MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d4115e88411e7bcac9ed622dbb6554ff4015c6f9fed98a5427970ceada526e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkGate
Vendor detections: 7

SHA256 hash: 7d4115e88411e7bcac9ed622dbb6554ff4015c6f9fed98a5427970ceada526e6
SHA3-384 hash: 7597509bcbe82c4ce6c8e3e57fb01414acc65f554a6bb16593628722fa4a89a01cf8de909d390bed56635ead436809ca
SHA1 hash: cbdcdefb3328f1473bb1da624ed2bf9515ffd2c3
MD5 hash: a19d814f720701a258a6e8b5a22b22c9
humanhash: avocado-pluto-michigan-fourteen
File name: bye.vbs
Signature: DarkGate
File size: 20'013 bytes
First seen: 2023-10-03 03:20:17 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 384:fwcem3DxZbJ6TZZfOEcMR/vuvP3RhbWbdVIIo+T6ncfzeQhs7h7:YcXZ16/+MRSbbaX9yp7h7
TLSH: T1B7921917B184151745C24793F14AA2B3AEADC031878E13E1ECEED2297A8E4EDD20F2F0
Reporter: JAMESWT_WT
Tags: DarkGate greadeaoptimalle-com searcherbigdealk-com vbs

Intelligence

File Origin
# of uploads: 1
# of downloads: 146
Origin country: IT
Vendor Threat Intelligence
Result
Verdict: MALICIOUS
Result
Threat name: DarkGate
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Sigma detected: DarkGate
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Uses known network protocols on non-standard ports
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DarkGate
Behaviour
Behavior Graph (ID 1318430; sample bye.vbs; start date 03/10/2023; architecture WINDOWS; score 100), flattened from the graph view:
Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 7 other signatures. Contacted domain: searcherbigdealk.com.
wscript.exe (started)
  network: searcherbigdealk.com, 161.35.113.58, ports 2351, 49779, 49780, DIGITALOCEAN-ASN US, United States
  signatures: System process connects to network (likely due to code injection or exploit); VBScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage)
  cmd.exe (started)
    dropped: C:\dcvj\dcvj.exe (PE32+)
    dcvj.exe (started, two instances); network: searcherbigdealk.com; dropped: C:\dcvj\Autoit3.exe (PE32)
    Autoit3.exe (started)
    conhost.exe (started)
Threat name: Script-WScript.Trojan.Heuristic
Status: Malicious
First seen: 2023-10-02 18:24:04 UTC
File Type: Text
AV detection: 6 of 34 (17.65%)
Threat level: 2/5
Verdict: unknown
Result
Malware family: darkgate
Score: 10/10
Tags: family:darkgate stealer
Behaviour
Checks processor information in registry
Script User-Agent
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
DarkGate
Malware Config
C2 Extraction: http://searcherbigdealk.com
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments