Hi, having decrypted and detonated this sample that was received at the first stage of delivery,

I noticed some features of http that can be used for detection. For example, the same user agent, lifetime and what is interesting is the use of a capital letter in the content description:

I did not hardcode the port since there is also a request for 8080.
The body of the request now looks slightly different due to the use of substitution encryption and I always had 102 bytes, the first 32 of which are MD5 from system information. Previously this was an ID parameter. You can also use it at your discretion.

pcre: "/^[A-Ma-h]{32}[a-zA-Z0-9=]{6}(.)[a-zA-Z0-9=]{23}\1[a-zA-Z0-9=]{39}$/";

The proposed rule is as follows:

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] DarkGate Check-In HTTP header";
flow: established, to_server; 

content: "POST"; 

content: "Keep-Alive: 300"; distance: 0; 
content: "Connection: keep-alive"; distance: 0; 
content: "Content-Type: Application/octet-stream"; distance: 0; 
content: "Content-Length: "; 
byte_test: 0, >, 40, 0, relative, string, dec;
byte_test: 0, <, 750, 0, relative, string, dec;

content: "|0d0a|Host|0d 0a|Keep-Alive|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a 0d 0a|"; startswith;

content: "Mozilla/4.0 (compatible|3b| Synapse)"; bsize: 33; 

reference: md5,4d26c05426247f7a4f784967c7b0faa2;
reference: url,app.any.run/tasks/fb92bcf3-3413-4bca-807a-fb002ac48b18;
classtype: command-and-control;
sid: 1; rev: 1;)


A colleague just sent me this request, it contains 46 bytes, and of course it matches only the first 32 bytes of the regular expression.


After reviewing the research, I dare to suggest much more content in the data section.

I hope that you will have more traffic to prevent unnecessary checks.
Cheers, Jane (βŒβŠ™_βŠ™)

1 Like

Downloaded from triage and launched in any_run:

1 Like

Hey Jane!

Thanks for the sweet sig! The only thing I added was a threshold limit because @malware_traffic identified traffic that matches your sig and some hosts were creating a frequent amount of requests. Have a great weekend!

2048558 - ET MALWARE [ANY.RUN] DarkGate Check-In HTTP Header (POST)

Isaac :zombie: