MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a560e6a44971daf538ef7d5847f43d36810b30327b41966c048ce49be16f96bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkGate


Vendor detections: 14


Intelligence 14 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a560e6a44971daf538ef7d5847f43d36810b30327b41966c048ce49be16f96bd
SHA3-384 hash: 836384658d84df58f1e7def3a9739ebf5313fcc0f9b0cb5737e9f5ef5510ea966cfd3bcd9778965819fb53b7366cc74c
SHA1 hash: 6bf9a3a8918729fe2718d44c22f9d24d78f10a2e
MD5 hash: c0a883f68cecd67c63bd67b28201ffc5
humanhash: mockingbird-florida-fix-gee
File name:a560e6a44971daf538ef7d5847f43d36810b30327b41966c048ce49be16f96bd
Download: download sample
Signature DarkGate
Create hunting rule
File size:163'840 bytes
First seen:2024-10-19 14:24:54 UTC
Last seen:2024-10-19 15:34:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5cdb494066e0f26fc86d822bd403e55b (1 x DarkGate)
ssdeep 3072:NFOgGczyoO96R6hJv6eOc+WXQn71OScqPcdi/8FI:NFO3KyohRrkQnJcocs/
Threatray 15 similar samples on MalwareBazaar
TLSH T17CF36B22F0C19876D0B21E7C9E0AB6DAA42EFE202E3C545B75E80E4D5B3D691646C3D7
TrID 52.9% (.EXE) Win32 Executable (generic) (4504/4/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter NDA0E
Tags:DarkGate exe unpacked

Intelligence

File Origin
# of uploads :
2
# of downloads :
483
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a560e6a44971daf538ef7d5847f43d36810b30327b41966c048ce49be16f96bd
Verdict:
No threats detected
Analysis date:
2024-10-19 14:27:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5ed95228-bf87-434a-abcd-3f5f229362cc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Agent-BDMJ.18015.29304.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6713c14034f884d15c8d26c6
Tags:
Delfinject Shellcode Vmdetect Dropper
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm anti-vm borland_delphi evasive fingerprint lolbin remote shell32
Link:
https://www.filescan.io/uploads/6713c13fc06827a6f6b055dc/reports/7c6c4d07-0b70-40a3-8ceb-d29253026845/overview
Verdict:
Malicious
Labled as:
Fugrafa.Generic
Link:
https://www.hybrid-analysis.com/sample/a560e6a44971daf538ef7d5847f43d36810b30327b41966c048ce49be16f96bd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkGate
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0a309dfe-52f0-4bfa-bed2-ebd201697e6c
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1537781
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Behaviour
Behavior Graph:
Download SVG
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a560e6a44971daf538ef7d5847f43d36810b30327b41966c048ce49be16f96bd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a560e6a44971daf538ef7d5847f43d36810b30327b41966c048ce49be16f96bd/
Threat name:
Win32.Trojan.DarkGate
Create hunting rule
Status:
Malicious
First seen:
2024-10-19 14:25:05 UTC
File Type:
PE (Exe)
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uvqonjcjohnpkohppvmep5b5g2aqwmbspnazm3aertsjxylps26q._file
Verdict:
malicious
Label(s):
darkgate
Create hunting rule
Similar samples:
2e6db642fad3918398b520cf655d6ca7fc040bd177e30a30bd7f549adb4e48c0
DarkGate
37fcd674643b9586fdcecce7ed04f7f47509553a282dcdfa21c501dd03e3e941
DarkGate
7423aa8ba840f6ca0d746ef6708363f1a75ced682859a9eb26df5d8faabf5854
DarkGate
9edbe8d6aee72e51c4d49d259faf757c71470e2036cb72d151d19512fbb0ddce
DarkGate
a560e6a44971daf538ef7d5847f43d36810b30327b41966c048ce49be16f96bd
DarkGate
b422f4ef542446bcac80afc015c26e82fd783caa52c32d35ee44cda0614cffe9
DarkGate
bb870923c6ac61383177d3bb41726ea290a29a4a762fd681dec3d4f6cc19ed93
DarkGate
d808c118c79794569869cf92a8bbcb60ed29b2815282f048da66a7ecc4e254bd
DarkGate
error
DarkGate
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b
DarkGate
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/241019-rq95aa1amc/
Behaviour
Checks processor information in registry
System Location Discovery: System Language Discovery
Verdict:
Malicious
Tags:
loader darkgate
YARA:
DarkGate Windows_Trojan_DarkGate_07ef6f14 MAL_CRIME_Loader_WIN_PE_DarkGate_Jan9
Link:
https://app.threat.zone/submission/3a86a6c1-3a99-4d51-991e-d4aa75a715e3
Unpacked files
SH256 hash:
a560e6a44971daf538ef7d5847f43d36810b30327b41966c048ce49be16f96bd
MD5 hash:
c0a883f68cecd67c63bd67b28201ffc5
SHA1 hash:
6bf9a3a8918729fe2718d44c22f9d24d78f10a2e
Detections:
win_darkgate_w1
Create hunting rule
Link:
https://www.unpac.me/results/34e373b7-968c-4a19-8c28-264ab890a51e/
Parent samples :
822b737a9db5ead10aec86a34feb57141e43c5679b620ce3191d335997a3f44d
a560e6a44971daf538ef7d5847f43d36810b30327b41966c048ce49be16f96bd
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a560e6a44971daf538ef7d5847f43d36810b30327b41966c048ce49be16f96bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DarkGate
Create hunting rule
Author:enzok
Description:DarkGate Payload
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_642df623
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_DarkGate_07ef6f14
Create hunting rule
Author:Elastic Security
Rule name:Win_DarkGate
Create hunting rule
Author:0xToxin
Description:DarkGate Strings Decryption Routine
Rule name:win_darkgate_w1
Create hunting rule
Author:enzok
Description:DarkGate Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

tar 00283f31ab994fb21115ac05c76f31a4554de053cac7a3a070bc69341b91c054

Amadey

Executable exe 822b737a9db5ead10aec86a34feb57141e43c5679b620ce3191d335997a3f44d

DarkGate

Executable exe a560e6a44971daf538ef7d5847f43d36810b30327b41966c048ce49be16f96bd

(this sample)

  
Dropped by
SHA256 822b737a9db5ead10aec86a34feb57141e43c5679b620ce3191d335997a3f44d
  
Dropped by
MD5 5298db7bfc6a857c39a87dd4d0ac7d87

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessA
kernel32.dll::WriteProcessMemory
kernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::TerminateProcess
ntdll.dll::NtQueryInformationProcess
kernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileW
kernel32.dll::CreateFileA
kernel32.dll::GetFileAttributesA
kernel32.dll::FindFirstFileA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegCreateKeyExA
advapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
advapi32.dll::RegSetValueExA

Comments