Date: 09/06/2024
Severity: High
Summary
DarkGate is a comprehensive toolkit that equips attackers with extensive tools to fully compromise victim systems. As a loader and botnet malware, DarkGate has been in circulation since 2017.
Indicators of Compromise (IOC) List
| Indicator type | Value |
| --- | --- |
| Message / C2 communication | zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+= |
| Registry key and path | Software\Microsoft\Windows\CurrentVersion\Internet Settings (values: ProxyEnable, ProxyServer) |
| Process creation | "/c c:\\temp\\PsExec.exe -accepteula -i" |
| Hash (SHA-256) | 1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
| Indicator type | Query |
| --- | --- |
| Message / C2 communication | resourceName = "Sysmon" AND message like "zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=" |
| Message / C2 communication | technologygroup = "EDR" AND message like "zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=" |
| Registry key and path | (resourcename = "Windows Security" AND eventtype = "4657") AND objectname In ("Software\Microsoft\Windows\CurrentVersion\Internet Settings", "ProxyEnable", "ProxyServer") |
| Registry key and path | technologygroup = "EDR" AND objectname In ("Software\Microsoft\Windows\CurrentVersion\Internet Settings", "ProxyEnable", "ProxyServer") |
| Process creation | (resourceName = "Windows Security" AND eventtype = "4688") AND commandline = "/c c:\\temp\\PsExec.exe -accepteula -i" |
| Process creation | technologygroup = "EDR" AND commandline = "/c c:\\temp\\PsExec.exe -accepteula -i" |
| Hash (SHA-256) | sha256hash IN ("1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7") |
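The detection logic of the queries above, as an added Python example that is not part of the advisory or of the Gurucul platform: it applies the four IOC checks to normalised events that use the same field names as the queries (eventtype, message, objectname, commandline, sha256hash, technologygroup, all assumed here) and runs them over constructed sample events.

```python
from __future__ import annotations

# IOC values taken from the advisory above (matched case-insensitively
# except for the custom alphabet, which is an exact string).
C2_ALPHABET = "zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+="
PROXY_KEY = r"software\microsoft\windows\currentversion\internet settings"
PROXY_VALUE_NAMES = {"proxyenable", "proxyserver"}
PSEXEC_CMDLINE = r"/c c:\temp\psexec.exe -accepteula -i"
DARKGATE_SHA256 = {"1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7"}


def check_event(ev: dict) -> list[str]:
    """Return the names of the advisory's detections that one event trips."""
    get = lambda k: str(ev.get(k, "")).lower()
    hits = []
    # Message / C2 communication: the custom base64 alphabet seen in any message
    if C2_ALPHABET in str(ev.get("message", "")):
        hits.append("c2_custom_alphabet")
    # Registry: a 4657 (or EDR) event touching the Internet Settings proxy values;
    # endswith() tolerates a leading hive prefix such as HKCU\ in the path
    is_registry = get("eventtype") == "4657" or get("technologygroup") == "edr"
    obj = get("objectname")
    if is_registry and (obj.endswith(PROXY_KEY) or obj in PROXY_VALUE_NAMES):
        hits.append("registry_proxy_settings")
    # Process creation: a 4688 (or EDR) event with the exact PsExec command line
    is_process = get("eventtype") == "4688" or get("technologygroup") == "edr"
    if is_process and get("commandline") == PSEXEC_CMDLINE:
        hits.append("process_psexec")
    # Hash: SHA-256 of the known DarkGate sample
    if get("sha256hash") in DARKGATE_SHA256:
        hits.append("hash_darkgate")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map the index of every matching event to the detections it tripped."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}


# Constructed sample events (not real telemetry), in the queries' field names
SAMPLE_EVENTS = [
    {"resourcename": "Sysmon", "message": "decode table " + C2_ALPHABET},
    {"resourcename": "Windows Security", "eventtype": "4657",
     "objectname": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"},
    {"technologygroup": "EDR", "commandline": r"/C C:\Temp\PsExec.exe -accepteula -i"},
    {"resourcename": "Windows Security", "eventtype": "4688",
     "commandline": r"C:\Windows\System32\svchost.exe -k netsvcs"},  # benign
    {"technologygroup": "EDR", "sha256hash": "1FB6B8BED3A67EE4225F852C3D90FD2B629F2541AB431B4BD4D9D9F5BBD2C4B7"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```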
Reference:
https://gurucul.com/blog/darkgate-malware/