MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c43398c9b643823f879aaaa2e3cc9f4511cb1e45687bf673812ac55f527ff12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkGate

Vendor detections: 9

SHA256 hash: 0c43398c9b643823f879aaaa2e3cc9f4511cb1e45687bf673812ac55f527ff12
SHA3-384 hash: f4ba9a7098109984a01da6c6df9ec0ca1162675663762103a86f227a9429ccf2c4e7f9a9fbbe85227f4cf5d59bdb0c48
SHA1 hash: c90d572f7f160dd8a3ae6e825eeb2a9d6628cef5
MD5 hash: 4159d454a06b07465a42fdc2ed3d1575
humanhash: california-pennsylvania-bakerloo-vermont
File name: S_install_x86.msi
Signature: DarkGate
File size: 2'347'008 bytes
First seen: 2023-09-14 07:03:34 UTC
Last seen: 2023-09-14 12:37:30 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 49152:kpUPh1lqpM8LVFlZRUGJGV0Ar3mhAijKtORfjBHbioVvboWQRJna:kpg1pejUoGa1HWuvmJa
Threatray: 661 similar samples on MalwareBazaar
TLSH: T1B5B5235136C9C137E69F1736457AC7A6126ABC205B30C0CFABA13D5D5B32BD2AE39312
TrID: 98.2% (.MSI) Microsoft Windows Installer (454500/1/170)
      1.7% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: 1ZRR4H
Tags: 178-236-247-102 DarkGate msi PFO GROUP LLC

Intelligence


File Origin
# of uploads: 3
# of downloads: 160
Origin country: CL
Vendor Threat Intelligence
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: expand fingerprint lolbin packed shell32
Result
Threat name: DarkGate
Detection: malicious
Classification: troj.spyw.evad
Score: 72 / 100
Signature
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Contains functionality to modify clipboard data
Creates a thread in another existing process (thread injection)
Opens the same file many times (likely Sandbox evasion)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected DarkGate
Behaviour
Behavior Graph: ID 1307693, sample S_install_x86.msi, start date 14/09/2023, architecture WINDOWS, score 72 (the rendered process graph, dropped-file list and signature annotations are not reproduced here).
Threat name: Win32.Trojan.Darkgate
Status: Malicious
First seen: 2023-09-14 07:04:07 UTC
File Type: Binary (Archive)
Extracted files: 131
AV detection: 7 of 21 (33.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: discovery
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_OLE_file_magic_number
Author: Didier Stevens (https://DidierStevens.com)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | DarkGate | Microsoft Software Installer (MSI) msi | 0c43398c9b643823f879aaaa2e3cc9f4511cb1e45687bf673812ac55f527ff12 (this sample)

Delivery method: Distributed via web download

Comments