{
	"id": "f5fdf318-1ae8-4c50-9fe7-3336c2ab7a56",
	"created_at": "2026-04-10T03:20:00.817243Z",
	"updated_at": "2026-04-10T03:22:17.837077Z",
	"deleted_at": null,
	"sha1_hash": "bc7db75a8ef443911a3ffabb1ef490ebf7b4a73e",
	"title": "Detailed Analysis of DarkGate; Investigating new top-trend backdoor malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2326318,
	"plain_text": "Detailed Analysis of DarkGate; Investigating new top-trend\r\nbackdoor malware\r\nBy S2W\r\nPublished: 2024-01-16 · Archived: 2026-04-10 02:53:45 UTC\r\n12 min read\r\nJan 16, 2024\r\nAuthor: Minyeop Choi | BLKSMTH\r\nLast Modified : Jan 16, 2024\r\nPress enter or click to view image in full size\r\nPhoto by Nikola Knezevic on Unsplash\r\nExecutive Summary\r\nDarkGate is a malware that has been developed since 2017 and sold as Malware-as-a-Service.\r\nhttps://medium.com/s2wblog/detailed-analysis-of-darkgate-investigating-new-top-trend-backdoor-malware-0545ecf5f606\r\nPage 1 of 23\n\nDarkGate was not widely used until 2021, but continued feature additions and modifications were made,\r\nand it is now found to be used in various attacks.\r\nDarkGate supports attackers able to do malicious acts to victims listed below.\r\n— Remote Code Execution by Reverse Shell or Remote Desktop such as VNC and AnyDesk.\r\n— Data Exfiltration on saved files, browser cookies, or cached passwords.\r\n— Cryptocurrency Mining using XMRig\r\n— Privilege Escalation using CVE-2021–1733 or Process Hollowing\r\n— Persistence Management for DarkGate itself\r\nDarkgate needs to be kept track as features are continuously added and detection bypasses occur.\r\nIntroduction\r\nRecently, cybercriminals had a new interest in loader/botnet malware called DarkGate. DarkGate has been\r\ndeveloped since 2017 and is being sold as MaaS (Malware-as-a-Service) by a user named RastaFarEye, who is\r\nactive in underground forums such as Exploit.in and XSS.is.\r\nPress enter or click to view image in full size\r\nFigure 1. Advertisement of DarkGate (XSS.is)\r\nDarkGate was not widely used until 2021, although it was first released in 2018. However, DarkGate has gained\r\ndemand by updating new features such as Loader, Miner, Remote Control, and Info-stealer. 
Also, they keep\r\napplying anti-analysis and detection-bypass changes by monitoring published analysis reports of DarkGate.\r\nFigure 2. Patch note of DarkGate related to anti-analysis (Exploit.in)\r\nDarkGate is sold as Malware-as-a-Service at XSS.is and Exploit.in, priced at $1,000 per day, $15,000 per month,\r\nand $100,000 per year. They set a limit of 10 clients per month to keep their project secret but recently increased\r\nit to 30 due to increased demand.\r\nFigure 3. Notice of increase in sales limit (Exploit.in)\r\nVarious threat actors such as TA577, Ducktail, UNC2975, and UNC5085 buy and use DarkGate in their attacks,\r\nwhich is why DarkGate is distributed in various forms. Besides well-known methods such as torrents or phishing\r\nmail, some actors have recently abused search engine advertising to place their phishing site at the top of the\r\nresults so that victims visit it and download DarkGate. DarkGate's functions and detection-bypass\r\nmethods are continuously updated because of the activity of both the developer and the purchasing attack groups, so periodic\r\ntracking of feature updates is necessary.\r\nInformation of RastaFarEye\r\nThe contact information revealed by RastaFarEye is as follows:\r\nE-mail: coding_guru@exploit.im\r\nTox:\r\n09B950550CAD95899AC17C0B1384CD55C9BD81396B19EFFE2E80839D641D3221860ADEA89733\r\nTelegram: https://t[.]me/evtokens\r\nFigure 4. 
Banned RastaFarEye account profile (Exploit.in)\r\nCurrently, RastaFarEye has been banned on Exploit.in after a user reported that buyers were not told\r\nthat packing (also called crypting) is not applied by default when DarkGate is sold. Nevertheless, since\r\nRastaFarEye has an account on XSS.is, we expect that they will continue their activity on XSS.is.\r\nDetailed Analysis\r\nIn this section, we describe the structure of DarkGate and give a detailed analysis of its features. First, we explain\r\nhow DarkGate is distributed and installed, and then we explain the functions that DarkGate\r\nprovides.\r\nThe analysis in our report is based on the file below. Based on the configuration\r\nsettings previously published by Trellix, this sample is identified as V5.\r\nSHA256: 1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7\r\n1. Distribution Type\r\nDarkGate is mostly distributed in two forms: VBScript or Windows Installer Package (MSI). In recent versions\r\nof DarkGate, actors prefer the MSI form since Windows deprecated VBScript.\r\nVBScript\r\nFigure 5. Execution Flow of DarkGate in VBScript Form (downloaded via PAPERTEAR)\r\nDarkGate in VBScript form was delivered through e-mail or messengers such as Skype. Those cases\r\ntry to trick victims by making the dropper/downloader look like a document file, for example by using an LNK file or\r\nby adding spaces as in \"filename.pdf\u003cspaces\u003ewww.skype.vbs\". When the victim executes it, it downloads the AutoIt\r\nscript file and AutoIt launcher from the server. The AutoIt script contains XOR-encrypted bytecode, which is\r\ndecrypted and injected into other processes. 
The VBS file that uses this method is named PAPERTEAR and is\r\nused by UNC2975.\r\nMSI (Windows Installer Package)\r\nNot much different from the VBScript form, recent DarkGate adds a stage that executes the AutoIt script via DLL\r\nside-loading to bypass anti-virus detection.\r\nFigure 6. Execution Flow of DarkGate in MSI Form\r\nIn the DLL side-loading stage, pairs of a legitimate EXE file and a malicious DLL, such as windbg.exe with a\r\nmalicious dbgeng.dll or KeyScrambler.exe with KeyScrambler.dll, are used. The malicious DLL reads `data.bin`, which\r\nis extracted from the MSI, and obtains an additional payload that decrypts `data2.bin`, which contains the AutoIt launcher and\r\nAutoIt script. The rest of the process is the same as in the VBScript form.\r\nAutoIt Loader\r\nThe AutoIt script executes the bytecode through an EnumWindows callback to run DarkGate. The structure of the\r\nbytecode is shown below.\r\n 90 nop\r\n E9 B9 03 00 00 jmp MZ_HEADER\r\nMZ_HEADER:\r\n 4D dec ebp ; 'M' - DOS header magic 1\r\n 5A pop edx ; 'Z' - DOS header magic 2\r\n 45 inc ebp ; restore ebp (undo the dec ebp)\r\n 52 push edx ; restore the stack (undo the pop edx)\r\n E8 00 00 00 00 call $ ; push eip (return address = MZ_HEADER + 0x9)\r\n 58 pop eax ; eax = MZ_HEADER + 0x9\r\n 83 E8 09 sub eax, 0x9 ; eax = MZ_HEADER\r\n 50 push eax ; function call argument set\r\n 05 00 B0 00 00 add eax, 0xb000 ; eax = PE_LOADER = MZ_HEADER + 0xb000\r\n FF D0 call eax ; PE_LOADER(MZ_HEADER);\r\n C3 ret\r\n…\r\nPE_LOADER:\r\n … ; Load and Execute the PE data\r\nIn other words, the header bytes \"MZ\" double as valid x86 instructions, so the same buffer is both a PE image and the entry stub that loads it. The executed code extracts and decrypts the encrypted DarkGate payload in the script.au3 file and executes it.\r\n2. Characteristics of DarkGate\r\nIn this section, we describe the characteristics of DarkGate.\r\nCustom Base64\r\nDarkGate encodes important constant strings in the binary and data in C2 communication with Base64. 
However,\r\nDarkGate uses a Base64 alphabet different from the standard one, shown below.\r\nzLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=\r\nConfiguration\r\nDarkGate loads the configuration saved in the binary. The C2 server address is encoded in custom\r\nBase64. Other DarkGate settings are stored either as plain text in the binary or encoded with the custom Base64. Plain\r\nDarkGate settings are formed as follows:\r\n0=2351\r\n1=Yes\r\n2=Yes\r\n3=No\r\n5=No\r\n4=100\r\n...\r\nIn each line, the setting key is on the left of the equal sign and the value assigned to that key\r\nis on the right. The meaning of each setting key is shown in the table below; there\r\nare a total of 30 values.\r\nTable 1. DarkGate Configurations\r\nNote that some of the settings can be changed or deprecated by updates of DarkGate. \"Unknown\" marks settings whose\r\npurpose could not be determined in DarkGate v4 and v5, or whose storage type and usage differ between versions.\r\nVaccine Detection\r\nDarkGate classifies installed anti-virus (\"vaccine\") software into the ten types listed below.\r\nTable 2. 
Targeted vaccine list\r\nIn addition to the anti-virus products in the above 10 categories, DarkGate detects the additional products listed\r\nbelow, but the malicious actions it performs do not change.\r\nAvira, Trend Micro, McAfee, SUPER AntiSpyware, Comodo, ByteFence, Search \u0026 Destroy, 360 Total\r\nSecurity, Total AV, IObit Malware Fighter, Emsisoft, QuickHeal, F-Secure, G Data\r\nIn the case of IObit Malware Fighter, DarkGate repeatedly kills monitor.exe and smBootTime.exe.\r\nInitialize\r\nIf option 1 in the DarkGate configuration is Yes, DarkGate performs one of the following actions to maintain persistence,\r\ndepending on the type of installed anti-virus.\r\n1. Register an LNK file that runs the malicious AU3 script with AutoIt3.exe in the Startup folder.\r\n2. Register the LNK file in the Run registry key.\r\nIf Bitdefender (1), Quick Heal (6), Kaspersky (9), or KES (10) mentioned above is installed and the LNK file or\r\nregistry entry that runs DarkGate does not exist, DarkGate shuts down the infected computer. If Bitdefender (1)\r\nis present, it uses NtRaiseHardError with the STATUS_HOST_DOWN error code to cause a BSOD on the infected\r\ncomputer. According to the author's post, this appears to have been implemented to copy DarkGate to a safe path and shut\r\ndown the device when it recognizes that it has been detected by an anti-virus.\r\nFigure 7. Patch note of DarkGate persistence (Exploit.in)\r\nC2 Communication\r\nDarkGate uses HTTP POST requests to communicate with the C2 server. For this traffic, a custom Base64 table\r\ndifferent from the one mentioned above is used. DarkGate creates the final body\r\ndata for C2 as follows.\r\n1. Calculate `MD5(\u003cUsername\u003e + \u003cComputer Name\u003e + \u003cProduct ID\u003e + \u003cProcessor Name\u003e)`\r\n2. 
Hex-encode the hash value and apply a substitution cipher to it (substitution table: 0123456789ABCDEF -\u003e\r\nabcdefKhABCDEFGH)\r\n3. Sum every byte of step 2's result.\r\n4. Seed the random number generator with step 3's result, and shuffle the custom Base64 table based on that seed.\r\nThe data to be sent is then encoded using the newly created Base64 table, and the string calculated in step 2 is\r\nappended to the encoded data and sent together with it. Since the seed is derived from the step 2 string, the alphabet used for a given request can be reconstructed from that string with the same PRNG.\r\nRequest \u0026 Response\r\nAfter all initial processes are completed, DarkGate periodically requests commands from the C2 server. DarkGate\r\ntransmits data in the following format. Note that the entire payload is encoded using the newly created Base64 table.\r\n1000|\u003cElapsed time since execution(sec)\u003e|\u003cVersion of DarkGate\u003e|\u003cPermission\u003e|22|\r\nThe C2 then identifies the client from this data and sends control data in the following form.\r\n\u003c4 digits command id\u003e\u003cencrypted data\u003e\r\nThe command is executed according to the received 4-digit number, and if the command carries data, that\r\ndata is encoded with the newly created Base64 table as well.\r\n3. DarkGate Commands\r\nWe now describe the malicious actions that DarkGate can perform. Because the C2 can send a large number of\r\ncommands, we have categorized them for clarity. Note that a command's availability or command\r\nID can differ between versions of DarkGate.\r\nKeylogging\r\nKeylogging starts immediately after initial setup, regardless of any C2 command. The results are saved in a file\r\nnamed in DD-MM-YYYY.log format, and the storage path varies depending on the version. The C2 can retrieve or delete\r\nstored keylogs as needed.\r\nTable 3. 
Commands of Keylogging\r\nCollect Information\r\nTable 4. Commands of collecting information\r\nManage Files\r\nTable 5. Commands related to file managing\r\nSteal Credentials\r\nSoftware created by NirSoft is used to steal various types of information. The lol.exe\r\nused by commands 1011 and 1012 could not be found in the sample, but the /shtml and /stext\r\narguments passed to it are those used by NirSoft tools, and the output file is named skype.txt. It can therefore be assumed that it\r\nis SkypeLogView, which steals Skype information.\r\nTable 6. Commands related to stealing credentials\r\nRemove Data/Backups\r\nDarkGate performs various malicious actions by using programs or processes related to the browser. The\r\nfunction above appears to exist to delete browser-related APPDATA that was used and left behind by the malicious\r\ncode. There also appears to be a function to delete restore points to prevent restoration to the state before\r\ninfection.\r\nTable 7. Commands related to removing data/backups\r\nPrivilege Escalation\r\nDarkGate attempts to escalate privileges in two ways. One method uses PsExec to obtain SYSTEM\r\nprivileges (CVE-2021-1733), and the other is process hollowing.\r\nTable 8. 
Commands related to privilege escalation\r\nCrypto Mining\r\nAnalysis of the related binary was not possible because the additionally downloaded data could not be obtained. However,\r\nwe could get clues from information present in DarkGate itself. The cryptocurrency mining supported by\r\nDarkGate uses XMRig, which supports CPU and GPU mining, to mine Monero.\r\nTable 9. Commands related to mining\r\nInspect Network\r\nThese functions enable a proxy to intercept Internet traffic by setting the following registry values.\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\r\n— Key: ProxyEnable\r\n— Key: ProxyServer\r\nTable 10. Commands related to an Internet proxy\r\nGUI Control\r\nDarkGate supports remote control through the display. Attackers can use a virtual display via Hidden VNC or\r\nHidden AnyDesk, or use the originally installed display. It can also hide the process by running on top of the\r\nbrowser process.\r\nTable 11. Commands related to remote display\r\nReverse Shell\r\nDarkGate also supports traditional reverse shells. However, interaction with the reverse shell must be\r\ndone through DarkGate and is transmitted through command 1467. The shell executed here is the one\r\nspecified in the environment variable COMSPEC.\r\nTable 12. Commands related to reverse shell\r\nRun \u0026 Manage Processes\r\nDarkGate supports various ways to execute code or programs. 
Besides simply launching them, DarkGate\r\nsupports code injection, process hollowing, and PPID spoofing to avoid detection.\r\nTable 13. Commands related to processes\r\nManaging DarkGate\r\nAttackers can enable a test mode for some functions or debug messages to check DarkGate's status. It is also\r\npossible to update or remove DarkGate remotely.\r\nTable 14. Commands related to the DarkGate setting\r\nETC\r\nDepending on the state of the system, DarkGate supports functions to interrupt the user or to keep itself\r\nrunning. To turn off the monitor, it sends the SC_MONITORPOWER message via SendMessageA. To prevent\r\nsleep mode, it calls SetThreadExecutionState.\r\nTable 15. 
ETC commands\r\nConclusion\r\nDarkGate is malware that, once installed on a target computer, allows attackers to perform various\r\nactions such as information theft, cryptocurrency mining, and execution of arbitrary programs.\r\nDarkGate first appeared in 2017 and is sold only to a small number of attack groups in the form of\r\nMalware-as-a-Service through underground forums.\r\nThe DarkGate developer continues to update it by adding features and fixing bugs based on analysis results from security\r\nresearchers and vendors.\r\nGiven that the structure and functions of the malware are continuously changing, tracking\r\nthese changes will be necessary to prevent damage.\r\nReference\r\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\r\nhttps://decoded.avast.io/janrubin/meh-2-2/\r\nhttps://www.trellix.com/about/newsroom/stories/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/\r\nhttps://github.security.telekom.com/2023/08/darkgate-loader.html\r\nhttps://www.trendmicro.com/en_us/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html\r\nhttps://www.netskope.com/blog/new-darkgate-variant-uses-a-new-loading-approach\r\nAppendix A. 
IoCs\r\nFile hash (VBS)\r\na448c4abbb2f1844a8fa0c929cd84c2f6f57a4af0442a6a4b5307af89c35cef6\r\nbc80b13b639ee4b4a6a79555cb4daf3ec360682322ffae68c1272b5aed8b1593\r\ne2a8a53e117f1dda2c09e5b83a13c99b848873a75b14d20823318840e84de243\r\nFile hash (MSI)\r\n5b608a6729343cf8b6752d5bb201f906920fcb472f5949e04173b907f65ceff1\r\n6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70\r\n394ee7c88a0925698ce1a2e0268ca49404591eb5cdd961d657d785993212cd86\r\naa92f9692dfa98ba9ee991156612f2015c10a5ecf02b605b0b6d528827430601\r\nde2064d4363a3ccbda5518c619f1c803393b0876e349530583a72b1d1643c16a\r\n54f52ef506f6649c09838b9935aed223f0f320798e13fdb9541ffd1db3e08816\r\n9f48b63528a24a1241f0bc793e960d420314d595c9927e2294f4475c4be143cd\r\n9a7db0204847d26515ed249f9ed577220326f63a724a2e0fb6bb1d8cd33508a3\r\n23885818c2a665d5a57ba16acfe46db68258da619a8db3df8f069c0205ac648e\r\n9b9514d5af8a9c92e7596dc15aadba0defaedd9f08ec50a588279aa6f6b8ea80\r\n0e01bad874c61d09d09ce06f76f5e46f6648a1fc943644874c8e1a53a93af9a7\r\nc9b3e70c459be9643f764afd535976f9d308d098e1476013de431e7aea22b3e9\r\nbb37b05a34b2547941efdceee54ec8745e2ce7a7d5d0968c3b5c10274dc81880\r\n5be83d13f20b4a044a8c8281d13723a808555cdd73a7ddcec37422a4e44fbd4e\r\n4e48d4c355ceb58267a29fd3337b101722c805a7e53662816b73ce9b756ae321\r\nbde8e0c4bc687ea485fd4a00c86bd25ab14a04edf9b2bbc03808e9b86074717b\r\ncde0f0b6a29a11aa8a5a4ee543fd632cb460bc11927c7153c1f5f8664e474d23\r\n01e578a65a143c884f054c96574f2f9e203b49f47ebf74a0749ff484866b2eb7\r\n3a5e7ce24fc5a18843e4f877f5c704bf95eb90c039bc8d791273c191e4ca3242\r\n4325d78175a803fb6a1d235e8255816a07283501087e1b115f28c38b6b542856\r\nFile hash 
(CAB)\r\n22933b3ae7d125f312b6d1fe6356092cdcd1def6dca3ad128de65ba7986266ae\r\nf8fcf37ab1e391d1809c4b5baf00d669c4263682d99230432c5199bde5914a60\r\na3fc0ef279b5717d0b0dcbe25f8e543efee252cc116336a744968279ce9d3c29\r\n1776dcbc4a3f430dd5ace833aac80b0954a050e5a7dec164b53b62fbe72feab3\r\n59c026ed7f98aff21521b7a76845821aa5f1ce1a978d1c90404c073bd6310a1d\r\nacad12dd611551ee4cdfd9fba7dd06c1f6a7c4d8cd8619cbbafa3d8f88bde910\r\n659733a584c52078ac6b568dfb34a089bef2b3835a5ea737d32c1623a468b743\r\n7c6fa5cec54bc8afa51376db19c9c83d7c17f6e21ce761bfb1daeb7ad31d898d\r\n6610e152e07225c91a723f3b65e33af4b0df0d816dd69fe73f9d25dc0fc975d4\r\nb7874a778f21b2d21a2a2ab2c2ec4a7ae5042443e1d3f20a070424d628079056\r\n00dbb5f6bbb9c230fc0c7f7526b46d697850587b30d0b4f4d54106eb3a3d5410\r\nfa0a47360f68f211413d582d2c73035594a9191c2399c52612c940b45402065f\r\n2caa6b5e92ad4c772166860d428d388a4fa376c5adc439b10ee2f045e0a1b003\r\n2bf6b1dcb11e7e32b353e0c135aca9c979177d14aa9834119cd8e4c1a5b08562\r\n2d08809875f2cfcbe4538d11ee5537768beba0b7740e1785ac35fd90d32e5c25\r\n6bc0a512fa3d69c724c2a0aaea8f915795f9c0ef68617dbd32d3b78ee5cddc06\r\n70e79ddbcc5bb1f9d40133e4f3dbcea6362794854d47b6a2081f1439ff795dcd\r\n37ea8a57e3d3964448238aff31125381c7063b98e1fe0d83a20b315b70546c94\r\n6a81b3d6606bd5c4f9d3484719ec35fc6d2dedb902a85553705a71a6e1273104\r\nb2db96bae6065dbea52711c6f732a29bd39cbb4e81dde9e7d854d52cfb1970f0\r\nFile hash 
(AutoIt)\r\n8458a43245c6ff9e3d688a8393f692d3088bf5338ae810ff78b8b3a1d751a87e\r\n09bf1b88716c49a62cb4ff708f7ff4f09cb7c3ff42e58661802cd66f1a2a0311\r\n7999c9ba66c57b8f2932f54db723feeef411295f8ed6a6d403376278153745c6\r\n2ffb2a102df381c9688cc78c2cba4faa6a561d5aa78a9163888ebf7c73bdc8d0\r\n453e7fabfa2d6fca1f9a5b9edc456e46417d8fb76332d397a39fcc8e76ccf54f\r\n96c84918db77c8bc7d5080aca1b618f7ea7c824d27f67b2346364756f04b3226\r\n20cd543224dc3229dece35f018678a52fc98e533596e4995a5534bde0e7e161f\r\nf02928ec21ad8c600eef3e3a006581a3af858975cbc2ad29ba3dfdd1a78d3cb9\r\nc6bce64cf86ff6f6b52b9ffa8b8dc2283645b9f0cea7391117d5dd80c2092ce6\r\nb7c6b567eab740efa575826c94f4c9c552ed5894b8b3ef57e77959b740d8bec8\r\n1af981d9c5128b3657cdb5506d61563e0d1908b957e5dd6842059d6d3cfdc622\r\nb68736ce13dd44a60e7c462b4f451a4132187a0b76adf9cc201a1468379e7601\r\nb6b2b1773fbd354cc7fcf409f4b4208e570be077658c2a92ea59319c250d9f8c\r\nbd8fc787abfebba8d167e9979c2ec692f861ab21ea138c3381daa852a58677be\r\nfffa5abebf578cfc2200b4856889e397e412e56c5bff0032d2d7565d9286685f\r\n22d5fdd23ff4302517d5652375ee5ec3bfb28cb964015b3e9902d2398c908fd9\r\n684b3445349d8e08e2f2d33f3b30d509a3fde82cb798ccbad2726105301a9470\r\nda27475894815900fefb9d383de0d255bfa3b7a22927b2912a2d614742b3109c\r\n2b49ceb658da03b30d38ee2dc46bcf2bb85af728cece29f8c30d7c1a92c1ad09\r\naf85ace1fd89e4c76efdda065cc2fc44de987bfd75f9f6850610327526c97d4b\r\n063ea8cd25e166182ef68ab1b1157e6448caccaa89cf0f0166c08c21501bf273\r\n9a19aa451bb9974c05e616bf02762ee001cc02669aca15150199415e5e190f01\r\n3c520028ad9dbf10e5a94023fbbd5ca7134802a6def3fae427f70620c12f8988\r\nbd9426beaee1c5908b0f71b31539ae4fe3ffed155ab00041b543d48fda3f1654\r\n6345b02dc1606522232ac853a0e2599d166aef91ae1d7f4d4104d184273dc1e8\r\nfeeddfb2a7cc4945eaedd8f75907c42ff097252c3e38d7ef2006bd7a191f09ae\r\nb15e4b4fcd9f0d23d902d91af9cc4e01417c426e55f6e0b4ad7256f72ac0231a\r\n7d2c98c8d667891c33119d314d1945c285e2a28701970532f6272cad91f59028\r\nf1fa42c3d50d4468b9ac3f7e5cdb1160c8f7ed7bbb6e4017859b837dac7e8d93\r\na2be457dc7fc5d56
62e5db1b51b77094898449fedab7b1a9f837c093c249c5ba\r\ncb93d34f34e5e999705fd5d17d6725b452c57bc799fc835899e4af9330f4169f\r\nd2b24a51e7e12fded160344bbac9ee1a9082b690d0c6f326170ea8a224038215\r\naa5cb7f6ccb5470ff643cfcba9254263c9db9e7a84984d30166cc14945e219f2\r\n3b271f7f34255146366ab7c7d916fa5ab3b1accfc4b0f3d727e16690cfb7ad3a\r\n2f342c83cc564e0110f2c0a32a3259f0ef624cd47c50d82000b308411a402c17\r\n8ff356af97443bd2b028eb57f160a92c2a1ecab2d227977a87a221ae6409c4be\r\n1239ab2c5b8f4445353eacba276938c9cce9711a643851db8979728defc5a3ee\r\na63bce69103155accf3c836e7bedf155bee789276624def8713a4431d6562883\r\n1d256c2fd442e69120cdf8d12d7bd865f058ec667e2119a66259fc9052dbaa36\r\n9e398fb049ae1cf95976ba1c80280cb3f78833569fe7fc5c1ba93c7e57c00fac\r\n284458ee75b1d1c2f07ad9fe3a811589360c23092852b2b80a67d2e25e06b269\r\n2d8f91bb2359c13abf0ff31af101fc6ecb39849350fbfde015b549e97c8877d5\r\n7837e71f9bf00f48ab5336ed8647b116471561181069b79d29dbaee0e951ded7\r\n6a9e7b47bec075225861d61cf20555c38a17b7b9ff46ff85de7f6791c548cc2e\r\ncefc06b2bec8d175eaa9bf3f91c8246731811a8ad7b52af336478655dbc70039\r\n4aea930309b590d34488187a8c9cb31b83ff1faa2ff4d27606e50fac3a0db742\r\n975d1510380171076b122cd556a1a05bd1eca33b98a9fd003fb3662cb8c83571\r\n2f5af97b13b077a00218c60305b4eee5d88d14a9bd042beed286434c3fc6e084\r\nFile hash 
(DarkGate)\r\n00985db874d9177de4a18999f7a420260b3a4665ba2b5b32aa39433ef79819df\r\n0f1545a7176c45b0e7f9198cac8972167e5846e8b84cd40926f7edf338eeace2\r\n10bfaeb0c00425c4749140d5c7d9f3d88537cf2f621ba7af5322b15cf205b896\r\n2b24c4c883a562d0326846ee1c92840144d1d755cdb721b24a35038ea92aa0e4\r\n6750f31ef5e1fe74c1121b0ab1308f93e09505a63322b6ce16fe04099ce8993e\r\n73c0d0f220a30b541e0855e8039b8050d1332ff03c3e0c8a35671bd5eb9d30be\r\n74729d4569691daf72e23849e91461471411f551639663e11e1091a48790611e\r\n74f21cf5ab72aad0f7f3cf3274a167c20e787f9513019510561f39d4230f3c4b\r\nbc5ad215876055a8a6a097579e16d24e233a323a6157afbb6db49705ac12a1f1\r\nbec37877e3bffa222efb5c5680c7defd2d917317293d7fa70e0882ad45290a40\r\ne7b76e11101e35c46a7199851f82c69e819a3d856f6f68fa3af0636c3efde0ca\r\n3340013b0f00fe0c9e99411f722f8f3f0baf9ae4f40ac78796a6d4d694b46d7b\r\n0c3ef20ede53efbe5eebca50171a589731a17037147102838bdb4a41c33f94e5\r\n52c47a529e4ddd0778dde84b7f54e1aea326d9f8eeb4ba4961a87835a3d29866\r\nb0542a719c6b2fc575915e9e4c58920cf999ba5c3f5345617818a9dc14a378b4\r\ndadd0ec8806d506137889d7f1595b3b5447c1ea30159432b1952fa9551ecfba5\r\nc88eab30fa03c44b567bcb4e659a60ee0fe5d98664816c70e3b6e8d79169cbea\r\n2264c2f2c2d5a0d6d62c33cadb848305a8fff81cdd79c4d7560021cfb304a121\r\n3c68facf01aede7bcd8c2aea853324a2e6a0ec8b026d95c7f50a46d77334c2d2\r\na146f84a0179124d96a707f192f4c06c07690e745cffaef521fcda9633766a44\r\nabc35bb943462312437f0c4275b012e8ec03899ab86d353143d92cbefedd7f9d\r\n908f2dfed6c122b46e946fe8839feb9218cb095f180f86c43659448e2f709fc7\r\n3491bc6df27858257db26b913da8c35c83a0e48cf80de701a45a30a30544706d\r\n1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7\r\n567d828dab1022eda84f90592d6d95e331e0f2696e79ed7d86ddc095bb2efdc8\r\n99f25de5cc5614f4efd967db0dae50f20e2acbae9e98920aff3d98638b9ca1f1\r\nde3f49e68c45db2f31d1cc1d10ff09f8cfce302b92a1f5361c8f34c3d78544e5\r\n68952e8c311d1573b62d02c60a189e8c248530d4584eef1c7f0ff5ee20d730ab\r\nd4e766f81e567039c44ccca90ef192a7f063c1783224ee4be3e3d7786980e236\r\n5e94aa172460e74293db106a98327778ae2d32c6ce6592857a1ec0c581543572\r\nNetwork (C2 List)\r\ninfocatalog.pics\r\nbikeontop.shop\r\npositivereview.cloud\r\ndreamteamup.shop\r\nwhatup.cloud\r\nthebesttime.buzz\r\nmsteamseyeappstore.com\r\n107.181.161.200\r\n80.66.88.145\r\nprivate-edinmarketing.com\r\n167.114.199.65\r\nreactervnamnat.com\r\n89.248.193.66\r\nxfirecovery.pro\r\nnaserviceebaysmman.shop\r\n185.8.106.231\r\n149.248.0.82\r\n45.89.65.198\r\ndrkgatevservicceoffice.net\r\n5.188.87.58\r\n5.34.178.21\r\n185.39.18.170\r\n179.60.149.3\r\nsanibroadbandcommunicton.duckdns.org\r\nakamai.la\r\nhardwarenet.cc\r\nec2-14-122-45-127.compute-1.amazonaws.cdnprivate.tel\r\nawsamazon.cc\r\nbattlenet.la\r\na40-77-229-13.deploy.static.akamaitechnologies.pw\r\na-1bcdn.com\r\n185.143.223.64\r\navayacloud.com.global.prod.fastly.net\r\nintranet.mcasavaya.com\r\nonlysportsfitnessam.com\r\nmarketisportsstumi.win\r\ncoocooncookiedpo.com\r\nwmnwserviceadsmark.com\r\n161.35.113.5\r\nAppendix B. 
MITRE ATT\u0026CK\r\nInitial Access\r\nPhishing: Spearphishing Attachment (T1566.001)\r\nExecution\r\nUser Execution: Malicious File (T1204.002)\r\nPersistence\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)\r\nPrivilege Escalation\r\nExploitation for Privilege Escalation (T1068)\r\nProcess Injection: Process Hollowing (T1055.012)\r\nDefense Evasion\r\nAccess Token Manipulation: Parent PID Spoofing (T1134.004)\r\nHijack Execution Flow: DLL Side-Loading (T1574.002)\r\nIndicator Removal: File Deletion (T1070.004)\r\nProcess Injection: Process Hollowing (T1055.012)\r\nCredential Access\r\nCredentials from Password Stores (T1555)\r\nCredentials from Password Stores: Credentials from Web Browsers (T1555.003)\r\nSteal Application Access Token (T1528)\r\nSteal Web Session Cookie (T1539)\r\nDiscovery\r\nProcess Discovery (T1057)\r\nBrowser Information Discovery (T1217)\r\nFile and Directory Discovery (T1083)\r\nSystem Information Discovery (T1082)\r\nCollection\r\nArchive Collected Data: Archive via Utility (T1560.001)\r\nData from Local System (T1005)\r\nInput Capture: Keylogging (T1056.001)\r\nCommand and Control\r\nApplication Layer Protocol: Web Protocols (T1071.001)\r\nData Encoding: Non-Standard Encoding (T1132.002)\r\nRemote Access Software (T1219)\r\nExfiltration\r\nExfiltration Over C2 Channel (T1041)\r\nImpact\r\nSystem Shutdown/Reboot (T1529)\r\nSource: https://medium.com/s2wblog/detailed-analysis-of-darkgate-investigating-new-top-trend-backdoor-malware-0545ecf5f606",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/s2wblog/detailed-analysis-of-darkgate-investigating-new-top-trend-backdoor-malware-0545ecf5f606"
	],
	"report_names": [
		"detailed-analysis-of-darkgate-investigating-new-top-trend-backdoor-malware-0545ecf5f606"
	],
	"threat_actors": [],
	"ts_created_at": 1775791200,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc7db75a8ef443911a3ffabb1ef490ebf7b4a73e.pdf",
		"text": "https://archive.orkl.eu/bc7db75a8ef443911a3ffabb1ef490ebf7b4a73e.txt",
		"img": "https://archive.orkl.eu/bc7db75a8ef443911a3ffabb1ef490ebf7b4a73e.jpg"
	}
}