Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

DarkGate

79
Global rank
70 infographic chevron month
Month rank
79 infographic chevron week
Week rank
0
IOCs

DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.

Loader
Type
ex-USSR
Origin
15 November, 2018
First seen
26 December, 2024
Last seen
Also known as
Meh

How to analyze DarkGate with ANY.RUN

Type
ex-USSR
Origin
15 November, 2018
First seen
26 December, 2024
Last seen

IOCs

IP addresses
88.214.25.32
91.212.166.91
184.174.97.32
109.172.88.38
164.132.5.124
94.103.85.114
93.185.159.253
46.8.236.61
145.223.116.66
209.151.151.172
46.8.232.106
185.238.169.17
109.172.87.135
65.87.7.151
172.81.60.122
147.28.163.206
8.211.34.166
45.61.152.154
66.78.40.86
185.130.47.96
Domains
harlemsupport.com
brownswer.com
clickminded.agency
aspava-yachting.com
winmetrica.info
wmpssvc.online
wscsvc.online
snastiisani.xyz
tnecharise.me
wmiadap.sbs
webkruzjevo.site
weventlog.store
remote.hipool.shop
bigdealcenter.world
todayput.shop
tnecharise.biz
8sjimonstersboonkonline.com
adhufdauifadhj13.com
posetoposeschool.com
dropmeafile.com
URLs
http://sanibroadbandcommunicton.duckdns.org/
http://185.130.227.202/
http://jordanmikejeforse.com/
http://81.19.135.17/
http://piret-wismann.com/
http://adhufdauifadhj13.com/
http://80.66.88.145/
http://87.106.16.115:9061/
http://zochao.com/
http://80.85.152.122/
http://taochinashowwers.com/
http://94.228.169.143/
http://89.248.193.66/
http://89.248.193.66:2351/
http://uiahbmajokriswhoer.net/
http://cheneseemeg7575.cash/
http://annoyingannoying.vodka/
http://saintelzearlava.com/
http://trans1ategooglecom.com/
http://vintagecarsforlife.com/
Last Seen at

Recent blog posts

post image
Malware Trends Report: Q4, 2024 
watchers 232
comments 0
post image
Integrate ANY.RUN Threat Intelligence Feeds w...
watchers 2097
comments 0
post image
2024 Wrapped: A Year of Growth, Innovation, a...
watchers 156
comments 0

What is DarkGate malware?

DarkGate is a loader malware family that was first detected in 2018 and has since been continuously undergoing serious development, significantly expanding its functionality. This malicious software is notable for the use of various evasion techniques, such as process hollowing.

It is distributed based on the malware-as-a-service (MaaS) model by its developer who goes by the name RastaFarEye on popular Darkweb forums. According to the creator of the malware, they have been developing it since 2017.

As of the beginning of 2024, RastaFarEye offers only 30 seats per month to those willing to purchase a subscription, which is priced at $15,000/mo. The malware has been observed to be used by known threat actors in different attacks involving data theft and extortion. Operators get to control the malware via a special panel.

Expose malicious activities and get IOCs with ANY.RUN sandbox

  • Analyze malware in Windows 7, 10, and 11 VMs
  • Interact with files and links, just like on your own computer
  • Work in a private team space with your colleagues
Request 14-day free trial

Technical details of the DarkGate malicious software

DarkGate is a multi-functional malware, meaning that it can be employed for a range of malicious purposes. Here is an overview of its key capabilities:

  • DarkGate can execute malware to memory, making it more difficult to detect and remove.
  • It can remotely control the victim's computer, giving the attacker complete access to the victim's data and system, as well as log its keystrokes and take screenshots.
  • DarkGate can browse and manage files on the victim's computer.
  • It can steal the victim's passwords, credit card numbers, cookies, history, and other sensitive information from their web browsers.
  • The malware can gain administrator privileges on the victim's computer, giving the attacker even more control over the system.
  • DarkGate can steal the victim's Discord login token, which can be used to log in to their account and steal their data.
  • It is also equipped with a cryptominer, allowing operators to mine various cryptocurrencies using the victim's computer's CPU and/or GPU.

The DarkGate virus achieves persistence, making sure it stays on the computer even after a restart, in several ways. For instance, it can create a shortcut in the Startup folder or change a setting in the registry. Additionally, it employs Asynchronous Process Call injection.

In order to evade antivirus software, DarkGate has the functionality to check the presence of a list of popular security products on the system. It also has an anti-sandboxing capability, where it can detect a virtual machine environment and halt or adjust its execution.

All the communication with the command and control (C2) server is performed via HTTP and is obfuscated.

Execution process of DarkGate attacks

Despite having an anti-sandboxing capability, DarkGate can be easily analyzed in ANY.RUN. As a result, we can easily detect the malware and observe its activity by simply uploading its sample to the sandbox.

DarkGate threat details shown in ANY.RUN DarkGate`s threat details demonstrated in ANY.RUN

The execution chain of DarkGate may vary depending on the versions and other factors. In some instances, the entire execution chain is contained in a single file that facilitates all activities post-infection. Let's examine our sample.

DarkGate may perform process hollowing into certain processes within the infected operating system. This can include TabTip32, BraveUpdate, MicrosoftEdgeUpdate, ielowutil, or, in our case, GoogleUpdate. This malware often utilizes AutoIT scripts and files for injection and execution of shellcode and other malicious activities. The primary malicious activities are executed through the injected GoogleUpdate process. It adds itself to the startup directory, checks for the presence of antivirus software, connects to the command and control server (C2), downloads payloads, and more.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Gathering threat intelligence on Darkgate malware

To collect up-to-date intelligence on Darkgate, use Threat Intelligence Lookup.

This service gives you access to a vast database filled with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox.

With over 40 customizable search parameters, including IPs, domains, file names, and process artifacts, you can efficiently gather relevant data on threats like Darkgate.

Darkgate ANY.RUN Search results for Darkgate in Threat Intelligence Lookup

For example, you can search directly for the threat name or use related indicators like hash values or network connections. Submitting a query such as threatName:"darkgate" AND domainName:"" will generate a list of files, events, domain names, and other data extracted from DarkGate samples along with sandbox sessions that you can explore in detail to gain comprehensive insights into this malware’s behavior.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Distribution methods of the DarkGate malware

Like other common malware families, including Remcos and njRAT, DarkGate infiltrates systems through deceptive emails.

However, instead of directly embedding malware into an email attachment, DarkGate typically utilizes malicious links that direct users to compromised websites hosting MSI installer files. When unsuspecting users download and execute these infected MSIs, the DarkGate malware silently installs itself on their computers. Once embedded, DarkGate begins to steal sensitive information and perform other similar actions.

Conclusion

DarkGate is an extremely capable malware that is operated by infamous threat groups, which puts it on a list of major cybersecurity concerns. To ensure your organization has the capacity to avoid becoming another victim of the malware, you need to have access to up-to-date information on DarkGate.

Utilize the ANY.RUN sandbox to examine the latest samples of DarkGate and gather up-to-date insights into their behavior patterns. Uncover the TTPs employed by the malware and collect its indicators of compromise. Leverage ANY.RUN's interactive malware analysis approach to safely interact with the malware as if on your own device, extracting even more relevant information.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More
Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More
Cobalt Strike screenshot
Cobalt Strike
cobaltstrike
Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.
Read More
Sliver screenshot
Sliver
sliver
Sliver is an open-source command-and-control (C2) framework that has been increasingly adopted by threat actors as an alternative to tools like Cobalt Strike. Developed by security firm Bishop Fox, Sliver was initially intended for legitimate security testing and red teaming exercises. However, its robust features and open-source nature have made it attractive to malicious actors seeking to control compromised systems.
Read More
Black Basta screenshot
Black Basta
blackbasta
Black Basta is a ransomware-as-a-service operated by Storm-1811. It emerged in 2022 and uses double extortion tactics, encrypting data and stealing it for ransom. The malware often gains access through spear-phishing and uses tools like QakBot and Cobalt Strike. It's known for exploiting system vulnerabilities and using advanced obfuscation techniques.
Read More
MetaStealer screenshot
MetaStealer
metastealer
MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.
Read More