{
	"id": "15afdaea-7f5a-44de-9c67-5bf6390a97e7",
	"created_at": "2026-04-06T00:20:12.579339Z",
	"updated_at": "2026-04-10T13:11:58.155099Z",
	"deleted_at": null,
	"sha1_hash": "f496bd6b024cd286a4255a7ace6117a96bcc725c",
	"title": "Inside DarkGate: In-Depth Technical Analysis of the Malware-as-a-Service Threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6716836,
	"plain_text": "Inside DarkGate: In-Depth Technical Analysis of the Malware-as-a-Service Threat\r\nBy Sapir Twig\r\nPublished: 2025-06-29 · Archived: 2026-04-05 16:26:25 UTC\r\nhttps://medium.com/@sapirtwig/inside-darkgate-in-depth-technical-analysis-of-the-malware-as-a-service-threat-76f32d51e2d2\r\nPage 1 of 29\r\nIntroduction\r\nIn this report, I present an extensive, step-by-step static analysis of a real-world sample of the DarkGate Remote Access Trojan (RAT), a sophisticated and highly modular malware that has become emblematic of the Malware-as-a-Service (MaaS) threat landscape. Originally discovered in 2018, DarkGate has evolved to incorporate a broad spectrum of malicious capabilities, including but not limited to remote desktop control, credential theft, keylogging, file exfiltration, cryptomining, and advanced anti-analysis features.\r\nThis document details my methodology, findings, and interpretations derived from a deep static analysis using open-source tools. The goal is to illuminate both the technical mechanisms underlying DarkGate’s operations and the analytical workflow required to dissect such a complex threat.\r\nSummary \u0026 Key Highlights\r\nIdentified advanced RAT capabilities, including keylogging, remote desktop control, credential theft, audio recording, and file exfiltration.\r\nPerforms in-memory code injection using NtWriteVirtualMemory, avoiding disk artifacts.\r\nImplements sophisticated anti-debugging and anti-forensics techniques, checking for common analysis tools.\r\nEstablishes stealthy C2 communication via dynamically loaded Winsock APIs, using legitimate-looking User-Agent strings.\r\nLeverages cmdkey and NirSoft tools to exfiltrate browser and email credentials.\r\nAchieves persistence via registry keys, startup folders, and scripting tools like AutoHotkey/AutoIt.\r\nExtracted numerous IOCs, including registry keys, suspicious strings, filenames, directories, and network indicators.\r\nSample Details\r\nMD5 Hash: 2143d7603258b2801f7ed154b5da3da6\r\nSHA256 Hash: 3c64cbb7e7212d920322dae62665b05ceb63a0ad6074cac3ba518cedc5c6dd48\r\nFile Size: 64 bytes (suggesting a loader or dropper, clarified through further analysis)\r\nFigure: DarkGate Malware Infection Flow\r\nMy workflow began with a high-level triage to understand the file’s structure, packing, and surface-level capabilities, followed by a systematic function-by-function reverse engineering process to uncover deeper behavioral logic and evasion techniques.\r\nStatic Analysis and Reverse Engineering Findings\r\n1. Initial File Assessment\r\nCompiler and Obfuscation:\r\nDIE identified Borland Delphi (Object Pascal) as the compiler, with no known commercial packers detected. However, entropy analysis revealed a value of 6.51 in the CODE section, a strong indicator of custom obfuscation or packing.\r\nDetect It Easy — Malware information\r\nMalware entropy analysis\r\nAPI Imports and Capabilities:\r\nPeStudio highlighted the presence of APIs associated with process injection (WriteProcessMemory, CreateRemoteThread, VirtualAllocEx), keylogging (GetAsyncKeyState, keybd_event, GetCursorPos), file and clipboard manipulation (ReadFile, WriteFile, CreateFileA/W, OpenClipboard, GetClipboardData), and audio capture (waveInOpen, waveInStart). These imports collectively suggest a RAT with extensive surveillance, data theft, and persistence capabilities.\r\nDetected APIs indicate injection, key-logging, and data access capabilities - pestudio\r\nMalware imports table - IDA\r\n2. Registry and Environment Inspection\r\nOne of the earliest behaviors observed is the malware’s access to the Windows registry, specifically targeting the key SOFTWARE\\Borland\\Delphi\\RTL and querying the value FPUMaskValue using RegOpenKeyExA and RegQueryValueExA. This serves multiple purposes:\r\nConfiguration Retrieval: Potentially fetching runtime configuration or operational parameters.\r\nAnti-Analysis: Checking for specific registry values may help the malware identify analysis environments or sandboxes.\r\nAttribution: The focus on Borland Delphi keys further confirms the compiler and development environment used for the malware.\r\nRegistry read from Delphi-specific key via RegQueryValueExA\r\n3. Path Manipulation and Anti-Static Analysis\r\nThe function sub_405A20 is dedicated to resolving and manipulating filesystem paths. By dynamically loading GetLongPathNameA from kernel32.dll at runtime, DarkGate avoids static detection of its API usage. The function converts short DOS-style paths to their canonical long forms and verifies their existence using FindFirstFileA. It also handles UNC paths (\\\\server\\share), suggesting readiness for network propagation or interaction with shared resources. The use of conditional logic and string operations (lstrcpynA) reveals a deliberate effort to evade static analysis and adapt to varying system configurations.\r\nUses GetLongPathNameA and FindFirstFileA to resolve file paths dynamically\r\n4. Process and Memory Enumeration\r\nThe routine sub_40F7C8 demonstrates DarkGate’s advanced system reconnaissance abilities. By dynamically resolving APIs such as CreateToolhelp32Snapshot, Process32First/Next, Thread32First/Next, Module32First/Next, and Toolhelp32ReadProcessMemory, the malware gains the ability to:\r\nEnumerate all running processes, threads, and loaded modules.\r\nRead memory from other processes, laying the groundwork for process injection, credential theft, and lateral movement.\r\nEvade static detection by resolving these APIs only at runtime, a hallmark of sophisticated malware.\r\nToolHelp32 APIs resolved at runtime to enumerate system components\r\n5. Variant and COM Data Handling\r\nThe function sub_410028 loads numerous OLE automation APIs (e.g., VariantChangeTypeEx, Var*FromStr, VarBstrFrom* from oleaut32.dll). This empowers DarkGate to:\r\nSeamlessly convert and process various data types (numbers, dates, strings).\r\nInteract with COM objects and potentially parse complex C2 commands.\r\nEnhance its adaptability and flexibility in handling data received from or sent to its operators, making it more resilient to changes in C2 protocols or payload formats.\r\nLoads Variant APIs from oleaut32.dll to parse dynamic data types\r\n6. Security Software Evasion\r\nDarkGate systematically checks for directories and files associated with a wide array of antivirus products (Bitdefender, SentinelOne, Avast, AVG, Kaspersky, Norton, Symantec, Trend Micro, McAfee, SUPERAntiSpyware, Comodo, MalwareBytes, among others). This is a classic evasion technique:\r\nDetection Avoidance: If security software is detected, DarkGate may alter its behavior, disable certain features, or even uninstall itself to avoid detection.\r\nPersistence: By ensuring it does not operate in hostile environments, the malware increases its chances of long-term persistence.\r\nChecks for antivirus and forensic tools in system directories\r\n7. Stealthy Network Communication\r\nThe function sub_41CAC0 dynamically loads Winsock APIs (WSAStartup, send, recv) from ws2_32.dll at runtime. This approach provides:\r\nEvasion: Avoids static detection by security solutions scanning for networking imports.\r\nFlexibility: Allows the malware to establish covert C2 channels, exfiltrate data, and receive commands while blending in with legitimate network traffic.\r\nWinsock APIs resolved dynamically\r\nFurthermore, DarkGate crafts its C2 traffic to mimic legitimate web traffic by:\r\nUsing port 8080 (commonly associated with web services).\r\nEmbedding a full “Mozilla/5.0…” User-Agent string.\r\nThis enables its malicious communications to blend seamlessly into normal web traffic, significantly increasing its chances of bypassing network security measures.\r\nHTTP headers mimic browser traffic\r\n8. Code Injection and Memory Residency\r\nThe function sub_427EE4 leverages low-level Windows APIs (NtWriteVirtualMemory, NtProtectVirtualMemory) to inject malicious code into other processes. This technique provides:\r\nIn-Memory Execution: Allows the malware to run without ever touching disk, making detection and forensic analysis much more difficult.\r\nPersistence: Maintains control over the infected system even if the original process is terminated.\r\nInjects shellcode using NtWriteVirtualMemory \u0026 runs in-memory.\r\n9. Persistence Mechanisms\r\nDarkGate ensures its continued execution through multiple persistence strategies:\r\nFile System: Uses SHGetSpecialFolderPathW with CSIDL_STARTUP and CSIDL_DESKTOP to locate standard Windows directories, then moves or copies itself using SHFileOperationW to these locations for automatic execution on startup or user login.\r\nRegistry: Attempts to create entries under SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run to guarantee launch at every system boot.\r\nScripted Execution: Tries to run AutoHotkey.exe or AutoIt3.exe with malicious scripts, leveraging legitimate automation tools to evade detection and facilitate persistence.\r\nSHGetSpecialFolderPathW and SHFileOperation used for startup persistence.\r\nAutoHotkey.exe or AutoIt3.exe with malicious scripts\r\n10. Anti-Debugging and Anti-Analysis\r\nDarkGate employs a robust set of anti-analysis techniques:\r\nDebugger Detection: The function sub_42D594 checks for the presence of debugging tools, introduces execution delays (Sleep), and manipulates files/processes to frustrate analysis.\r\nSecurity Tool Scanning: The function sub_42DB04 searches for popular security and analysis tools (Malwarebytes, Avast, Wireshark, Process Monitor, Autoruns, Task Manager, Regedit, etc.) in multiple languages. If found, the malware may terminate, hide, or alter its behavior to avoid detection, significantly complicating the work of analysts.\r\nsub_42D594 checks for the presence of debugging tools\r\nDarkGate checks for tools like Wireshark, ProcMon, and Regedit. The code includes delays (Sleep) and behavior change triggers if tools are detected.\r\n11. Configuration and Debug Modes\r\nThe initialization routine sub_42F7A0 sets up operational directories within C:\\ProgramData\\ (e.g., mainfolder, logsfolder, settings). It checks for a “debug mode” flag and attempts to connect to 127.0.0.1:8094 — likely a local C2 test or fallback channel. If debug mode is disabled, it loads configuration parameters (such as C2 domains, notification settings, and epoch values) from files or the registry, validating port values and preparing for subsequent network communication.\r\nThe screenshot shows 127.0.0.1:8094 being used as a potential debug/test C2\r\n12. Browser Data and Cookie Theft\r\nDarkGate aggressively targets browser data:\r\nDirectory Scanning: Searches for “chrome”, “edge”, and “brave” directories, specifically seeking “User Data” and “Default\\Network\\Cookies” paths.\r\nProfile Iteration: Iterates through multiple browser profiles to locate and exfiltrate cookies.\r\nSession Hijacking: By stealing cookies, DarkGate can bypass password-based authentication, enabling attackers to hijack user sessions on various platforms without needing actual credentials.\r\nThis function locates browser profiles and cookie storage paths (Network\\Cookies) for exfiltration\r\n13. Browser Manipulation and Cleanup\r\nThe function sub_456268 manages directories associated with Firefox, Chrome, Brave, and Opera. It uses cmd.exe to move or rename browser directories and delete files, employing Sleep calls to wait for completion. This serves multiple purposes:\r\nData Theft: Steals browser data before cleanup.\r\nAnti-Forensics: Deletes evidence to hinder recovery and post-infection analysis.\r\nAdaptability: The use of generic directory operations allows the malware to operate across different browser installations and user environments.\r\nThe malware uses cmd.exe to rename or delete browser directories\r\n14. Credential Theft via cmdkey and NirSoft Tools\r\nWindows Credentials:\r\nThe subroutine sub_456720 interacts directly with Windows credential management using cmdkey. It lists credentials to a temporary file and then deletes them, logging actions and waiting for operations to complete. This is a clear data exfiltration step, targeting stored Windows credentials for lateral movement or privilege escalation.\r\nDarkGate uses cmdkey to extract and delete Windows credentials.\r\nBrowser and Email Credentials:\r\nThe functions sub_4571CC and sub_45726C automate the use of NirSoft’s Mail PassView and WebBrowserPassView, extracting stored passwords from email clients and web browsers. This demonstrates DarkGate’s ability to leverage legitimate tools for malicious purposes, maximizing credential theft with minimal custom code.\r\n15. Audio Recording\r\nThe function sub_4577E0 enables DarkGate to record audio from the victim’s microphone. By calling Windows multimedia APIs (waveInOpen, waveInPrepareHeader, waveInAddBuffer), the malware initializes audio input, sets up buffers, and starts capturing sound. This capability extends DarkGate’s surveillance reach, allowing attackers to eavesdrop on conversations and ambient sounds in the victim’s environment.\r\nWaveIn API calls (e.g., waveInOpen) initialize audio capture from the system microphone\r\nDarkGate Malware — Key Functions and Capabilities\r\n| Function | Purpose | API Usage\r\n|----------------|----------------------------------------|------------------------------------------\r\n| sub_405A20 | Path resolution \u0026 evasion | `GetLongPathNameA`, `FindFirstFileA`, `ls\r\n| sub_40F7C8 | Process/thread/module enumeration | `CreateToolhelp32Snapshot`, `Process32Fi\r\n| sub_410028 | COM and data type handling | `VariantChangeTypeEx`, `VarBstrFromStr`,\r\n| sub_41CAC0 | C2 communication setup | `WSAStartup`, `send`, `recv`, HTTP heade\r\n| sub_427EE4 | Code injection \u0026 memory execution | `NtWriteVirtualMemory`, `NtProtectVirtual\r\n| sub_42D594 | Anti-debugging detection | `Sleep`, debugger tool checks\r\n| sub_42DB04 | Anti-analysis \u0026 security tool scanning | Strings: `Wireshark`, `Procmon`, `Regedit\r\n| sub_42F7A0 | Debug mode \u0026 configuration loading | `CreateDirectoryW`, `GetPrivateProfileSt\r\n| sub_456720 | Windows credential theft | `cmdkey /list`, file output, `cmdkey /del\r\n| sub_4571CC | Browser credential theft | `Mail PassView`, `WebBrowserPassView` aut\r\n| sub_45726C | Email password theft | `Mail PassView` usage\r\n| sub_4577E0 | Audio recording from microphone | `waveInOpen`, `waveInStart`, `waveInAddBu\r\n| sub_456268 | Browser data deletion \u0026 cleanup | `cmd.exe`, `del`, `move`, `Sleep`\r\n| sub_42C98C | Persistence via filesystem | `SHGetSpecialFolderPathW`, `SHFileOperati\r\n| sub_42E03C | Persistence via AutoHotkey | `AutoHotkey.exe`, `.ahk`/`.a3x` scripts,\r\nMITRE ATT\u0026CK Mapping\r\n| MITRE ID | Technique | Description\r\n|--------------|-------------------------------------------|-----------------------------------------\r\n| T1566.001 | Phishing: Spearphishing Attachment | Initial infection via malicious email w\r\n| T1059.005 | Command \u0026 Scripting: AutoIt | Uses AutoIt scripts for persistence and\r\n| T1055 | Process Injection | Injects shellcode using NT API calls.\r\n| T1027 | Obfuscated Files or Information | High entropy and dynamic API resolution\r\n| T1562.001 | Disable or Modify Tools | Detects tools like Wireshark and Proces\r\n| T1056.001 | Input Capture: Keylogging | Logs keystrokes and cursor activity.\r\n| T1555.003 | Credentials from Web Browsers | Extracts saved passwords using NirSoft\r\n| T1005 | Data from Local System | Harvests cookies and credential files f\r\n| T1071.001 | Application Layer Protocol: Web Protocols | C2 communication over HTTP using spoofe\r\n| T1547.001 | Registry Run Keys / Startup Folder | Establishes persistence via registry an\r\n| T1123 | Audio Capture | Records audio through Windows multimedi\r\nDarkGate IOCs List\r\nRegistry Keys\r\nSOFTWARE\\Borland\\Delphi\\RTL\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\r\nControl Panel\\Desktop\\WindowMetrics\r\nPersistence \u0026 Execution Artifacts\r\nAutoHotkey.exe\r\nAutoit3.exe\r\nMicrosoft\\Windows\\Start Menu\\Programs\\Startup\\\r\nCredential and Data Theft\r\ncmdkey /list \u003e\r\ncmdkey /delete:\r\nMail PassView, MailPassView\r\nNetwork Password Recovery\r\nNetPass\r\nDefault\\Network\\Cookies\r\nGoogle\\Chrome\\User Data\\\r\nBraveSoftware\\Brave-Browser\\User Data\\\r\nMicrosoft\\Edge\\User Data\\\r\nMozilla\\\r\nOpera Software\r\nAV/EDR Detection \u0026 Evasion\r\nBitdefender\r\nAvast\r\nAVG\r\nKaspersky\r\nNorton\r\nPanda Security\r\nMalwareBytes\r\nSentinelOne\r\nESET\r\nAvira\r\nF-Secure\r\nMcAfee\r\nComodo\r\nIObit Malware Fighter\r\nEmsisoft\r\nQuick Heal\r\nG DATA\r\nSophos\r\nByteFence\r\nFile System \u0026 Temporary Artifacts\r\nC:\\Program Files\\Bitdefender\r\nC:\\Program Files\\AVAST Software\r\nC:\\Program Files\\AVG\r\nC:\\Program Files\\Kaspersky Lab\r\nC:\\Program Files\\Malwarebytes\r\nC:\\Program Files\\SentinelOne\r\nC:\\Program Files (x86)\\Avira\r\nC:\\Program Files (x86)\\F-Secure\r\nC:\\Program Files\\Quick Heal\r\nC:\\Program Files\\ESET\r\nC:\\Program Files\\Emsisoft\r\nC:\\Program Files\\G DATA\r\nC:\\Program Files\\Sophos\r\nC:\\ProgramData\\Bitdefender\r\nC:\\ProgramData\\AVAST\r\nC:\\ProgramData\\AVG\r\nC:\\ProgramData\\Kaspersky Lab\r\nC:\\ProgramData\\ESET\r\nC:\\ProgramData\\Emsisoft\r\nC:\\ProgramData\\G DATA\r\nC:\\ProgramData\\Sophos\r\nC:\\temp\\\r\nCommand-Line \u0026 Process Injection\r\n/c cmdkey /list \u003e\r\n/c cmdkey /delete:\r\n/c del /q /f /s\r\n/c ping 127.0.0.1 \u0026 del /q /f /s c:\\temp \u0026 del /q /f /s\r\n/c cd /d \\\r\n/c shutdown -f -r -t 0\r\n/c shutdown -f -s -t 0\r\nC2 Communication \u0026 Network\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 (User-Agent)\r\nHTTP/1.0, HTTP/\r\nAuthorization: Basic\r\nProxy-Authorization: Basic\r\n127.0.0.1\r\n0.0.0.0\r\n255.255.255.255\r\nOther Notable Strings\r\n:::Clipboard::: (clipboard data marker)\r\n.0xCrypt (potential cryptographic or obfuscation marker)\r\nBuild\r\nEPOCH\r\nNOTIFICATIONS\r\nFile Names and Dropped Artifacts\r\nccleaner, system config, malwarebytes, farbar recovery, avast, startup, rootkit, autoruns, editor de registro, editor del registro, registry editor, gerenciador de tarefas, zhpcleaner, task manager, junkware removal, administrador de tareas, hijackthis, tcpview, process monitor, wireshark, taskmanager\r\nPhishing and lure files: Navigating Future Changes October 2023.pdf.msi, clarify_27-May_{6 random digits}.html, Job description_salary_policy_marketing products_new_list_2023.zip\r\nTemporary/working directories: C:\\test\\, C:\\ProgramData\\cccddcb\\\r\nConclusion\r\nDarkGate is a stealthy and modular malware that combines persistence, credential theft, and evasion in a compact MaaS package. Even with static analysis alone, it was possible to uncover key capabilities like AutoIt-based persistence, C2 communication, and data exfiltration. These findings highlight the malware’s sophistication and the value of manual reverse engineering.\r\nReferences\r\nSource: MalwareBazaar\r\nVirusTotal Report: View on VT\r\nInitial Behavior: Sandbox execution (ANY.RUN) shows immediate downloader behavior, rapid persistence establishment, and swift command-and-control (C2) initiation within seconds of launch.\r\nSource: https://medium.com/@sapirtwig/inside-darkgate-in-depth-technical-analysis-of-the-malware-as-a-service-threat-76f32d51e2d2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@sapirtwig/inside-darkgate-in-depth-technical-analysis-of-the-malware-as-a-service-threat-76f32d51e2d2"
	],
	"report_names": [
		"inside-darkgate-in-depth-technical-analysis-of-the-malware-as-a-service-threat-76f32d51e2d2"
	],
	"threat_actors": [],
	"ts_created_at": 1775434812,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f496bd6b024cd286a4255a7ace6117a96bcc725c.pdf",
		"text": "https://archive.orkl.eu/f496bd6b024cd286a4255a7ace6117a96bcc725c.txt",
		"img": "https://archive.orkl.eu/f496bd6b024cd286a4255a7ace6117a96bcc725c.jpg"
	}
}