MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b5c5163edae524314762a092cec99048c13d4ead9d990e901d17dade365bbeb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkGate


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b5c5163edae524314762a092cec99048c13d4ead9d990e901d17dade365bbeb
SHA3-384 hash: b36e455612c3a41eee49ff9ecdf8a17f20820c46aea2ca484a096b8e8d3cbc4f3cc0cdff0134727eec8a4406bacdc4c1
SHA1 hash: a259afdfc343cfb473bfc396fe8d9b659a4b1f88
MD5 hash: 083cda04c8a1e778015a9354b4e76155
humanhash: grey-burger-table-summer
File name:scannerip_v1.492.msi
Download: download sample
Signature DarkGate
Create hunting rule
File size:3'043'328 bytes
First seen:2023-09-14 07:01:23 UTC
Last seen:2023-09-14 12:36:55 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:5pUPt3zSRaU9ha2gyQdOXAu3i1/GX/W05a0QVF31oJQ8SCwYrJRclbJYqbAKR:5pKSRaUF9MOXT3iMX/W0cVnsQ/ClRuKV
Threatray 1 similar samples on MalwareBazaar
TLSH T1E6E523523BD5C536D2AE0637487B97292A367E344B20E0CFB380367D9E313D2A579396
TrID 98.2% (.MSI) Microsoft Windows Installer (454500/1/170)
1.7% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter 1ZRR4H
Tags:80.66.88.145 DarkGate msi

Intelligence

File Origin
# of uploads :
3
# of downloads :
167
Origin country :
CL CL
Vendor Threat Intelligence
Detection:
DarkGate
Create hunting rule
Link:
https://www.capesandbox.com/analysis/448548/
Detection(s):
MiscreantPunch.SingleXOR.EXE.238.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
expand fingerprint lolbin masquerade packed shell32
Link:
https://www.filescan.io/uploads/6502afec9bae8a3785568c94/reports/9fd4b460-4cd0-49d9-9262-797fa30751aa/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/6b5c5163edae524314762a092cec99048c13d4ead9d990e901d17dade365bbeb
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/6b5c5163edae524314762a092cec99048c13d4ead9d990e901d17dade365bbeb
Result
Threat name:
DarkGate
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1307699
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Contains functionality to modify clipboard data
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected DarkGate
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1307699 Sample: scannerip_v1.492.msi Startdate: 14/09/2023 Architecture: WINDOWS Score: 72 42 Multi AV Scanner detection for dropped file 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected DarkGate 2->46 8 msiexec.exe 8 17 2->8         started        11 msiexec.exe 3 2->11         started        process3 file4 28 C:\Windows\Installer\MSIF1B2.tmp, PE32 8->28 dropped 30 C:\Windows\Installer\MSI3870.tmp, PE32 8->30 dropped 13 msiexec.exe 5 8->13         started        process5 process6 15 expand.exe 68 13->15         started        18 Lightshot.exe 3 13->18         started        21 icacls.exe 13->21         started        23 icacls.exe 13->23         started        file7 32 C:\Users\user\AppData\...\uploader.dll (copy), PE32 15->32 dropped 34 C:\Users\user\AppData\...\net.dll (copy), PE32 15->34 dropped 36 C:\Users\user\...\keyscrambler.sys (copy), PE32+ 15->36 dropped 40 15 other files (13 malicious) 15->40 dropped 38 C:\test\Autoit3.exe, PE32 18->38 dropped 48 Contains functionality to modify clipboard data 18->48 50 Contains functionality to detect sleep reduction / modifications 18->50 25 Autoit3.exe 18->25         started        signatures8 process9 signatures10 52 Contains functionality to modify clipboard data 25->52 54 Contains functionality to detect sleep reduction / modifications 25->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b5c5163edae524314762a092cec99048c13d4ead9d990e901d17dade365bbeb/
Threat name:
Win32.Trojan.Darkgate
Create hunting rule
Status:
Suspicious
First seen:
2023-09-14 07:02:06 UTC
File Type:
Binary (Archive)
Extracted files:
208
AV detection:
9 of 38 (23.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nnofcy7nvzjegfdwfiesz3ezasgbhvhk3hmzb2ib2f623y3fxpvq._file
Verdict:
unknown
Similar samples:
b61ac8b8fabd1b494f4d22e5a1f0b920da55e5827e588361a77c135909387dc3
DarkGate
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/230914-htr87scg32/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/6b5c5163edae524314762a092cec99048c13d4ead9d990e901d17dade365bbeb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkGate

Microsoft Software Installer (MSI) msi 6b5c5163edae524314762a092cec99048c13d4ead9d990e901d17dade365bbeb

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/448548/
  
URLhaus
https://urlhaus.abuse.ch/url/2711686/
  
Delivery method
Distributed via web download

Comments