BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

DarkGate

72
Global rank
41 infographic chevron month
Month rank
36 infographic chevron week
Week rank
51
IOCs

DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.

Loader
Type
ex-USSR
Origin
15 November, 2018
First seen
27 February, 2024
Last seen
Also known as
Meh

How to analyze DarkGate with ANY.RUN

Type
ex-USSR
Origin
15 November, 2018
First seen
27 February, 2024
Last seen

IOCs

IP addresses
87.106.16.115
89.248.193.66
185.185.26.117
82.223.37.94
37.0.124.60
Hashes
46c785b72c3e85f73e621ca12e1a92bd00ea0153833ed46ad574b0242013a818
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
b79b536569c0060a834e4001289a6700692d67df58e644779fababf0df22fc75
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
93b2ff7f3570b4d91283027e41cbf1ce1f1f3b452d739a66c112612c664d9672
ca2af2316629b492968b1ccd2548bd4031d6722b726bac694f00380cd320b510
8979e74303550e257eb92225507bf2fb128cebde5f3f6e36b4236e822e194f64
8a88083a6168893eae13e60aed817aae6342bd84c66c95dc0e2e8d5054a8885d
761637d44066023ec2207240c658f7a4ada3777f31d653b8a220eb47c754f066
301158ffb44a9824deeec16bdc7dabdc328b9f3ecde0df048741218285d8bcc8
2824b4f5365025f5b0cb2bc956c2a46336fde086e0d56625d50375b6374251c8
4c324a8f0f395dc9a69854ec9c3917ac2bc9809a7a585c8b0c0e786f02a564d8
2b24c4c883a562d0326846ee1c92840144d1d755cdb721b24a35038ea92aa0e4
64db719c67988b106bf2d1a5b842445e8ff9b6436be28bcaa0b8876d330f8168
b0648d3e4f8eb5c0c83083be84748e39fffe64aec7bdefc3634193b181935e3d
c17d11aee8e1bb6d556849b44670b002c4df26dd141fdac36fd60f6b58d629f1
00985db874d9177de4a18999f7a420260b3a4665ba2b5b32aa39433ef79819df
7fc3126b9c53816657076b62188f9905067ec4b070deea5999cd6d7aa3c85c76
a410f736fa5c3e9030ee8a7ce718960317f070dc958df10652f603b784eb5683
0f1545a7176c45b0e7f9198cac8972167e5846e8b84cd40926f7edf338eeace2
URLs
http://piret-wismann.com/
http://87.106.16.115:9061/
http://zochao.com/
http://185.130.227.202/
http://80.85.152.122/
http://80.66.88.145/
http://taochinashowwers.com/
http://94.228.169.143/
http://89.248.193.66/
http://89.248.193.66:2351/
http://uiahbmajokriswhoer.net/
http://annoyingannoying.vodka/
http://cheneseemeg7575.cash/
http://saintelzearlava.com/
http://trans1ategooglecom.com/
http://vintagecarsforlife.com/
http://prestige-castom.com/
http://getldrrgoodgame.com/
http://127.0.0.1:65432/SSO
http://5.188.87.58/
Last Seen at

Recent blog posts

post image
DCRat: Step-by-Step Analysis in ANY.RUN
watchers 867
comments 0
post image
Analyzing Linux Malware in ANY.RUN: 3 exampl...
watchers 333
comments 0
post image
What is Crypto Malware: Definition and Analys...
watchers 315
comments 0

What is DarkGate malware?

DarkGate is a loader malware family that was first detected in 2018 and has since been continuously undergoing serious development, significantly expanding its functionality. This malicious software is notable for the use of various evasion techniques, such as process hollowing.

It is distributed based on the malware-as-a-service (MaaS) model by its developer who goes by the name RastaFarEye on popular Darkweb forums. According to the creator of the malware, they have been developing it since 2017.

As of the beginning of 2024, RastaFarEye offers only 30 seats per month to those willing to purchase a subscription, which is priced at $15,000/mo. The malware has been observed to be used by known threat actors in different attacks involving data theft and extortion. Operators get to control the malware via a special panel.

Expose malicious activities and get IOCs with ANY.RUN sandbox

  • Analyze malware in Windows 7, 8, 10, and 11 VMs
  • Interact with files and links, just like on your own computer
  • Work in a private team space with your colleagues
Request 14-day free trial

Technical details of the DarkGate malicious software

DarkGate is a multi-functional malware, meaning that it can be employed for a range of malicious purposes. Here is an overview of its key capabilities:

  • DarkGate can execute malware to memory, making it more difficult to detect and remove.
  • It can remotely control the victim's computer, giving the attacker complete access to the victim's data and system, as well as log its keystrokes and take screenshots.
  • DarkGate can browse and manage files on the victim's computer.
  • It can steal the victim's passwords, credit card numbers, cookies, history, and other sensitive information from their web browsers.
  • The malware can gain administrator privileges on the victim's computer, giving the attacker even more control over the system.
  • DarkGate can steal the victim's Discord login token, which can be used to log in to their account and steal their data.
  • It is also equipped with a cryptominer, allowing operators to mine various cryptocurrencies using the victim's computer's CPU and/or GPU.

The DarkGate virus achieves persistence, making sure it stays on the computer even after a restart, in several ways. For instance, it can create a shortcut in the Startup folder or change a setting in the registry. Additionally, it employs Asynchronous Process Call injection.

In order to evade antivirus software, DarkGate has the functionality to check the presence of a list of popular security products on the system. It also has an anti-sandboxing capability, where it can detect a virtual machine environment and halt or adjust its execution.

All the communication with the command and control (C2) server is performed via HTTP and is obfuscated.

Execution process of DarkGate attacks

Despite having an anti-sandboxing capability, DarkGate can be easily analyzed in ANY.RUN. As a result, we can easily detect the malware and observe its activity by simply uploading its sample to the sandbox.

DarkGate threat details shown in ANY.RUN DarkGate`s threat details demonstrated in ANY.RUN

The execution chain of DarkGate may vary depending on the versions and other factors. In some instances, the entire execution chain is contained in a single file that facilitates all activities post-infection. Let's examine our sample.

DarkGate may perform process hollowing into certain processes within the infected operating system. This can include TabTip32, BraveUpdate, MicrosoftEdgeUpdate, ielowutil, or, in our case, GoogleUpdate. This malware often utilizes AutoIT scripts and files for injection and execution of shellcode and other malicious activities. The primary malicious activities are executed through the injected GoogleUpdate process. It adds itself to the startup directory, checks for the presence of antivirus software, connects to the command and control server (C2), downloads payloads, and more.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Distribution methods of the DarkGate malware

Like other common malware families, including Remcos and njRAT, DarkGate infiltrates systems through deceptive emails.

However, instead of directly embedding malware into an email attachment, DarkGate typically utilizes malicious links that direct users to compromised websites hosting MSI installer files. When unsuspecting users download and execute these infected MSIs, the DarkGate malware silently installs itself on their computers. Once embedded, DarkGate begins to steal sensitive information and perform other similar actions.

Conclusion

DarkGate is an extremely capable malware that is operated by infamous threat groups, which puts it on a list of major cybersecurity concerns. To ensure your organization has the capacity to avoid becoming another victim of the malware, you need to have access to up-to-date information on DarkGate.

Utilize the ANY.RUN sandbox to examine the latest samples of DarkGate and gather up-to-date insights into their behavior patterns. Uncover the TTPs employed by the malware and collect its indicators of compromise. Leverage ANY.RUN's interactive malware analysis approach to safely interact with the malware as if on your own device, extracting even more relevant information.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy