MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 893bb5ccc58e1d3ab7d2e28a5ecbf58195d10bc352f800b65d905c9655158439. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkGate


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 893bb5ccc58e1d3ab7d2e28a5ecbf58195d10bc352f800b65d905c9655158439
SHA3-384 hash: a998b146a103398c4359cbb63ed265a08c2804c43e89fd8cff491b3508dc72c6ed2e81db4f74e9b7488e24a8bc84e777
SHA1 hash: f89fe47d0ae4d708876e3e80c250eef6582f148b
MD5 hash: be421d1cfaba686bcafee896c24b4b45
humanhash: oregon-vermont-mockingbird-wyoming
File name:startapp(ffb8a7da0da).msi
Download: download sample
Signature DarkGate
Create hunting rule
File size:8'908'800 bytes
First seen:2023-11-09 14:17:36 UTC
Last seen:2023-11-09 16:18:58 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:PeS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9+MeLGW+x:PdhVs6WXjX9HZ5AQX32WDa8
Threatray 34 similar samples on MalwareBazaar
TLSH T12596332522D9C736D18F2332819BAAA13354BF641BA0C0CB2B94757D25B1BF2DF35B46
TrID 98.2% (.MSI) Microsoft Windows Installer (454500/1/170)
1.7% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter malwarelabnet
Tags:DarkGate msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
165
Origin country :
CA CA
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilMSI.PkillImAfraidOfUnregisteredMSIinstallers.20231026.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug expand fingerprint hacktool installer lolbin packed shell32
Link:
https://www.filescan.io/uploads/654cea210adeb0343352eb2b/reports/f01631cb-25ab-4e20-a278-b448e97e6b5b/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/893bb5ccc58e1d3ab7d2e28a5ecbf58195d10bc352f800b65d905c9655158439
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/893bb5ccc58e1d3ab7d2e28a5ecbf58195d10bc352f800b65d905c9655158439
Result
Threat name:
DarkGate, MailPassView
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1339766
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Deletes shadow drive data (may be related to ransomware)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected DarkGate
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1339766 Sample: startapp(ffb8a7da0da).msi Startdate: 09/11/2023 Architecture: WINDOWS Score: 100 42 Multi AV Scanner detection for domain / URL 2->42 44 Found malware configuration 2->44 46 Antivirus detection for URL or domain 2->46 48 7 other signatures 2->48 8 msiexec.exe 8 17 2->8         started        11 msiexec.exe 5 2->11         started        process3 file4 28 C:\Windows\Installer\MSI2730.tmp, PE32 8->28 dropped 13 msiexec.exe 5 8->13         started        process5 process6 15 windbg.exe 3 13->15         started        19 expand.exe 11 13->19         started        21 cmd.exe 13->21         started        23 2 other processes 13->23 file7 30 C:\tmpa\Autoit3.exe, PE32 15->30 dropped 36 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->36 38 Contains functionality to register a low level keyboard hook 15->38 40 Contains functionality to modify clipboard data 15->40 25 Autoit3.exe 15->25         started        32 C:\...\d095d31a4b264347852783598a6c4a31.tmp, PE32 19->32 dropped 34 C:\...\5cfb2b5e874436468a144d99a313ccef.tmp, PE32 19->34 dropped signatures8 process9 signatures10 50 Deletes shadow drive data (may be related to ransomware) 25->50 52 Contains functionality to modify clipboard data 25->52
Score:
98%
Verdict:
Malware
File Type:
MSI
Link:
https://malprob.io/report/893bb5ccc58e1d3ab7d2e28a5ecbf58195d10bc352f800b65d905c9655158439
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/893bb5ccc58e1d3ab7d2e28a5ecbf58195d10bc352f800b65d905c9655158439/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-11-09 14:18:07 UTC
File Type:
Binary (Archive)
Extracted files:
224
AV detection:
3 of 37 (8.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=re53ltgfryotvn6s4kff5s7vqgk5cc6dkl4abns5sbojmvivqq4q._file
Verdict:
malicious
Similar samples:
3a67f1634416de1483327e8cfe38c456f6891512433f5128df07444e44b886cd
DarkGate
3d36c21c7f255ba1596da6e9a771b61d5120113376f519d13b336343362f2b4a
DarkGate
7a92489050089498d6ec05fb7bdfad37da13bb965023d126c41789c5756e4e02
DarkGate
92ffa8c1f772ff5487bb29f1539148bd6893ab4abf1de7ed603f84cbc39deddb
DarkGate
d4e766f81e567039c44ccca90ef192a7f063c1783224ee4be3e3d7786980e236
DarkGate
eebf1a462cb8ea88eee8af609fc35d3640a2d5b42355f5d6197c7f51a4bac0bb
DarkGate
+ 24 additional samples on MalwareBazaar
Result
Malware family:
darkgate
Create hunting rule
Score:
  10/10
Tags:
family:darkgate botnet:ads5 discovery stealer
Link:
https://tria.ge/reports/231109-rl9yqahg7x/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Drops file in Windows directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
DarkGate
Malware Config
C2 Extraction:
http://siliconerumble.com
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DarkGate
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/893bb5ccc58e1d3ab7d2e28a5ecbf58195d10bc352f800b65d905c9655158439

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments