MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6da198925581418863170f05b832cd1584b923278d0730d779a30ec96513111d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkGate


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6da198925581418863170f05b832cd1584b923278d0730d779a30ec96513111d
SHA3-384 hash: 479412d57760034bb6fc2a8d9d9f3609be53cc75b678643a110554e2ea227301aaedc08ebc9ef0fdee4fe65e74dc28a5
SHA1 hash: 51588315ff4ae36412c337361ea65f84810938d8
MD5 hash: fbf5d7b4c5f0e86a95b4fcd5c5ccc534
humanhash: tennessee-connecticut-glucose-island
File name:1c532f2594.msi
Download: download sample
Signature DarkGate
Create hunting rule
File size:8'941'568 bytes
First seen:2023-11-09 16:04:12 UTC
Last seen:2023-11-09 17:16:11 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:0eS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9OtaQCK0Ex7FVJi0:0dhVs6WXjX9HZ5AQX32WDb0ExZV8
Threatray 37 similar samples on MalwareBazaar
TLSH T1F4963361728AC639D18B173AC156EAA13714BF545B70D1CB2B987C2C2630BF29F75B83
TrID 98.2% (.MSI) Microsoft Windows Installer (454500/1/170)
1.7% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter abuse_ch
Tags:botnet-PLEX DarkGate msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
181
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilMSI.PkillImAfraidOfUnregisteredMSIinstallers.20231026.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug expand fingerprint hacktool installer lolbin packed shell32
Link:
https://www.filescan.io/uploads/654d0334886b1623ff3cdb41/reports/405bee03-3185-435e-8995-b43a00f72005/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/6da198925581418863170f05b832cd1584b923278d0730d779a30ec96513111d
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/6da198925581418863170f05b832cd1584b923278d0730d779a30ec96513111d
Result
Threat name:
DarkGate, MailPassView
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1339856
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Deletes shadow drive data (may be related to ransomware)
Found malware configuration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected DarkGate
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1339856 Sample: 1c532f2594.msi Startdate: 09/11/2023 Architecture: WINDOWS Score: 96 42 Found malware configuration 2->42 44 Yara detected DarkGate 2->44 46 Yara detected MailPassView 2->46 48 3 other signatures 2->48 8 msiexec.exe 12 20 2->8         started        11 msiexec.exe 5 2->11         started        process3 file4 28 C:\Windows\Installer\MSIE409.tmp, PE32 8->28 dropped 13 msiexec.exe 5 8->13         started        process5 process6 15 windbg.exe 3 13->15         started        19 expand.exe 11 13->19         started        21 cmd.exe 13->21         started        23 2 other processes 13->23 file7 30 C:\tmpa\Autoit3.exe, PE32 15->30 dropped 36 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->36 38 Contains functionality to register a low level keyboard hook 15->38 40 Contains functionality to modify clipboard data 15->40 25 Autoit3.exe 15->25         started        32 C:\...\d4f40ad1afac5641a9d55aa8812e512c.tmp, PE32 19->32 dropped 34 C:\...\68cd7668899ee34685a8650377dcd787.tmp, PE32 19->34 dropped signatures8 process9 signatures10 50 Deletes shadow drive data (may be related to ransomware) 25->50 52 Contains functionality to modify clipboard data 25->52
Score:
98%
Verdict:
Malware
File Type:
MSI
Link:
https://malprob.io/report/6da198925581418863170f05b832cd1584b923278d0730d779a30ec96513111d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6da198925581418863170f05b832cd1584b923278d0730d779a30ec96513111d/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-11-09 15:52:54 UTC
File Type:
Binary (Archive)
Extracted files:
224
AV detection:
1 of 36 (2.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nwqzresvqfayqyyxb4c3qmwncwclsizhrudtbv3zumhmszitceoq._file
Verdict:
malicious
Similar samples:
3a67f1634416de1483327e8cfe38c456f6891512433f5128df07444e44b886cd
DarkGate
3d36c21c7f255ba1596da6e9a771b61d5120113376f519d13b336343362f2b4a
DarkGate
893bb5ccc58e1d3ab7d2e28a5ecbf58195d10bc352f800b65d905c9655158439
DarkGate
92ffa8c1f772ff5487bb29f1539148bd6893ab4abf1de7ed603f84cbc39deddb
DarkGate
eebf1a462cb8ea88eee8af609fc35d3640a2d5b42355f5d6197c7f51a4bac0bb
DarkGate
+ 27 additional samples on MalwareBazaar
Result
Malware family:
darkgate
Create hunting rule
Score:
  10/10
Tags:
family:darkgate botnet:plex discovery stealer
Link:
https://tria.ge/reports/231109-tjg62aac8t/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Drops file in Windows directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
DarkGate
Malware Config
C2 Extraction:
http://jordanmikejeforse.com
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkGate
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6da198925581418863170f05b832cd1584b923278d0730d779a30ec96513111d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments