{
	"id": "184917df-d703-45f4-828a-4ad68aa01678",
	"created_at": "2026-04-06T00:21:05.451827Z",
	"updated_at": "2026-04-10T13:12:19.088534Z",
	"deleted_at": null,
	"sha1_hash": "f1de580f28306ed252940ed03d96784f19d0a08f",
	"title": "How To Decode Visual Basic (.vbs) Malware - DarkGate Loader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2333700,
	"plain_text": "How To Decode Visual Basic (.vbs) Malware - DarkGate Loader\r\nBy Matthew\r\nPublished: 2023-10-16 · Archived: 2026-04-05 17:09:37 UTC\r\nThis post will demonstrate a process for decoding and demystifying a simple DarkGate loader .vbs script. The script employs minimal obfuscation and is not particularly complex; however, it does deploy some decoy tactics which can be tricky to navigate and may throw off an inexperienced analyst.\r\nThis post will demonstrate some basic techniques for removing decoy code and identifying the final intended functionality of a malicious .vbs script.\r\nThe sample hash is 3a586493131b5a1784e7da751f12fd992bc41f300a28dcc5021d2127d33cb8bc and can be found on Malware Bazaar.\r\nInitial Analysis\r\nI have first downloaded the file and unzipped it using the password infected.\r\nInitial analysis with detect-it-easy shows that it is a plaintext file, so we can largely continue analysis with a text editor. I will be using Notepad++.\r\nhttps://embee-research.ghost.io/decoding-a-simple-visual-basic-vbs-script-darkgate-loader/\r\nPage 1 of 11\r\nAn initial review of the strings shows some comments suggesting that the file is related to a legitimate Windows driver script.\r\nThis is used to throw off an inexperienced analyst who may (in a rush) assume that the script is legitimate.\r\nReviewing a Malware Script Inside a Text Editor\r\nSince the file is in plaintext, we can proceed by opening the file in a text editor. This will allow us to investigate further and determine if the script is legitimate or contains some kind of malicious functionality.\r\nThe file initially looks something like this. Note how there is no text highlighting, as the initial file did not have a file extension.\r\nI always try to add text highlighting as it can significantly improve the readability of the script being analyzed.\r\nWe can use the dropdown menu to enable Visual Basic highlighting.\r\nIt can be a slight art to know which language to choose for text highlighting. In this case I know to use Visual Basic because of the use of ' at the start of each of the initial lines. This is the Visual Basic method of declaring a comment.\r\nAfter looking at a few scripts you'll get a feel for which language is which, usually based on comment styles and the ways that variables are created. You can also just guess; incorrect highlighting is often better than no highlighting.\r\nAfter enabling text highlighting, the script now looks significantly better. We can clearly see which lines are comments and which lines contain code.\r\nThe initial piece of the script file contains a bunch of comments; these don't add to functionality at all and can be removed later. They are essentially a decoy used to throw off strings analysis.\r\nScrolling down, we can also see a bunch of variable creations. These also contain junk strings that don't add to functionality.\r\nScrolling down more, we can see a small blob of code that contains a URL and appears to be slightly obfuscated. This is the main piece of code that we are interested in.\r\nCleaning Up the Script\r\nBefore analysing the \"malicious\" section, we can clean up the rest of the script. This makes it easier to view the malicious section and can reveal other smaller malicious parts that may have been missed.\r\nTo do this, we will perform two actions.\r\nRemove the junk comments\r\nRemove the junk variables.\r\nTo remove the junk comments, we will use a simple regex and the replace function of Notepad++ (CTRL+H).\r\nCleaning Up Malware Scripts Using Regex\r\nLet's break down that regex. The aim is to completely remove any line that starts with a ' comment.\r\n^ - only look at the start of each line\r\n' - look for a ' at the start of each line\r\n.* - grab everything that comes after the '\r\n\\r\\n - grab any newlines at the end of each line that we remove.\r\nAfter hitting enter, the script has been reduced to 143 lines from 191. The initial part of the script now looks like this.\r\nNot perfect, but much better.\r\nNow we want to remove the const variables, which largely appear to be junk.\r\nTo do this, we can add another regex. We can essentially re-use the same regex, swapping out the ' for const. This will completely remove any line that starts with const.\r\nAfter hitting enter, 87 lines are removed from the code.\r\nThere are a few empty lines that don't add any value to the code. You can go ahead and remove these manually or with a regex.\r\nThis leaves 34 lines, and the script is significantly more readable than before.\r\nNow it's relatively intuitive to see that a command is executed which calls out to the URL and downloads a file.\r\nHowever, I will instead show some ways of cleaning up the file even further.\r\nManually Editing A Script To Improve Readability\r\nThe first step is to rename variables like this to something more meaningful.\r\nWe have renamed lxwpges to shell_application\r\nWe won't go into details about renaming every single variable. It largely doesn't matter what you pick, as long as the new variable names provide some kind of meaning to you.\r\nHere is an example where we have renamed the remaining values.\r\nIt's now easy to see the script contains the following \"True\" functionality.\r\nCreates a web request object\r\nPerforms some junk to display or not display a message box\r\nCreates a shell application object (used to launch commands)\r\nMakes a web request to a URL\r\nUses ShellExecute to execute the response from the web request (indicating the result is most likely another script)\r\nNow at this point, you could go ahead and perform some manual cleaning up. This would leave you with something like this.\r\nNow you could go ahead and analyse the malicious domain or go hunting for indications of successful execution in your environment. These indicators could be the domain/URL, or potentially the command being executed by cmd at the end.\r\nConclusion\r\nThe script is now cleaned up and significantly easier to read. We have removed basic forms of obfuscation used to throw off analysis, and have reduced the script from 191 lines down to only 13.\r\nAlthough this obfuscation was very basic, hopefully you've learnt a new technique or two for analysing script malware.\r\nIf you found this useful, consider signing up for the site. Signing up will provide you with access to a Discord server, bonus content and early access to future posts.\r\nSource: https://embee-research.ghost.io/decoding-a-simple-visual-basic-vbs-script-darkgate-loader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://embee-research.ghost.io/decoding-a-simple-visual-basic-vbs-script-darkgate-loader/"
	],
	"report_names": [
		"decoding-a-simple-visual-basic-vbs-script-darkgate-loader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434865,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1de580f28306ed252940ed03d96784f19d0a08f.pdf",
		"text": "https://archive.orkl.eu/f1de580f28306ed252940ed03d96784f19d0a08f.txt",
		"img": "https://archive.orkl.eu/f1de580f28306ed252940ed03d96784f19d0a08f.jpg"
	}
}