darkgate | f31c862a31ee968dafb32532059403438d2cfa5aaf8b5b1ad089b6ac027cec34 | Triage

Submit
Reports

Overview

overview

Static

static

1

a777dd29c0...a5.lnk

windows7-x64

a777dd29c0...a5.lnk

windows10-2004-x64

Sharing

General

Target

a777dd29c0c24492eae7a4170d1599a5.bin
Size

1KB
Sample

240312-eatq5she22
MD5

a777dd29c0c24492eae7a4170d1599a5
SHA1

a854b705c05dd4503d6de331cf1ad2716221c230
SHA256

f31c862a31ee968dafb32532059403438d2cfa5aaf8b5b1ad089b6ac027cec34
SHA512

5b0a100f1d0f61f3f87cc0f00e1be2096e009fe7b690dd37f32a4e3bb1d47495130e604f013ec1cf8f0616262b65d46090f5c3c81ee04172a9736a2b37994425

Score

10^/10

darkgate admin000 persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

a777dd29c0c24492eae7a4170d1599a5.lnk

Resource

win7-20240221-en

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

a777dd29c0c24492eae7a4170d1599a5.lnk

Resource

win10v2004-20240226-en

darkgate admin000 persistence stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://206.188.196.222/w1

Extracted

Language

hta

Source

URLs

hta.dropper

http://206.188.196.222/w1

Extracted

Family

darkgate

Botnet

admin000

C2

145.239.202.110

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
8094
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
WXMqRdAD
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
admin000

Targets

- Target
  
  a777dd29c0c24492eae7a4170d1599a5.bin
- Size
  
  1KB
- MD5
  
  a777dd29c0c24492eae7a4170d1599a5
- SHA1
  
  a854b705c05dd4503d6de331cf1ad2716221c230
- SHA256
  
  f31c862a31ee968dafb32532059403438d2cfa5aaf8b5b1ad089b6ac027cec34
- SHA512
  
  5b0a100f1d0f61f3f87cc0f00e1be2096e009fe7b690dd37f32a4e3bb1d47495130e604f013ec1cf8f0616262b65d46090f5c3c81ee04172a9736a2b37994425
Score

10^/10

darkgate admin000 persistence stealer
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- Detect DarkGate stealer
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

darkgateadmin000persistencestealer

© 2018-2025

Terms | Privacy