darkgate | ef989e3924e2f9e3fe7ec53fd870124b8f9174275428c36e03a991a55ce5ad54 | Triage

Submit
Reports

Overview

overview

Static

static

1

27022024_2...an.msi

windows7-x64

27022024_2...an.msi

windows10-2004-x64

Sharing

General

Target

27022024_2353_scan.msi
Size

5.7MB
Sample

240227-tb4p3add8v
MD5

50c85e84f91c3b7f1811380aeae9d606
SHA1

7703c4ec1ea28c2b9785eb02b5c11b7b226155eb
SHA256

ef989e3924e2f9e3fe7ec53fd870124b8f9174275428c36e03a991a55ce5ad54
SHA512

e5b2930d2c44d27af969f96b2040045b6a9a6d6ad6cd500a3b01b7b789e713f8bd6dc867a7d6bfc39b87004bfb67744899cb5e94e37bef142aa2f0e21fe7d02c
SSDEEP

49152:opUPXXhs0/Te0LjgIAkr5VbSPn9VISBdxXhYHGphbEEoGVupQMKk+/GTeonv3c9M:opEpoVR0mVERDCjk+Onva46G

Score

10^/10

darkgate admin888 discovery persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

27022024_2353_scan.msi

Resource

win7-20240221-en

darkgate admin888 discovery persistence stealer

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

27022024_2353_scan.msi

Resource

win10v2004-20240226-en

darkgate admin888 discovery persistence stealer

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

remasterprodelherskjs.com

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
kiQRLFmc
minimum_disk
50
minimum_ram
7000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Targets

- Target
  
  27022024_2353_scan.msi
- Size
  
  5.7MB
- MD5
  
  50c85e84f91c3b7f1811380aeae9d606
- SHA1
  
  7703c4ec1ea28c2b9785eb02b5c11b7b226155eb
- SHA256
  
  ef989e3924e2f9e3fe7ec53fd870124b8f9174275428c36e03a991a55ce5ad54
- SHA512
  
  e5b2930d2c44d27af969f96b2040045b6a9a6d6ad6cd500a3b01b7b789e713f8bd6dc867a7d6bfc39b87004bfb67744899cb5e94e37bef142aa2f0e21fe7d02c
- SSDEEP
  
  49152:opUPXXhs0/Te0LjgIAkr5VbSPn9VISBdxXhYHGphbEEoGVupQMKk+/GTeonv3c9M:opEpoVR0mVERDCjk+Onva46G
Score

10^/10

darkgate admin888 discovery persistence stealer
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- Detect DarkGate stealer
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkgateadmin888discoverypersistencestealer

behavioral2

darkgateadmin888discoverypersistencestealer

© 2018-2025

Terms | Privacy