DarkGate - Autoit3.EXE File Creation By Uncommon Process
Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes constitute non-standard and suspicious ways to retrieve the Autoit3 executable.
Sigma rule
```yaml
title: DarkGate - Autoit3.EXE File Creation By Uncommon Process
id: 1a433e1d-03d2-47a6-8063-ece992cf4e73
status: test
description: |
    Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.
    This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
    process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other
    processes constitute non-standard and suspicious ways to retrieve the Autoit3 executable.
references:
    - https://github.security.telekom.com/2023/08/darkgate-loader.html
    - https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
    - https://github.com/pr0xylife/DarkGate/tree/main
author: Micah Babinski
date: 2023-10-15
tags:
    - attack.command-and-control
    - attack.execution
    - attack.t1105
    - attack.t1059
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\Autoit3.exe'
            - '\curl.exe'
            - '\ExtExport.exe'
            - '\KeyScramblerLogon.exe'
            - '\wmprph.exe'
        TargetFilename|endswith: '\Autoit3.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
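To see how the `selection` block behaves on real telemetry, here is an added example (not part of the rule or of SigmaHQ) that evaluates the two `|endswith` conditions over constructed Sysmon Event ID 11 (FileCreate) records, using Sigma's default case-insensitive string matching; the sample paths are invented for illustration.

```python
# Added example (not part of the Sigma rule or SigmaHQ): evaluates the rule's
# 'selection' over constructed Sysmon Event ID 11 (FileCreate) records.
from typing import Iterable

# Suffix lists taken verbatim from the rule above.
IMAGE_SUFFIXES = (
    r"\Autoit3.exe",
    r"\curl.exe",
    r"\ExtExport.exe",
    r"\KeyScramblerLogon.exe",
    r"\wmprph.exe",
)
TARGET_SUFFIX = r"\Autoit3.exe"


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma string modifiers match case-insensitively by default."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event: dict) -> bool:
    """True when both fields of 'selection' match (fields are AND-ed)."""
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    image_hit = any(sigma_endswith(image, s) for s in IMAGE_SUFFIXES)
    return image_hit and sigma_endswith(target, TARGET_SUFFIX)


def find_matches(events: Iterable[dict]) -> list[dict]:
    """Return every event that would fire this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; paths are illustrative, not from a real incident.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\curl.exe",
     "TargetFilename": r"C:\Users\Public\Autoit3.exe"},      # fires
    {"EventID": 11, "Image": r"C:\Windows\System32\curl.exe",
     "TargetFilename": r"C:\Users\Public\report.pdf"},       # wrong target
    {"EventID": 11, "Image": r"C:\Program Files\AutoIt3\AutoIt3.exe",
     "TargetFilename": r"C:\Temp\AUTOIT3.EXE"},              # fires (case-insensitive)
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Public\Autoit3.exe"},      # image not in list
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetFilename"])
```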