DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)

DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.(Citation: Ensilo Darkgate 2018) DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.(Citation: Trellix Darkgate 2023)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Rename System Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	1
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	1
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Hide Infrastructure - T1665 (eb897572-8979-4242-a089-56f294f4c91d)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
AutoHotKey & AutoIT - T1059.010 (3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	1
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	DarkGate - S1111 (6f6f67c9-556d-4459-95c2-78d272190e52)	Malware	1
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	2
Rename System Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2
DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	2
Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	2
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32)	Attack Pattern	2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	2
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	2
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	2
AutoHotKey & AutoIT - T1059.010 (3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	2
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	2
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2