MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63504a7e967d5983fd36d4b4c96284332104758a19dbc9c7a0ff4225d6f8ff13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkGate

Vendor detections: 7

Intelligence 7 IOCs YARA 5 File information Comments

SHA256 hash:	63504a7e967d5983fd36d4b4c96284332104758a19dbc9c7a0ff4225d6f8ff13
SHA3-384 hash:	d1d5b9436c23b7cf0d0c3c82d163b64156803f69131a2e6a724643be5991eb0da475cc6b7de852b6cf705650218ee8f2
SHA1 hash:	a8bcbc46c021888911c1a39cce01feeb92eeddba
MD5 hash:	9c743eed9f08294c6cb4f091bfcc9d5a
humanhash:	early-quiet-black-wyoming
File name:	build-x64.zip
Download:	download sample
Signature	DarkGate Create hunting rule
File size:	2'536'202 bytes
First seen:	2024-02-14 12:55:21 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	49152:u43NPQUNYYeVKo9x5Kpu7ejYFMyImIZ7hkSRua84ioGR0ExxL6fQkOaf4Ila:uaoUNYYy9x5Kpu7ejYFMyOhkQBliLR0s
TLSH	T172C53348CE6B1596900997EB1745E7108A64D78ECB755CC9BA0FC2BF700ABF8DFD2068
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	e24111111111111
Tags:	DarkGate zip

e24111111154168

http://95.164.63.54/documents/build-x64.zip

Intelligence

File Origin

# of uploads :

# of downloads :

158

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	build-x64.msi
File size:	6'094'848 bytes
SHA256 hash:	3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e
MD5 hash:	2999391319cda1be5dacfaf5b05062b2
MIME type:	application/x-msi
Signature	DarkGate

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Win64.InjectorX-gen.30355.5447.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

alien expand fingerprint hook installer lolbin packed shell32

Link:

https://www.filescan.io/uploads/65ccb867276e7c195323c48b/reports/a0d4a0ff-260b-4819-b6ef-de5486913aee/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/63504a7e967d5983fd36d4b4c96284332104758a19dbc9c7a0ff4225d6f8ff13

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/63504a7e967d5983fd36d4b4c96284332104758a19dbc9c7a0ff4225d6f8ff13

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/63504a7e967d5983fd36d4b4c96284332104758a19dbc9c7a0ff4225d6f8ff13/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2024-02-13 18:29:00 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

8 of 38 (21.05%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mnieu7uwpvmyh7jw2s2msyuegmqqi5mkdhn4tr5a75bclvxy74jq._file

Result

Malware family:

darkgate

Score:

10/10

Tags:

family:darkgate discovery stealer

Link:

https://tria.ge/reports/240214-qey27sbd9t/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Blocklisted process makes network request

Enumerates connected drives

Modifies file permissions

DarkGate

Detect DarkGate stealer

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DarkGate

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/63504a7e967d5983fd36d4b4c96284332104758a19dbc9c7a0ff4225d6f8ff13

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Script Create hunting rule
Author:	@bartblaze
Description:	Identifies AutoIT script. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_OLE_file_magic_number Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

DarkGate

zip 63504a7e967d5983fd36d4b4c96284332104758a19dbc9c7a0ff4225d6f8ff13

(this sample)

DarkGate

msi 3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e

Dropping

SHA256 3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/2761148/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample