PULSE NAME
Dissecting DarkGate: Modular Malware Delivery and Persistence as a Service
TLP: WHITE   Author: AlienVault   Created: 2024-02-29   Modified: 2024-03-30
This report analyzes a phishing PDF that led to the delivery of a signed MSI file. The MSI contains layered stages built to evade detection and ultimately deliver the DarkGate malware, which provides persistence and remote access. The analysis covers extracting and decrypting each stage to recover the final payload.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
DarkGate
Indicators of Compromise (21)
TYPE               INDICATOR                                                          CREATED
FileHash-MD5       c56b5f0201a3b3de53e561fe76912bfd                                   2024-02-29
FileHash-MD5       d82b3fb861129c5d71f0cd2874f97216                                   2024-02-29
FileHash-SHA1      2a4062e10a5de813f5688221dbeb3f3ff33eb417                           2024-02-29
FileHash-SHA1      f3fe341d79224126e950d2691d574d147102b18d                           2024-02-29
FileHash-SHA256    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c   2024-02-29
FileHash-SHA256    17158c1a804bbf073d7f0f64a9c974312b3967a43bdc029219ab62545b94e724   2024-02-29
FileHash-SHA256    2296f929340976c680d199ce8e47bd7136d9f4c1f7abc9df79843e094f894236   2024-02-29
FileHash-SHA256    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d   2024-02-29
FileHash-SHA256    2693c9032d5568a44f3e0d834b154d823104905322121328ae0a1600607a2175   2024-02-29
FileHash-SHA256    599ab65935afd40c3bc7f1734cbb8f3c8c7b4b16333b994472f34585ebebe882   2024-02-29
FileHash-SHA256    693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a   2024-02-29
FileHash-SHA256    91274ec3e1678cc1e92c02bc54a24372b19d644c855c96409b2a67a648034ccf   2024-02-29
FileHash-SHA256    ee1ffb1f1903746e98aba2b392979a63a346fa0feab0d0a75477eacc72fc26a6   2024-02-29
FileHash-SHA256    f049356bb6a8a7cd82a58cdc9e48c492992d91088dda383bd597ff156d8d2929   2024-02-29
FileHash-SHA256    f7e97b100abe658a0bad506218ff52b5b19adb75a421d7ad91d500c327685d29   2024-02-29
URL                http://95.164.63.54/documents/build-x64.zip/build-x64.msi          2024-02-29
URL                https://binary.ninja/                                              2024-02-29
URL                https://legroom.net/software/uniextract                            2024-02-29
URL                https://x64dbg.com/                                                2024-02-29
domain             prodomainnameeforappru.com                                         2024-02-29
domain             selectwendormo9tres.com                                            2024-02-29

The pulse supplies no DESCRIPTION for any indicator, so that column is omitted above. Note that the URLs for binary.ninja, legroom.net/software/uniextract and x64dbg.com are references to analysis tools (Binary Ninja, Universal Extractor, x64dbg) that were extracted from the source report; they are not attacker infrastructure and should not be fed into blocklists or detection rules. The only network indicators that belong in detection content are the two domains and the URL on 95.164.63.54, whose host IP is usable as an indicator in its own right.
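A triage script for this indicator list, added here as an example; it is not code from the pulse or from the underlying report. It parses rows in the pulse's own "type indicator created" form (a subset of the rows above is embedded), checks that each hash is hex of the length its declared type implies, sets aside the three analysis-tool URLs, derives the host of the remaining URL so the IP can be matched in network logs, hashes every file under a directory, and matches DNS/proxy log lines. The log lines and the scanned file are constructed; the file hit is produced with the constructed file's own hash, not one of the pulse's hashes, and the names TOOL_HOSTS, parse_iocs, scan_dir, match_logs and run_demo are this example's own.

```python
"""Match the pulse's DarkGate indicators against files and DNS/proxy logs.
Added example, not code from the pulse or the report; logs and the scanned file are constructed."""
import hashlib
import os
import re
import tempfile
from urllib.parse import urlparse

# Subset of the pulse's rows in its own "<type> <indicator> <created>" form.
PULSE_IOCS = """\
FileHash-MD5 c56b5f0201a3b3de53e561fe76912bfd 2024-02-29
FileHash-MD5 d82b3fb861129c5d71f0cd2874f97216 2024-02-29
FileHash-SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417 2024-02-29
FileHash-SHA1 f3fe341d79224126e950d2691d574d147102b18d 2024-02-29
FileHash-SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c 2024-02-29
FileHash-SHA256 17158c1a804bbf073d7f0f64a9c974312b3967a43bdc029219ab62545b94e724 2024-02-29
FileHash-SHA256 2296f929340976c680d199ce8e47bd7136d9f4c1f7abc9df79843e094f894236 2024-02-29
URL http://95.164.63.54/documents/build-x64.zip/build-x64.msi 2024-02-29
URL https://binary.ninja/ 2024-02-29
URL https://legroom.net/software/uniextract 2024-02-29
URL https://x64dbg.com/ 2024-02-29
domain prodomainnameeforappru.com 2024-02-29
domain selectwendormo9tres.com 2024-02-29
"""

# Hosts of the tool URLs OTX pulled from the report (Binary Ninja, Universal Extractor, x64dbg).
TOOL_HOSTS = {"binary.ninja", "legroom.net", "x64dbg.com"}
HASH_TYPES = {32: "FileHash-MD5", 40: "FileHash-SHA1", 64: "FileHash-SHA256"}
HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}")


def parse_iocs(text):
    """Build hash/host/url sets; mistyped hashes and tool URLs go to 'rejected'."""
    iocs = {"hashes": set(), "hosts": set(), "urls": set(), "rejected": []}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        itype, value = parts[0], parts[1]
        if itype.startswith("FileHash-"):
            value = value.lower()
            # A hash must be hex and its length must fit the declared type.
            if re.fullmatch(r"[0-9a-f]+", value) and HASH_TYPES.get(len(value)) == itype:
                iocs["hashes"].add(value)
            else:
                iocs["rejected"].append(line)
        elif itype == "domain":
            iocs["hosts"].add(value.lower())
        elif itype == "URL":
            host = urlparse(value).hostname
            if host in TOOL_HOSTS:
                iocs["rejected"].append(line)
            else:
                iocs["urls"].add(value)
                iocs["hosts"].add(host)  # the URL's host/IP is a network IOC too
    return iocs


def scan_dir(root, iocs):
    """Return [(path, [matched hashes])] for files under root."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digests = [hashlib.md5(), hashlib.sha1(), hashlib.sha256()]
            with open(path, "rb") as fh:  # one read feeds all three digests
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    for d in digests:
                        d.update(chunk)
            matched = {d.hexdigest() for d in digests} & iocs["hashes"]
            if matched:
                hits.append((path, sorted(matched)))
    return hits


def match_logs(lines, iocs):
    """Return [(line, host)] for lines that name an IOC domain or IP."""
    hits = []
    for line in lines:
        for token in HOST_RE.findall(line.lower()):
            if token in iocs["hosts"]:
                hits.append((line, token))
                break
    return hits


SAMPLE_LOGS = [  # constructed: lines 1 and 2 should hit, 3 (tool site) and 4 should not
    "2024-03-01T10:02:11Z dns host=ws-17 qname=prodomainnameeforappru.com type=A",
    "2024-03-01T10:02:14Z proxy host=ws-17 GET http://95.164.63.54/documents/build-x64.zip/build-x64.msi 200",
    "2024-03-01T10:03:00Z dns host=ws-17 qname=x64dbg.com type=A",
    "2024-03-01T10:04:00Z dns host=ws-02 qname=update.example.org type=A",
]


def run_demo():
    """Run both matchers; the file hit uses the constructed file's own hash."""
    iocs = parse_iocs(PULSE_IOCS)
    log_hits = match_logs(SAMPLE_LOGS, iocs)
    data = b"constructed sample, not the real build-x64.msi"
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "build-x64.msi"), "wb") as fh:
            fh.write(data)
        clean = scan_dir(tmp, iocs)  # pulse hashes only: no hit
        iocs["hashes"].add(hashlib.sha256(data).hexdigest())
        flagged = scan_dir(tmp, iocs)  # now the constructed file matches
    return {"iocs": iocs, "log_hits": log_hits, "clean": clean, "flagged": flagged}


if __name__ == "__main__":
    print(run_demo()["log_hits"])
```

Hashing each file once for all three digest types keeps a scan of a large share cheap, and rejecting a hash whose length does not match its declared type catches the copy-paste truncation that otherwise silently produces a rule that never fires.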