Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

DarkGate

82
Global rank
100 infographic chevron month
Month rank
83
Week rank
0
IOCs

DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.

Loader
Type
ex-USSR
Origin
15 November, 2018
First seen
7 February, 2025
Last seen
Also known as
Meh

How to analyze DarkGate with ANY.RUN

Type
ex-USSR
Origin
15 November, 2018
First seen
7 February, 2025
Last seen

IOCs

IP addresses
5.252.178.193
94.131.101.186
79.132.128.47
5.252.177.104
138.124.183.34
91.222.173.149
87.106.16.115
194.26.192.57
194.26.192.233
5.252.177.24
72.142.184.241
136.244.92.148
81.187.9.122
95.179.241.172
94.156.6.6
45.154.98.21
5.181.159.77
95.179.164.94
78.142.18.222
5.181.159.64
Domains
wegrowcoaching.com
toonotion.com
bizabiza.mywire.org
coienubase.com
mainsercheronlinehostingbot.com
pjnbadfjandkadm3kd.com
notionbox.org
duelmener-naturtrailpark.org
s2notion.com
lili19mainmasters.com
newdomainfortesteenestle.com
boxmedrbopdrv.com
stachmentsuprimeresult.com
afnoticias.site
vn.abcxzy.com
ns1.starupsysteme.com
onlineserviceboonkers.com
cash-handling-app.my.id
aakritifitness.com
jeraldsin3dsajdklafdmonk.com
URLs
http://sanibroadbandcommunicton.duckdns.org/
http://185.130.227.202/
http://jordanmikejeforse.com/
http://81.19.135.17/
http://piret-wismann.com/
http://adhufdauifadhj13.com/
http://80.66.88.145/
http://87.106.16.115:9061/
http://zochao.com/
http://80.85.152.122/
http://taochinashowwers.com/
http://94.228.169.143/
http://89.248.193.66/
http://89.248.193.66:2351/
http://uiahbmajokriswhoer.net/
http://cheneseemeg7575.cash/
http://annoyingannoying.vodka/
http://saintelzearlava.com/
http://trans1ategooglecom.com/
http://vintagecarsforlife.com/
Last Seen at

Recent blog posts

post image
I Used a Sandbox to Strengthen Bank’s Securit...
watchers 220
comments 0
post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 596
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1488
comments 0

What is DarkGate malware?

DarkGate is a loader malware family that was first detected in 2018 and has since been continuously undergoing serious development, significantly expanding its functionality. This malicious software is notable for the use of various evasion techniques, such as process hollowing.

It is distributed based on the malware-as-a-service (MaaS) model by its developer who goes by the name RastaFarEye on popular Darkweb forums. According to the creator of the malware, they have been developing it since 2017.

As of the beginning of 2024, RastaFarEye offers only 30 seats per month to those willing to purchase a subscription, which is priced at $15,000/mo. The malware has been observed to be used by known threat actors in different attacks involving data theft and extortion. Operators get to control the malware via a special panel.

Expose malicious activities and get IOCs with ANY.RUN sandbox

  • Analyze malware in Windows 7, 10, and 11 VMs
  • Interact with files and links, just like on your own computer
  • Work in a private team space with your colleagues
Request 14-day free trial

Technical details of the DarkGate malicious software

DarkGate is a multi-functional malware, meaning that it can be employed for a range of malicious purposes. Here is an overview of its key capabilities:

  • DarkGate can execute malware to memory, making it more difficult to detect and remove.
  • It can remotely control the victim's computer, giving the attacker complete access to the victim's data and system, as well as log its keystrokes and take screenshots.
  • DarkGate can browse and manage files on the victim's computer.
  • It can steal the victim's passwords, credit card numbers, cookies, history, and other sensitive information from their web browsers.
  • The malware can gain administrator privileges on the victim's computer, giving the attacker even more control over the system.
  • DarkGate can steal the victim's Discord login token, which can be used to log in to their account and steal their data.
  • It is also equipped with a cryptominer, allowing operators to mine various cryptocurrencies using the victim's computer's CPU and/or GPU.

The DarkGate virus achieves persistence, making sure it stays on the computer even after a restart, in several ways. For instance, it can create a shortcut in the Startup folder or change a setting in the registry. Additionally, it employs Asynchronous Process Call injection.

In order to evade antivirus software, DarkGate has the functionality to check the presence of a list of popular security products on the system. It also has an anti-sandboxing capability, where it can detect a virtual machine environment and halt or adjust its execution.

All the communication with the command and control (C2) server is performed via HTTP and is obfuscated.

Execution process of DarkGate attacks

Despite having an anti-sandboxing capability, DarkGate can be easily analyzed in ANY.RUN. As a result, we can easily detect the malware and observe its activity by simply uploading its sample to the sandbox.

DarkGate threat details shown in ANY.RUN DarkGate`s threat details demonstrated in ANY.RUN

The execution chain of DarkGate may vary depending on the versions and other factors. In some instances, the entire execution chain is contained in a single file that facilitates all activities post-infection. Let's examine our sample.

DarkGate may perform process hollowing into certain processes within the infected operating system. This can include TabTip32, BraveUpdate, MicrosoftEdgeUpdate, ielowutil, or, in our case, GoogleUpdate. This malware often utilizes AutoIT scripts and files for injection and execution of shellcode and other malicious activities. The primary malicious activities are executed through the injected GoogleUpdate process. It adds itself to the startup directory, checks for the presence of antivirus software, connects to the command and control server (C2), downloads payloads, and more.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Gathering threat intelligence on Darkgate malware

To collect up-to-date intelligence on Darkgate, use Threat Intelligence Lookup.

This service gives you access to a vast database filled with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox.

With over 40 customizable search parameters, including IPs, domains, file names, and process artifacts, you can efficiently gather relevant data on threats like Darkgate.

Darkgate ANY.RUN Search results for Darkgate in Threat Intelligence Lookup

For example, you can search directly for the threat name or use related indicators like hash values or network connections. Submitting a query such as threatName:"darkgate" AND domainName:"" will generate a list of files, events, domain names, and other data extracted from DarkGate samples along with sandbox sessions that you can explore in detail to gain comprehensive insights into this malware’s behavior.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Distribution methods of the DarkGate malware

Like other common malware families, including Remcos and njRAT, DarkGate infiltrates systems through deceptive emails.

However, instead of directly embedding malware into an email attachment, DarkGate typically utilizes malicious links that direct users to compromised websites hosting MSI installer files. When unsuspecting users download and execute these infected MSIs, the DarkGate malware silently installs itself on their computers. Once embedded, DarkGate begins to steal sensitive information and perform other similar actions.

Conclusion

DarkGate is an extremely capable malware that is operated by infamous threat groups, which puts it on a list of major cybersecurity concerns. To ensure your organization has the capacity to avoid becoming another victim of the malware, you need to have access to up-to-date information on DarkGate.

Utilize the ANY.RUN sandbox to examine the latest samples of DarkGate and gather up-to-date insights into their behavior patterns. Uncover the TTPs employed by the malware and collect its indicators of compromise. Leverage ANY.RUN's interactive malware analysis approach to safely interact with the malware as if on your own device, extracting even more relevant information.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Mallox screenshot
Mallox
mallox
Mallox is a ransomware strain that emerged in 2021, known for its ability to encrypt files and target database servers using vulnerabilities like RDP. Often distributed through phishing campaigns and exploiting exposed SQL servers, it locks victims' data and demands a ransom. Mallox operates as a Ransomware-as-a-Service (RaaS), making it accessible to affiliates who use it to conduct attacks.
Read More
Sliver screenshot
Sliver
sliver
Sliver is an open-source command-and-control (C2) framework that has been increasingly adopted by threat actors as an alternative to tools like Cobalt Strike. Developed by security firm Bishop Fox, Sliver was initially intended for legitimate security testing and red teaming exercises. However, its robust features and open-source nature have made it attractive to malicious actors seeking to control compromised systems.
Read More
zgRAT screenshot
zgRAT
zgrat
zgRAT is a malware known for its ability to infect systems and exfiltrate sensitive data to command-and-control (C2) servers. It is primarily distributed through loader malware, as well as phishing emails. zgRAT employs various advanced techniques, including process injection and code obfuscation, to evade detection and maintain persistence on infected systems. The malware can also spread via USB drives and uses popular messaging platforms like Telegram and Discord for data exfiltration.
Read More