MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d36c21c7f255ba1596da6e9a771b61d5120113376f519d13b336343362f2b4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkGate


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d36c21c7f255ba1596da6e9a771b61d5120113376f519d13b336343362f2b4a
SHA3-384 hash: 6fdff2995823d216efda8af773927f02890d4e641f982be9b193c0553f047d6a42c4d080866a491113e0dc0c814b40fa
SHA1 hash: f3d67076e491ab59f33a06afcd00a42d9a344711
MD5 hash: 5e5704e30401f1ba9906e382f6a7c684
humanhash: lake-apart-blue-friend
File name:612b7a607a8e.msi
Download: download sample
Signature DarkGate
Create hunting rule
File size:8'900'608 bytes
First seen:2023-11-08 18:58:24 UTC
Last seen:2023-11-08 20:19:21 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:xeS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9lqFM2CMhimhs4W:xdhVs6WXjX9HZ5AQX32WDuqRCMhif4W
TLSH T14E963330768D8635D18F2336825BE6923654BF100BA1C0CB2B94B97C3A717E6EF35796
TrID 98.2% (.MSI) Microsoft Windows Installer (454500/1/170)
1.7% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter malwarelabnet
Tags:DarkGate msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
201
Origin country :
CA CA
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilMSI.PkillImAfraidOfUnregisteredMSIinstallers.20231026.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug expand fingerprint hacktool installer lolbin packed shell32
Link:
https://www.filescan.io/uploads/654bda763dd412119bf22dad/reports/4d1094f3-3803-4812-8c90-992d4ba6983c/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/3d36c21c7f255ba1596da6e9a771b61d5120113376f519d13b336343362f2b4a
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/3d36c21c7f255ba1596da6e9a771b61d5120113376f519d13b336343362f2b4a
Result
Threat name:
DarkGate, MailPassView
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1339303
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Deletes shadow drive data (may be related to ransomware)
Found malware configuration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected DarkGate
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1339303 Sample: 612b7a607a8e.msi Startdate: 08/11/2023 Architecture: WINDOWS Score: 96 42 Found malware configuration 2->42 44 Yara detected DarkGate 2->44 46 Yara detected MailPassView 2->46 48 3 other signatures 2->48 8 msiexec.exe 8 17 2->8         started        11 msiexec.exe 5 2->11         started        process3 file4 28 C:\Windows\Installer\MSI626C.tmp, PE32 8->28 dropped 13 msiexec.exe 5 8->13         started        process5 process6 15 windbg.exe 3 13->15         started        19 expand.exe 11 13->19         started        21 cmd.exe 13->21         started        23 2 other processes 13->23 file7 30 C:\tmpa\Autoit3.exe, PE32 15->30 dropped 36 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->36 38 Contains functionality to register a low level keyboard hook 15->38 40 Contains functionality to modify clipboard data 15->40 25 Autoit3.exe 15->25         started        32 C:\...\bc8de4d068f7d840bd4feef62f2741ed.tmp, PE32 19->32 dropped 34 C:\...\06171d5f8e68df43ba7f68179b9cd6e5.tmp, PE32 19->34 dropped signatures8 process9 signatures10 50 Deletes shadow drive data (may be related to ransomware) 25->50 52 Contains functionality to modify clipboard data 25->52
Score:
99%
Verdict:
Malware
File Type:
MSI
Link:
https://malprob.io/report/3d36c21c7f255ba1596da6e9a771b61d5120113376f519d13b336343362f2b4a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d36c21c7f255ba1596da6e9a771b61d5120113376f519d13b336343362f2b4a/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hu3mehd7evn2cwlnu3u2o4nwdvisaejto32rtuj3gnrugnrpfnfa._file
Verdict:
malicious
Result
Malware family:
darkgate
Create hunting rule
Score:
  10/10
Tags:
family:darkgate botnet:plex discovery stealer
Link:
https://tria.ge/reports/231108-xm276adc31/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Drops file in Windows directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
DarkGate
Malware Config
C2 Extraction:
http://homeservicetreking.com
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkGate
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d36c21c7f255ba1596da6e9a771b61d5120113376f519d13b336343362f2b4a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments