darkgate | 0a0fb9fe1cf34cd8fc6caa01d70849dee3d38f106cd1dfd69657051cf74c320e | Triage

Submit
Reports

Overview

overview

Static

static

1

scanned_do...7.xlsx

windows10-1703-x64

Sharing

General

Target

waf9d.zip
Size

53KB
Sample

240227-sbzknscc4y
MD5

ee42338afb998d2e4538a7c2b6ba5f8d
SHA1

5b2490d360615a4da06a220c56b6ef99113602e1
SHA256

0a0fb9fe1cf34cd8fc6caa01d70849dee3d38f106cd1dfd69657051cf74c320e
SHA512

f59fcebfbcdf50cc3a862c0795b89cd376acc5ce3016a3c4c37ece3d016c023e06314aa9be7786d51d39bba550466cd3f55e651180a9011ab05176f8bc253240
SSDEEP

1536:1OnTrX6faUp9jGK6zq69TIyfNTKNmN7TjjJ5Btue9247SJCn419:1OnnXXUp9GK6zh9vf9KkFRZueM47SJCC

Score

10^/10

darkgate admin888 persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

scanned_doc#2024-27-2_5747.xlsx

Resource

win10-20240221-en

darkgate admin888 persistence spyware stealer

windows10-1703-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

remasterprodelherskjs.com

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
PAuTCBnH
minimum_disk
50
minimum_ram
7000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Targets

- Target
  
  scanned_doc#2024-27-2_5747.xlsx
- Size
  
  55KB
- MD5
  
  66658e42a106a416a36399aa525f1977
- SHA1
  
  9229786a060fc867777e16ff20ebd3afe7b6867a
- SHA256
  
  aa03bd94063f4e5e1275b28193cccc6302117c4801d278d9131394acb62fe09d
- SHA512
  
  8d2a18eb3d5133fd43f50e80f1fe7a31da7b41fc38b2375879efb0c7f335534ab4952562f0bb923a59239fc35c17cea0be6461e1f83deeafb46371793b205197
- SSDEEP
  
  1536:p/ToOEjzAw7Y2r7DUsV4XzY9t3jSagJYwehu:BoOAcw7nXDUsOjm3jTxhu
Score

10^/10

darkgate admin888 persistence spyware stealer
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- Detect DarkGate stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkgateadmin888persistencespywarestealer

© 2018-2025

Terms | Privacy