darkgate | 793b4e318eba9ef99173836a92ef2959a9ff73026647c0714ab7280f0dbe3fac | Triage

Submit
Reports

Overview

overview

Static

static

1

filter0912.2.vbs

windows7-x64

3

filter0912.2.vbs

windows10-2004-x64

Sharing

General

Target

filter0912.2.vbs
Size

250B
Sample

241210-mk32katkcw
MD5

0f5e506c6622ef23867764b600e2c4b4
SHA1

e6b079ecc9537672cc3b8390b0509770045b9bbd
SHA256

793b4e318eba9ef99173836a92ef2959a9ff73026647c0714ab7280f0dbe3fac
SHA512

48fca5308d3a37a7ab974c299c689ce8122b355eb44fe8bc033c80481f73fe74c13586b122d8e86fcd4d26d24153e5a034a8e7262801e3716a2010cbbc8f0b85

Score

10^/10

darkgate drk3 discovery execution persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

filter0912.2.vbs

Resource

win7-20240729-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

filter0912.2.vbs

Resource

win10v2004-20241007-en

darkgate drk3 discovery execution persistence stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

darkgate

Botnet

drk3

C2

todayput.shop

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
sEhfQzVh
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
drk3

Targets

- Target
  
  filter0912.2.vbs
- Size
  
  250B
- MD5
  
  0f5e506c6622ef23867764b600e2c4b4
- SHA1
  
  e6b079ecc9537672cc3b8390b0509770045b9bbd
- SHA256
  
  793b4e318eba9ef99173836a92ef2959a9ff73026647c0714ab7280f0dbe3fac
- SHA512
  
  48fca5308d3a37a7ab974c299c689ce8122b355eb44fe8bc033c80481f73fe74c13586b122d8e86fcd4d26d24153e5a034a8e7262801e3716a2010cbbc8f0b85
Score

10^/10

execution darkgate drk3 discovery persistence stealer
- DarkGate
  DarkGate is an infostealer written in C++.
  stealer darkgate
- Darkgate family
  darkgate
- Detect DarkGate stealer
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: AutoIT
  Using AutoIT for possible automate script.
  execution
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

AutoHotKey & AutoIT

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

darkgatedrk3discoveryexecutionpersistencestealer

© 2018-2025

Terms | Privacy