MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkGate


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e
SHA3-384 hash: 3fca9a5a67684fa6f26d9c922c5856430c5b60df739aa9e26a5580e30401854cb7afd9f30c63ff4d2d7c776966c335c8
SHA1 hash: c983b7dff2ea4c63f3944e639eb54d0e6b0b655f
MD5 hash: 2999391319cda1be5dacfaf5b05062b2
humanhash: lake-fruit-fanta-zulu
File name:build-x64.msi
Download: download sample
Signature DarkGate
Create hunting rule
File size:6'094'848 bytes
First seen:2024-02-14 12:55:44 UTC
Last seen:2024-02-14 14:31:13 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:NpUPFUhtSTK+0THkWsN8SDYdvH5eoQDWeEHHhRgWEF9nuriG7DrFWoRRRJuGgagL:NpMnFDcEWoVoFWRGga5q
TLSH T135566CAB62D88969D01FD2BAC0D2CB03D433F47637F281E7335162753AA65D90E7E258
TrID 89.6% (.MSI) Microsoft Windows Installer (454500/1/170)
8.7% (.MSP) Windows Installer Patch (44509/10/5)
1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter e24111111111111
Tags:DarkGate msi signed

Code Signing Certificate

Organisation:Inoellact EloubantTech Optimization Information Co., Ltd.
Issuer:GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2024-01-26T09:28:10Z
Valid to:2025-01-26T09:28:10Z
Serial number: 0aee6c4fc643b7b43c38160b
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: de354ff5d2b027b54979b5c99a805fe90c74ac65221498ff4069569e8a81dfc6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
e24111111154168
http://95.164.63.54/documents/build-x64.zip/build-x64.msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
166
Origin country :
GR GR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/476138/
Detection(s):
SecuriteInfo.com.Win64.InjectorX-gen.30355.5447.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
alien expand fingerprint hook installer lolbin packed shell32
Link:
https://www.filescan.io/uploads/65ccb86890a5367ac0c4c845/reports/92a826ac-dc38-4b1d-b6ef-218f0e8840f0/overview
Verdict:
Malicious
Labled as:
Trojan.OLE2.Alien
Link:
https://www.hybrid-analysis.com/sample/3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e
Result
Threat name:
DarkGate, MailPassView
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1392124
Signature
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Detected unpacking (creates a PE file in dynamic memory)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected DarkGate
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1392124 Sample: build-x64.msi Startdate: 14/02/2024 Architecture: WINDOWS Score: 100 42 Multi AV Scanner detection for dropped file 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected DarkGate 2->46 48 3 other signatures 2->48 8 msiexec.exe 12 20 2->8         started        11 msiexec.exe 5 2->11         started        process3 file4 28 C:\Windows\Installer\MSIB0CA.tmp, PE32 8->28 dropped 13 msiexec.exe 5 8->13         started        process5 process6 15 iTunesHelper.exe 4 13->15         started        19 expand.exe 6 13->19         started        21 cmd.exe 13->21         started        23 2 other processes 13->23 file7 30 C:\temp\Autoit3.exe, PE32 15->30 dropped 40 Detected unpacking (creates a PE file in dynamic memory) 15->40 25 Autoit3.exe 3 15->25         started        32 C:\Users\user\...\iTunesHelper.exe (copy), PE32+ 19->32 dropped 34 C:\Users\user\...\CoreFoundation.dll (copy), PE32+ 19->34 dropped 36 C:\...\2346fec950654246b420719b388cdc3c.tmp, PE32+ 19->36 dropped 38 C:\...\089c89a63e299e47a090a1b90ab25e9c.tmp, PE32+ 19->38 dropped signatures8 process9 signatures10 50 Machine Learning detection for dropped file 25->50 52 Contains functionality to inject threads in other processes 25->52 54 Contains functionality to inject code into remote processes 25->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e/
Threat name:
Win64.Trojan.Darkgate
Create hunting rule
Status:
Malicious
First seen:
2024-02-14 06:41:20 UTC
File Type:
Binary (Archive)
Extracted files:
62
AV detection:
14 of 38 (36.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hp4zqecrbqmxxhgw4q2nsvaxkfo3yqxzjmi3x6mrn3awabtow57a._file
Verdict:
malicious
Result
Malware family:
darkgate
Create hunting rule
Score:
  10/10
Tags:
family:darkgate discovery stealer
Link:
https://tria.ge/reports/240214-p6cgvaba9w/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Enumerates connected drives
Modifies file permissions
DarkGate
Detect DarkGate stealer
Malware family:
DarkGate
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3bf99810510c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkGate
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Script
Create hunting rule
Author:@bartblaze
Description:Identifies AutoIT script. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

DarkGate

zip 63504a7e967d5983fd36d4b4c96284332104758a19dbc9c7a0ff4225d6f8ff13

DarkGate

Microsoft Software Installer (MSI) msi 3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/476138/
  
Dropped by
SHA256 63504a7e967d5983fd36d4b4c96284332104758a19dbc9c7a0ff4225d6f8ff13
  
Dropped by
MD5 9c743eed9f08294c6cb4f091bfcc9d5a

Comments