MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8eed563dfc4c42a1f4aae628df948566bceda3aa3297eb61647156a52737e6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkGate


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8eed563dfc4c42a1f4aae628df948566bceda3aa3297eb61647156a52737e6f
SHA3-384 hash: a0638e51fbe7bd873d8e10ccd890edef8b0e941bf5612b845b0efeb0df065819d881c8775d133c1754751fb6b4bfa4b9
SHA1 hash: 5a37216d4175024e786f657c9dfa5c2de2c7851f
MD5 hash: 2d02b1d2ea79eaebda6d221ee6e8fdf2
humanhash: angel-whiskey-april-california
File name:okkk.msi
Download: download sample
Signature DarkGate
Create hunting rule
File size:2'174'976 bytes
First seen:2023-08-31 17:37:58 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:mpUPhCTtpQOcLFqCGSO+XTX/PJtpiEOzAcrgAuzGPDWfec7zR:mpgMtcFqCG4DX/UEOzjrgAuzoWfec7t
Threatray 656 similar samples on MalwareBazaar
TLSH T185A523113B8AC536DAD60731417787B52A697CB51F30C1CFB7993A6C5B32AD2A938323
TrID 98.2% (.MSI) Microsoft Windows Installer (454500/1/170)
1.7% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter r3dbU7z
Tags:DarkGate msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
157
Origin country :
RU RU
Vendor Threat Intelligence
Detection:
DarkGate
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445515/
Detection(s):
MiscreantPunch.SingleXOR.EXE.222.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
expand fingerprint lolbin packed shell32
Link:
https://www.filescan.io/uploads/64f0cffcbbdbeaefbce274ea/reports/6a1883db-69d3-46a1-9477-4ed6bc3ffb9b/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/a8eed563dfc4c42a1f4aae628df948566bceda3aa3297eb61647156a52737e6f
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/a8eed563dfc4c42a1f4aae628df948566bceda3aa3297eb61647156a52737e6f
Result
Threat name:
Darkgate
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1301212
Signature
Connects to many ports of the same IP (likely port scanning)
Contains functionality to modify clipboard data
Creates a thread in another existing process (thread injection)
Detected unpacking (creates a PE file in dynamic memory)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Yara detected Darkgate
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1301212 Sample: okkk.msi Startdate: 31/08/2023 Architecture: WINDOWS Score: 84 72 Yara detected Darkgate 2->72 74 Sample uses string decryption to hide its real strings 2->74 76 Connects to many ports of the same IP (likely port scanning) 2->76 78 2 other signatures 2->78 12 msiexec.exe 8 19 2->12         started        15 Autoit3.exe 2->15         started        18 msiexec.exe 5 2->18         started        process3 file4 66 C:\Windows\Installer\MSIB436.tmp, PE32 12->66 dropped 68 C:\Windows\Installer\MSI979F.tmp, PE32 12->68 dropped 20 msiexec.exe 5 12->20         started        90 Detected unpacking (creates a PE file in dynamic memory) 15->90 22 cmd.exe 15->22         started        signatures5 process6 process7 24 KeyScramblerLogon.exe 2 20->24         started        27 expand.exe 23 20->27         started        29 icacls.exe 20->29         started        31 icacls.exe 20->31         started        file8 56 C:\Users\user\AppData\Local\...\Autoit3.exe, PE32 24->56 dropped 33 Autoit3.exe 7 24->33         started        58 C:\Users\user\...\keyscrambler.sys (copy), PE32 27->58 dropped 60 C:\Users\user\...\Uninstall.exe (copy), PE32 27->60 dropped 62 C:\Users\user\...\QFXUpdateService.exe (copy), PE32 27->62 dropped 64 13 other files (none is malicious) 27->64 dropped process9 file10 52 C:\temp\AutoIt3.exe, PE32 33->52 dropped 80 Detected unpacking (creates a PE file in dynamic memory) 33->80 82 Contains functionality to modify clipboard data 33->82 84 Creates a thread in another existing process (thread injection) 33->84 37 cmd.exe 3 33->37         started        42 AdobeCollabSync.exe 33->42         started        signatures11 process12 dnsIp13 70 88.99.105.55, 2351, 49163, 49164 HETZNER-ASDE Germany 37->70 54 C:\ProgramData\khbhhbf\Autoit3.exe, PE32 37->54 dropped 86 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 37->86 88 Creates a thread in another existing process (thread injection) 37->88 44 RdrServicesUpdater.exe 37->44         started        46 Eula.exe 37->46         started        file14 signatures15 process16 process17 48 mip.exe 44->48         started        process18 50 Wkconv.exe 48->50         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a8eed563dfc4c42a1f4aae628df948566bceda3aa3297eb61647156a52737e6f/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vdxnky67ytccuh2kvzri36kikzv45wr2umux5nqwi4kwuuttpzxq._file
Verdict:
suspicious
Similar samples:
06724c588f5b9381effa96ca72ae6c136b6ec64ae1e898942d34142e40078bab
DarkGate
21ada98043ea73edf58648a2a43856bed7f8e9fafdc948aae020b1dbb3053d90
DarkGate
349fcfd6f24473d8b0c9429c0f71459a178125b6d42a48129d357ce99eca94fe
DarkGate
54f791796231f7899d753f0ba44e7387bf7748dc7a28adbd28f2067c9ab88605
DarkGate
6b2a97d42b3da43843b8cbfc4fa53d954be3b041e853c9cd87bb37fe88a91573
DarkGate
719cf0c9eba47af19500753dc4213f551efdc09f13e2c71ef0e39b08a7aca888
DarkGate
7e19416205cfb8e056d4628bdeb635e29cefba04fcb21ee55e7b0077427e4c99
DarkGate
a0ee463632a3799ed2b21d598d1fa8c4ed7198f3debd175a1eb89b2055b57ccd
DarkGate
ae4ccd912a3f2ad87789956660ee5485bb5fcd0f36c1d0d4f1272e3ae1f668f3
DarkGate
b02c2218b9249530276db1fc8e233dffde2beba38b1d90b9549ca650029ab90f
DarkGate
+ 646 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery
Link:
https://tria.ge/reports/230831-v7prfsgf3y/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
NSIS installer
Drops file in Windows directory
Enumerates connected drives
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a8eed563dfc4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a8eed563dfc4c42a1f4aae628df948566bceda3aa3297eb61647156a52737e6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkGate

Microsoft Software Installer (MSI) msi a8eed563dfc4c42a1f4aae628df948566bceda3aa3297eb61647156a52737e6f

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/445515/

Comments