
0
Version:
2.5.3.1
Modules
Images
c:\users\admin\appdata\local\temp\dark_drop_2_pers_lum_clean.exe.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6836\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
877
Read events
802
Write events
75
Delete events
0

Modification events

(PID) Process:(1576) Autoit3.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:eafbcch
Value:
"C:\ProgramData\faaedfb\Autoit3.exe" C:\ProgramData\faaedfb\hackgdc.a3x
Executable files
2
Suspicious files
2
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
6772Dark_drop_2_pers_lum_clean.exe.bin.exeC:\temp\test\script.a3xbinary
MD5:B06F6DEE405E7EDBDB66A38C8F466F40
SHA256:22BBC7AEE06585F281643CCCFC6F80C360F2EC27E70A300C578E5A8F4BDB2DF1
1576Autoit3.exeC:\temp\gkadhactext
MD5:FB701C7C1951E10868C453C68C142E14
SHA256:87D2C4AE9E110CB6DDB787C37DB3D7CC0D1089DF6F257B1F426744F1EF98CDC1
1576Autoit3.exeC:\ProgramData\faaedfb\hackgdc.a3xbinary
MD5:B06F6DEE405E7EDBDB66A38C8F466F40
SHA256:22BBC7AEE06585F281643CCCFC6F80C360F2EC27E70A300C578E5A8F4BDB2DF1
6772Dark_drop_2_pers_lum_clean.exe.bin.exeC:\temp\test\Autoit3.exeexecutable
MD5:C56B5F0201A3B3DE53E561FE76912BFD
SHA256:237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
6324cmd.exeC:\ProgramData\faaedfb\hcfhabhtext
MD5:C8BBAD190EAAA9755C8DFB1573984D81
SHA256:7F136265128B7175FB67024A6DDD7524586B025725A878C07D76A9D8AD3DC2AC
1576Autoit3.exeC:\ProgramData\faaedfb\Autoit3.exeexecutable
MD5:C56B5F0201A3B3DE53E561FE76912BFD
SHA256:237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
1576Autoit3.exeC:\Users\admin\AppData\Roaming\AHdAGhhtext
MD5:B26B0CAB0F02E3433B6570E395D47CCD
SHA256:15A19DEE4269958124F57C2A9CDB03D1260EB1106977148035C1BB9F8595DCBB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
48
DNS requests
23
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5488
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
7024
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5756
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5756
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3792
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.23.209.176:443
www.bing.com
Akamai International B.V.
GB
whitelisted
5488
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
5488
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4020
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
  • 20.73.194.208
whitelisted
www.bing.com
  • 2.23.209.176
  • 2.23.209.187
  • 2.23.209.133
  • 2.23.209.189
  • 2.23.209.140
  • 2.23.209.150
  • 2.23.209.148
  • 2.23.209.149
  • 2.23.209.130
  • 2.23.209.185
  • 2.23.209.177
  • 2.23.209.179
  • 2.23.209.160
  • 2.23.209.158
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
google.com
  • 142.250.181.238
whitelisted
login.live.com
  • 20.190.159.68
  • 20.190.159.71
  • 40.126.31.69
  • 20.190.159.64
  • 20.190.159.73
  • 20.190.159.0
  • 20.190.159.75
  • 20.190.159.23
whitelisted
th.bing.com
  • 2.23.209.185
  • 2.23.209.187
  • 2.23.209.179
  • 2.23.209.182
  • 2.23.209.158
  • 2.23.209.177
  • 2.23.209.189
  • 2.23.209.176
  • 2.23.209.133
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
hard-to-find.cyou
  • 188.114.97.3
  • 188.114.96.3
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Dark_drop_2_pers_lum_clean.exe.bin