darkgate | ad806df85dfb29cca1f3a2c99ed069c30cd870bae9d47f2de4c7ce727b9622ec | Triage

Submit
Reports

Overview

overview

Static

static

1

dark.vbs

windows7-x64

3

dark.vbs

windows10-2004-x64

Sharing

General

Target

dark.vbs
Size

5KB
Sample

240303-p2npbabb92
MD5

3b2e1c5604f68a43495f3829c31f12e3
SHA1

ddc0158fa56458c9235598fdbf2ff49d87c93bb1
SHA256

ad806df85dfb29cca1f3a2c99ed069c30cd870bae9d47f2de4c7ce727b9622ec
SHA512

853b8afbffbbf8a24639f27fd2ddd5b5713e85f7ddcd8a020a050ba40fcf391cf29aa047cfc335b69b5828b740f145b6b27b1149f07234817b991545b3ab38f6
SSDEEP

96:DaUEmyDTEBzylU+/V9rkcQ3tZUHg4KRZZoPC8Wuo9d3uV0m:DaU0TEBzj+/V9g/tZUHg4KR/oa8Wuo9I

Score

10^/10

darkgate pruebasvbs persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

dark.vbs

Resource

win7-20240221-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

dark.vbs

Resource

win10v2004-20240226-en

darkgate pruebasvbs persistence stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

darkgate

Botnet

pruebasvbs

C2

149.56.252.31

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
8094
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
mwsMGaLY
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
pruebasvbs

Targets

- Target
  
  dark.vbs
- Size
  
  5KB
- MD5
  
  3b2e1c5604f68a43495f3829c31f12e3
- SHA1
  
  ddc0158fa56458c9235598fdbf2ff49d87c93bb1
- SHA256
  
  ad806df85dfb29cca1f3a2c99ed069c30cd870bae9d47f2de4c7ce727b9622ec
- SHA512
  
  853b8afbffbbf8a24639f27fd2ddd5b5713e85f7ddcd8a020a050ba40fcf391cf29aa047cfc335b69b5828b740f145b6b27b1149f07234817b991545b3ab38f6
- SSDEEP
  
  96:DaUEmyDTEBzylU+/V9rkcQ3tZUHg4KRZZoPC8Wuo9d3uV0m:DaU0TEBzj+/V9g/tZUHg4KR/oa8Wuo9I
Score

10^/10

darkgate pruebasvbs persistence stealer
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- Detect DarkGate stealer
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

darkgatepruebasvbspersistencestealer

© 2018-2025

Terms | Privacy