MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58e2f786321d58631386654265c8fc5298e1e396c219a424de57a3623b4bd994. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkGate


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58e2f786321d58631386654265c8fc5298e1e396c219a424de57a3623b4bd994
SHA3-384 hash: 5e5e5ebad0f1eea6a097a890e2d0596d91ae410b911030df2ad9278dd9aeba73d370869d06fe9226cbd45ef87d27bd80
SHA1 hash: f8535858fcee6b96e0f49e6156fa110fc0698880
MD5 hash: 4f238c2093606fc296f1f819c2f0fc67
humanhash: three-pluto-grey-lake
File name:mkreafr.msi
Download: download sample
Signature DarkGate
Create hunting rule
File size:4'493'312 bytes
First seen:2024-01-31 17:44:42 UTC
Last seen:2024-01-31 19:24:53 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:jpUPN9qhCxzT+WKjSXcmNt6+XzP4BYIeBfCXqyfdo1DDDDDDDDDDPuDgO9hTnxA5:jpqCQbm+jg12f3yaiga6yU
TLSH T170265A2BE253815DC11BC03483928AB09433786597F299D743DEDE695AA1CD27EFEE30
TrID 89.6% (.MSI) Microsoft Windows Installer (454500/1/170)
8.7% (.MSP) Windows Installer Patch (44509/10/5)
1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter rmceoin
Tags:DarkGate msi


Avatar
rmceoin
http://5.181.159.49/Downloads/mkreafr.zip

Intelligence

File Origin
# of uploads :
2
# of downloads :
186
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/473850/
Detection(s):
SecuriteInfo.com.Win64.InjectorX-gen.7988.27168.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
100%
Tags:
anti-vm expand fingerprint installer lolbin packed shell32
Link:
https://www.filescan.io/uploads/65ba8724bc91f83c80743b21/reports/24c4e9b2-5a5b-4036-818c-09ba16e81e6b/overview
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/58e2f786321d58631386654265c8fc5298e1e396c219a424de57a3623b4bd994
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/58e2f786321d58631386654265c8fc5298e1e396c219a424de57a3623b4bd994
Result
Threat name:
DarkGate, MailPassView
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1384290
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Detected unpacking (creates a PE file in dynamic memory)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected DarkGate
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1384290 Sample: mkreafr.msi Startdate: 31/01/2024 Architecture: WINDOWS Score: 100 74 Snort IDS alert for network traffic 2->74 76 Multi AV Scanner detection for dropped file 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 6 other signatures 2->80 10 msiexec.exe 8 17 2->10         started        13 msiexec.exe 5 2->13         started        process3 file4 58 C:\Windows\Installer\MSIA6BC.tmp, PE32 10->58 dropped 15 msiexec.exe 5 10->15         started        17 vbc.exe 13->17         started        19 vbc.exe 13->19         started        process5 process6 21 vlc.exe 4 15->21         started        25 expand.exe 6 15->25         started        27 cmd.exe 15->27         started        29 2 other processes 15->29 file7 48 C:\temp\Autoit3.exe, PE32 21->48 dropped 86 Detected unpacking (creates a PE file in dynamic memory) 21->86 31 Autoit3.exe 11 21->31         started        50 C:\Users\user\AppData\...\vlc.exe (copy), PE32+ 25->50 dropped 52 C:\Users\user\AppData\...\libvlc.dll (copy), PE32+ 25->52 dropped 54 C:\...\ed1a8d1adcc34f429179c0329ea0f0d8.tmp, PE32+ 25->54 dropped 56 C:\...\a90fffff7f932c48801cc75c46923560.tmp, PE32+ 25->56 dropped signatures8 process9 file10 60 C:\ProgramData\achcbhc\Autoit3.exe, PE32 31->60 dropped 66 Machine Learning detection for dropped file 31->66 68 Contains functionality to inject threads in other processes 31->68 70 Contains functionality to inject code into remote processes 31->70 72 3 other signatures 31->72 35 TeWHpvwtrPY.exe 1 3 31->35 injected signatures11 process12 dnsIp13 62 jenb128hiuedfhajduihfa.com 104.21.31.91 CLOUDFLARENETUS United States 35->62 64 172.67.176.41 CLOUDFLARENETUS United States 35->64 82 Sample uses process hollowing technique 35->82 84 Opens the same file many times (likely Sandbox evasion) 35->84 39 WerFault.exe 35->39         started        42 vbc.exe 35->42         started        44 vbc.exe 35->44         started        46 2 other processes 35->46 signatures14 process15 signatures16 88 Opens the same file many times (likely Sandbox evasion) 39->88
Score:
3%
Verdict:
Benign
File Type:
MSI
Link:
https://malprob.io/report/58e2f786321d58631386654265c8fc5298e1e396c219a424de57a3623b4bd994
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/58e2f786321d58631386654265c8fc5298e1e396c219a424de57a3623b4bd994/
Threat name:
Win32.Trojan.Darkgate
Create hunting rule
Status:
Malicious
First seen:
2024-01-31 17:45:08 UTC
File Type:
Binary (Archive)
Extracted files:
42
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ldrppbrsdvmgge4gmvbglsh4kkmody4wyim2ijg6k6rweo2l3gka._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/240131-wbqjjsbdgp/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Uses the VBS compiler for execution
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware family:
DarkGate
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/58e2f786321d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkGate
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/58e2f786321d58631386654265c8fc5298e1e396c219a424de57a3623b4bd994

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Script
Create hunting rule
Author:@bartblaze
Description:Identifies AutoIT script. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

DarkGate

zip a31ac963ee344678ec4386bdac3a9c9cf2804049cb81e5b0daeb65082da09b32

DarkGate

Microsoft Software Installer (MSI) msi 58e2f786321d58631386654265c8fc5298e1e396c219a424de57a3623b4bd994

(this sample)

  
Dropped by
SHA256 a31ac963ee344678ec4386bdac3a9c9cf2804049cb81e5b0daeb65082da09b32
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/473850/
  
Dropped by
MD5 e7fb7aa7dc05e76b1c8054a9a375158f

Comments