darkgate | 1a147476f428a3e54505880bb38adb56b8b7dcf8e5d0d0312204396c41b81a1c | Triage

Submit
Reports

Overview

overview

Static

static

1

scanned_do...5.xlsx

windows11-21h2-x64

Sharing

General

Target

scanned_doc#2024-27-2_4065.xlsx
Size

55KB
Sample

240227-sl8lbsce7v
MD5

c8d22d559dacad7baca08452fcc1d577
SHA1

bb284b30a3d39019e4da6ec6d0d76a9bd0b879a7
SHA256

1a147476f428a3e54505880bb38adb56b8b7dcf8e5d0d0312204396c41b81a1c
SHA512

86fcca800930fd2f72d36d00b6695dda43966a2b26a1c86d5aa35a1d9e27927ff266bb5bb09e7fd46b5428fb5054f623f049ed7005b8d82055e5af71c86c4355
SSDEEP

1536:p/ToOEjzAw7Y2r7DUsV4XzY9t3jSagJYwehV:BoOAcw7nXDUsOjm3jTxhV

Score

10^/10

darkgate admin888 persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

scanned_doc#2024-27-2_4065.xlsx

Resource

win11-20240221-en

darkgate admin888 persistence stealer

windows11-21h2-x64

18 signatures

1200 seconds

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

remasterprodelherskjs.com

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
PAuTCBnH
minimum_disk
50
minimum_ram
7000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Targets

- Target
  
  scanned_doc#2024-27-2_4065.xlsx
- Size
  
  55KB
- MD5
  
  c8d22d559dacad7baca08452fcc1d577
- SHA1
  
  bb284b30a3d39019e4da6ec6d0d76a9bd0b879a7
- SHA256
  
  1a147476f428a3e54505880bb38adb56b8b7dcf8e5d0d0312204396c41b81a1c
- SHA512
  
  86fcca800930fd2f72d36d00b6695dda43966a2b26a1c86d5aa35a1d9e27927ff266bb5bb09e7fd46b5428fb5054f623f049ed7005b8d82055e5af71c86c4355
- SSDEEP
  
  1536:p/ToOEjzAw7Y2r7DUsV4XzY9t3jSagJYwehV:BoOAcw7nXDUsOjm3jTxhV
Score

10^/10

darkgate admin888 persistence stealer
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- Detect DarkGate stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkgateadmin888persistencestealer

© 2018-2025

Terms | Privacy