MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0a0a3ac8865737a917983d10cf7307ed235aa4102d146f6858818694ab8f3f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry
DarkGate


Vendor detections: 10


SHA256 hash: d0a0a3ac8865737a917983d10cf7307ed235aa4102d146f6858818694ab8f3f4
SHA3-384 hash: c217390c4698158b2012611c1695dd2f9f456fd20dfbb2a611dcbf8dd12a3898bc6888681a012b56196fe6920abea26f
SHA1 hash: 7c3deb150d73fe97e8efd1086bd42dca859a4766
MD5 hash: 8f82b80d2996a27e5efd72c1748a6048
humanhash: nine-avocado-kansas-michigan
File name: 8474da7e8a71af08d6c2eae2de2a93edc2b77bb93399fc1b1895fbd8.msi
Signature: DarkGate
File size: 2'936'832 bytes
First seen: 2023-10-19 15:40:04 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 49152:KpUPZCQMukBtM5X1nMg1Y6PWG0QIaqZQxxWsprXhTrdMqsI1Jqf1vOEMH+3iplvB:Kp2czg71Y6PWGZIaOYxWs1hTrdMqvJqg
Threatray: 8 similar samples on MalwareBazaar
TLSH: T130D5235237DD8239E29E067795FFDB663A757C380B61C0CF67D07A984830AD2A939306
TrID: 98.2% (.MSI) Microsoft Windows Installer (454500/1/170)
      1.7% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: r3dbU7z
Tags: DarkGate msi

Intelligence


File Origin
# of uploads: 1
# of downloads: 183
Origin country: RU
Vendor Threat Intelligence
Verdict: No Threat
Threat level: 10/10
Confidence: 100%
Tags: anti-debug expand fingerprint hacktool installer lolbin packed shell32
Result
Threat name: DarkGate, MailPassView
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Deletes shadow drive data (may be related to ransomware)
Found malware configuration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Yara detected DarkGate
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph ID: 1328799 (sample 8474da7e8a71af08d6c2eae2de2..., start date 19/10/2023, architecture WINDOWS, score 100)
Top-level signatures: Found malware configuration; Antivirus detection for URL or domain; Yara detected DarkGate; 6 other signatures
Process tree recovered from the graph (the graph image itself is not reproduced here):
msiexec.exe (started by the sample)
    dropped: C:\Windows\Installer\MSIBE50.tmp (PE32); C:\Windows\Installer\MSI74C5.tmp (PE32)
    msiexec.exe
        windbg.exe
            dropped: C:\tmpp\Autoit3.exe (PE32)
            signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Contains functionality to register a low level keyboard hook; Contains functionality to modify clipboard data
            Autoit3.exe
                network: 185.130.227.202, ports 2351, 49163, 49164 (HOSTKEY-ASNL, Netherlands)
                dropped: C:\temp\AutoIt3.exe (PE32)
                signatures: Deletes shadow drive data (may be related to ransomware); Contains functionality to modify clipboard data
                cmd.exe
                    signature: Uses ping.exe to check the status of other devices and networks
                    PING.EXE
                        network: 127.0.0.1 (unknown)
                cmd.exe
                    dropped: C:\ProgramData\feddbeh\Autoit3.exe (PE32)
                    signature: Deletes shadow drive data (may be related to ransomware)
        expand.exe
            dropped: C:\...\dd7d68ac04cef2418993f10e0ec0e1c0.tmp (PE32); C:\...\8d22e48ccbce7d418abd9b86affbf224.tmp (PE32); C:\...\8b74129bf85a814398a652b6eb38bcb5.tmp (PE32)
        icacls.exe
        icacls.exe
Autoit3.exe (started by the sample)
    signatures: Deletes shadow drive data (may be related to ransomware); Contains functionality to modify clipboard data
    cmd.exe
        signature: Deletes shadow drive data (may be related to ransomware)
    cmd.exe
msiexec.exe (started by the sample)
Threat name: Win32.Trojan.Darkgate
Status: Suspicious
First seen: 2023-10-19 15:41:06 UTC
File Type: Binary (Archive)
Extracted files: 129
AV detection: 7 of 21 (33.33%)
Threat level: 5/5
Result
Malware family: darkgate
Score: 10/10
Tags: family:darkgate botnet:civilian1337 discovery stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Enumerates connected drives
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
DarkGate
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction: http://185.130.227.202
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_OLE_file_magic_number
Author: Didier Stevens (https://DidierStevens.com)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: DarkGate
File type: Microsoft Software Installer (MSI) msi
SHA256 hash: d0a0a3ac8865737a917983d10cf7307ed235aa4102d146f6858818694ab8f3f4 (this sample)

Delivery method
Distributed via web download

Comments