MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54f52ef506f6649c09838b9935aed223f0f320798e13fdb9541ffd1db3e08816. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkGate
Vendor detections: 5

SHA256 hash: 54f52ef506f6649c09838b9935aed223f0f320798e13fdb9541ffd1db3e08816
SHA3-384 hash: 1ea063ef4198de7ec936494aa534cff449052deb791062ce79d80bdf3f8ef9a72568078561b58b5f76b337b281f52807
SHA1 hash: 29b6a8ae869cdc1a95bae83dd97874e5efa79613
MD5 hash: 608521a573ca80a1ba6e08a79dd9b899
humanhash: king-west-march-iowa
File name: no_halt_opts_enabled.msi
Signature: DarkGate
File size: 1'921'024 bytes
First seen: 2023-07-22 19:31:12 UTC
Last seen: 2023-07-25 13:13:14 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 49152:HpUP99FBJZEH1X1arF0EK/2ZIL/8up2yb:Hp82H1X6
Threatray: 15 similar samples on MalwareBazaar
TLSH: T14F95BF0333848125FF9B6DB38A5AA35786743C293223715F4F983E6D99B0173677A632
TrID: 89.6% (.MSI) Microsoft Windows Installer (454500/1/170)
      8.7% (.MSP) Windows Installer Patch (44509/10/5)
      1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: Xev
Tags: DarkGate msi

Intelligence


File Origin
# of uploads: 2
# of downloads: 184
Origin country: GR
Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: alien expand fingerprint lolbin packed shell32
Result
Threat name: n/a
Detection: malicious
Classification: troj.spyw.evad
Score: 64 / 100
Signature
Connects to many ports of the same IP (likely port scanning)
Contains functionality to modify clipboard data
Creates a thread in another existing process (thread injection)
Multi AV Scanner detection for domain / URL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph (ID 1277822, sample no_halt_opts_enabled.msi, start date 22/07/2023, architecture WINDOWS, score 64), reconstructed as a process tree from the graph dump; bracketed items are the signatures the sandbox attached to that node:

msiexec.exe
  dropped: C:\Windows\Installer\MSI71E7.tmp (PE32)
  dropped: C:\Windows\Installer\MSI40FA.tmp (PE32)
  msiexec.exe
    Autoit3.exe  [Contains functionality to modify clipboard data]
      dropped: C:\temp\AutoIt3.exe (PE32)
      cmd.exe  [Creates a thread in another existing process (thread injection)]
        dropped: C:\ProgramData\cdahehd\Autoit3.exe (PE32)
        network: 80.66.88.145, ports 2351, 49183, 49184 (RISS-ASRU, Russian Federation)
        msinfo32.exe
    AcroBroker.exe  [Creates a thread in another existing process (thread injection)]
      Aut2exe.exe
        AcroRd32.exe
        AutoIt3.exe
      FullTrustNotifier.exe
    expand.exe
      dropped: C:\Users\user\AppData\...\Autoit3.exe (copy) (PE32)
      dropped: C:\...\39d241a9be9dc84f9d3d554ef700fca4.tmp (PE32)
    3 other processes
Autoit3.exe
  cmd.exe
msiexec.exe

Signatures attached to the sample as a whole: Multi AV Scanner detection for domain / URL; Connects to many ports of the same IP (likely port scanning); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function).
Result
Malware family: n/a
Score: 10/10
Tags: discovery
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Drops file in Windows directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for VirusTotal.
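The sandbox results above describe a chain rather than a single indicator: msiexec.exe starts the AutoIt interpreter, AutoIt3.exe copies are dropped into user-writable locations (C:\temp, C:\ProgramData\cdahehd, AppData), a cmd.exe child of AutoIt3.exe runs msinfo32.exe, and that same cmd.exe node is the one talking to 80.66.88.145 on several ports. The following is an added example, not part of this MalwareBazaar entry and not the sandbox vendor's code: a small detector over constructed Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) events that turns each of those observations into a rule. The events, pids and all ports except 2351 are constructed; the paths and the IP are the ones reported above.

```python
"""Added example (not part of this MalwareBazaar entry or the sandbox vendor's code):
a small detector over constructed Sysmon-style process-creation (EventID 1) and
network-connection (EventID 3) events. The rules encode the chain the sandbox
reported: msiexec.exe starting the AutoIt interpreter, AutoIt3.exe running from
user-writable paths (C:\\temp, C:\\ProgramData, AppData), the
AutoIt3.exe -> cmd.exe -> msinfo32.exe discovery hop, and one process touching
many ports on a single IP. Event contents, pids and most ports are constructed;
only the paths and the IP 80.66.88.145 come from the entry."""
import ntpath
from collections import defaultdict

C2_IP = "80.66.88.145"                      # IP from the behaviour graph above
AUTOIT_NAMES = {"autoit3.exe", "aut2exe.exe"}
MANY_PORTS = 3                              # distinct dst ports to one IP that we call "many"

# Constructed events (not a real capture). id=1: process creation, id=3: network connection.
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1,   "image": "C:\\Windows\\System32\\msiexec.exe",  "parent": "C:\\Windows\\explorer.exe"},
    {"id": 1, "pid": 200, "ppid": 100, "image": "C:\\temp\\AutoIt3.exe",               "parent": "C:\\Windows\\System32\\msiexec.exe"},
    {"id": 1, "pid": 201, "ppid": 100, "image": "C:\\Windows\\System32\\expand.exe",   "parent": "C:\\Windows\\System32\\msiexec.exe"},
    {"id": 1, "pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\cmd.exe",      "parent": "C:\\temp\\AutoIt3.exe"},
    {"id": 1, "pid": 400, "ppid": 300, "image": "C:\\Windows\\System32\\msinfo32.exe", "parent": "C:\\Windows\\System32\\cmd.exe"},
    # benign control: a properly installed AutoIt interpreter started by the user
    {"id": 1, "pid": 500, "ppid": 1,   "image": "C:\\Program Files\\AutoIt3\\AutoIt3.exe", "parent": "C:\\Windows\\explorer.exe"},
    {"id": 3, "pid": 300, "dst_ip": C2_IP, "dst_port": 2351},          # 2351 appears in the graph
    {"id": 3, "pid": 300, "dst_ip": C2_IP, "dst_port": 2352},          # constructed
    {"id": 3, "pid": 300, "dst_ip": C2_IP, "dst_port": 2353},          # constructed
    {"id": 3, "pid": 500, "dst_ip": "203.0.113.10", "dst_port": 443},  # constructed, TEST-NET
]

def _base(path):
    return ntpath.basename(path).lower()

def _user_writable(path):
    p = path.lower()
    return p.startswith("c:\\temp\\") or p.startswith("c:\\programdata\\") or "\\appdata\\" in p

def detect(events):
    """Return a list of (rule_name, pid) findings; a pid may trigger several rules."""
    findings = []
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    for e in procs.values():
        name, parent = _base(e["image"]), _base(e["parent"])
        if name in AUTOIT_NAMES and _user_writable(e["image"]):
            findings.append(("autoit_from_writable_path", e["pid"]))
        if name in AUTOIT_NAMES and parent == "msiexec.exe":
            findings.append(("msiexec_spawns_autoit", e["pid"]))
        if name == "msinfo32.exe" and parent == "cmd.exe":
            # walk two levels up: msinfo32 <- cmd <- AutoIt3
            cmd = procs.get(e["ppid"])
            grandparent = procs.get(cmd["ppid"]) if cmd else None
            if grandparent and _base(grandparent["image"]) in AUTOIT_NAMES:
                findings.append(("autoit_cmd_msinfo32_chain", e["pid"]))
    ports = defaultdict(set)
    for e in events:
        if e["id"] == 3:
            ports[(e["pid"], e["dst_ip"])].add(e["dst_port"])
    for (pid, ip), dst_ports in ports.items():
        if len(dst_ports) >= MANY_PORTS:
            findings.append(("many_ports_same_ip", pid))
        if ip == C2_IP:
            findings.append(("known_ioc_ip", pid))
    return findings

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:28s} pid={pid}")
```

The path rule is the one worth keeping after this sample is forgotten: a legitimately installed AutoIt interpreter lives under Program Files, so an AutoIt3.exe under C:\temp, C:\ProgramData or AppData is suspicious on its own, whereas the IP and the port threshold will age quickly.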

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Script
Author: @bartblaze
Description: Identifies AutoIT script.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
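The note above says rules are matched against the uploaded file and against process dumps the sample creates, and this sample is tagged "packed". The following is an added example, not code from MalwareBazaar and not the published AutoIT_Script or BitcoinAddress rules: a minimal string-set matcher in the spirit of YARA, run over a constructed on-disk sample whose AutoIt marker is XOR-masked and over a constructed process dump where the marker is in the clear. "AU3!EA06" is the header of compiled AutoIt3 scripts; the rule's string set and the "any of them" condition are assumptions chosen for illustration.

```python
"""Added example, not the page's code and not the published AutoIT_Script or
BitcoinAddress rules: a minimal string-set matcher in the spirit of the YARA
matching described above, run over a constructed on-disk sample whose AutoIt
marker is XOR-masked and over a constructed process dump where the marker is in
the clear. "AU3!EA06" is the header of compiled AutoIt3 scripts; the rule's
string set is an assumption for illustration only."""

# rule name -> list of strings; condition is "any of them" (YARA-style)
RULES = {
    "AutoIT_Script_like": [b"AU3!EA06", b"#NoTrayIcon"],
}

def scan(buf, rules=RULES):
    """Return {rule_name: [(offset, string), ...]} for each rule with at least one hit."""
    hits = {}
    for name, strings in rules.items():
        found = [(buf.find(s), s) for s in strings if s in buf]
        if found:
            hits[name] = found
    return hits

def _xor(data, key):
    return bytes(b ^ key for b in data)

KEY = 0x5A
# Constructed buffers. On disk the loader keeps the script masked ("packed");
# once the loader has decoded it in memory the marker is visible in a dump.
DISK_SAMPLE = b"MZ\x90\x00" + b"\x00" * 28 + _xor(b"AU3!EA06" + b"script-body", KEY)
PROCESS_DUMP = b"\x00" * 16 + b"AU3!EA06" + b"script-body"

def scan_file_and_dump(disk=DISK_SAMPLE, dump=PROCESS_DUMP):
    """Scan both artefacts, as MalwareBazaar does for uploads and their process dumps."""
    return {"file": scan(disk), "dump": scan(dump)}

if __name__ == "__main__":
    print(scan_file_and_dump())
```

The file scan returns nothing and the dump scan hits, which is why a YARA match list on a packed sample can look empty at the file level yet still show rule names here: those hits came from the process dumps.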

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments