MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkGate


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b
SHA3-384 hash: bd495cfa5088d75f83792fe4b33809a63834754b214d5408c9255850dc30ddc4d7c528df8fe15e3b81f9702a4f775467
SHA1 hash: fbfc15ded2ebd130c92d812c26dc052561f7ff83
MD5 hash: 4fa734db8e9f7ce5ecd217b34ecc6969
humanhash: montana-wyoming-harry-lemon
File name:SecuriteInfo.com.Win32.Malware-gen.6717.12233
Download: download sample
Signature DarkGate
Create hunting rule
File size:11'706'613 bytes
First seen:2024-09-18 16:45:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 40ab50289f7ef5fae60801f88d4541fc (59 x ValleyRAT, 49 x Gh0stRAT, 41 x OffLoader)
ssdeep 196608:FfhVx6cyJczra+6msUjFD8rXPLJy5rRUlXmBPzLMAoUsJBK7iskeDqQ7poZ:FfrABJq2+6mnD8b9y9RU8zLMAoUsJBKK
Threatray 69 similar samples on MalwareBazaar
TLSH T1BAC62323B2C7E53AF05D0B3B0AB3A55594F77A626523BE52E7E084FCCE261501D7E206
TrID 45.4% (.EXE) Inno Setup installer (107240/4/30)
24.3% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
17.6% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
2.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika pebin
File icon (PE):PE icon
dhash icon e9e2eae6b696c6ec (11 x LummaStealer, 4 x Vidar, 2 x FickerStealer)
Reporter SecuriteInfoCom
Tags:Arechclient2 DarkGate exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
461
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://openvpn-connect-win.pages.dev
Verdict:
Malicious activity
Analysis date:
2024-09-11 19:02:19 UTC
Tags:
loader crypto-regex python
Link:
https://app.any.run/tasks/0f2e0d95-7eff-4058-aa87-37d0defc92ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.6717.12233.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66eb03cd5d6a2b58599ab21c
Tags:
Discovery Execution Generic Network Stealth Trojan Msil
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
embarcadero_delphi fingerprint installer lolbin overlay packed setupapi shell32
Link:
https://www.filescan.io/uploads/66eb03cf0883d6a903ec50b4/reports/5550b228-6b94-4b3d-b1dc-30ac48676542/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c354bdd2-6595-4ab4-8eb9-116e1783a254
Result
Threat name:
RedLine, SectopRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1513342
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected RedLine Stealer
Yara detected SectopRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1513342 Sample: SecuriteInfo.com.Win32.Malw... Startdate: 18/09/2024 Architecture: WINDOWS Score: 100 96 Suricata IDS alerts for network traffic 2->96 98 Malicious sample detected (through community Yara rule) 2->98 100 Antivirus / Scanner detection for submitted sample 2->100 102 6 other signatures 2->102 12 SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe 2 2->12         started        15 AutoIt3.exe 2->15         started        17 AutoIt3.exe 2->17         started        process3 file4 82 SecuriteInfo.com.W...-gen.6717.12233.tmp, PE32 12->82 dropped 19 SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp 3 5 12->19         started        22 MSBuild.exe 15->22         started        24 MSBuild.exe 17->24         started        process5 file6 72 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 19->72 dropped 74 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 19->74 dropped 26 SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe 2 19->26         started        process7 file8 78 SecuriteInfo.com.W...-gen.6717.12233.tmp, PE32 26->78 dropped 29 SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp 5 60 26->29         started        process9 file10 84 C:\Users\user\AppData\Local\...\is-Q7BSH.tmp, PE32 29->84 dropped 86 C:\Users\user\AppData\...\AutoIt3.exe (copy), PE32 29->86 dropped 88 C:\Users\user\...\wmfclearkey.dll (copy), PE32+ 29->88 dropped 90 39 other files (none is malicious) 29->90 dropped 32 AutoIt3.exe 2 29->32         started        34 cmd.exe 1 29->34         started        36 cmd.exe 1 29->36         started        38 4 other processes 29->38 process11 process12 40 cmd.exe 1 32->40         started        43 conhost.exe 34->43         started        53 2 other processes 34->53 45 conhost.exe 36->45         started        55 2 other processes 36->55 47 conhost.exe 38->47         started        49 conhost.exe 38->49         started        51 conhost.exe 38->51         started        57 9 other processes 38->57 signatures13 112 Uses ping.exe to sleep 40->112 114 Uses ping.exe to check the status of other devices and networks 40->114 59 AutoIt3.exe 1 4 40->59         started        62 PING.EXE 1 40->62         started        65 conhost.exe 40->65         started        process14 dnsIp15 80 C:\eegeaeg\AutoIt3.exe, PE32 59->80 dropped 67 MSBuild.exe 15 20 59->67         started        94 127.0.0.1 unknown unknown 62->94 file16 process17 dnsIp18 92 45.141.86.82, 15647, 49722, 49723 MEDIALAND-ASRU Russian Federation 67->92 76 C:\Users\user\AppData\...\Secure Preferences, JSON 67->76 dropped 104 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 67->104 106 Found many strings related to Crypto-Wallets (likely being stolen) 67->106 108 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 67->108 110 2 other signatures 67->110 file19 signatures20
Score:
32%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b/
Threat name:
Win32.Backdoor.Sectoprat
Create hunting rule
Status:
Suspicious
First seen:
2024-09-03 20:39:26 UTC
File Type:
PE (Exe)
AV detection:
14 of 38 (36.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6nmn3z5v7clnqulhpitrwtja44gn6nvj5245vgyacvknmxqcu4nq._file
Verdict:
malicious
Label(s):
darkgate
Create hunting rule
sectoprat
Create hunting rule
Similar samples:
101aecf07bb2c61c1dcf593e3fc9d652b48e9dbbfebbf55287ec5d86117fd0c9
DarkGate
5659f401e9c479d51bf256092e8d7b0c00abc6286e7f3b2d7f527995a145593d
DarkGate
bb870923c6ac61383177d3bb41726ea290a29a4a762fd681dec3d4f6cc19ed93
DarkGate
e3880c7db78e09748fe9caf02f330b1c61cd3aaaa31ffe93fb5ba1fb1035f761
DarkGate
eaa5582959770d5fa7fc18fa15d6e6aedec88b7503b8d16df3dd82626fab57d9
DarkGate
+ 59 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:sectoprat credential_access discovery persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/240918-t9yxgascrp/
Behaviour
Checks processor information in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Credentials from Password Stores: Credentials from Web Browsers
SectopRAT
SectopRAT payload
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c1605edf-b0cc-4771-9be4-20ccdd470f22
Unpacked files
SH256 hash:
12d0d3fa12105e9f0a46d7a30a8612fd1e1ad6a55e98e6140b82e58240353421
MD5 hash:
56c7ac8d61248eb5d4442735ca49ca92
SHA1 hash:
4238b3147461c0188070a542618ea6ba73071ca6
Link:
https://www.unpac.me/results/c3f18cd1-e367-47a2-b104-a4b42c1efd8f/
SH256 hash:
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b
MD5 hash:
4fa734db8e9f7ce5ecd217b34ecc6969
SHA1 hash:
fbfc15ded2ebd130c92d812c26dc052561f7ff83
Link:
https://www.unpac.me/results/c3f18cd1-e367-47a2-b104-a4b42c1efd8f/
Malware family:
DarkGate
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f358dde7b5f8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:Detect_APT29_WINELOADER_Backdoor
Create hunting rule
Author:daniyyell
Description:Detects APT29's WINELOADER backdoor variant used in phishing campaigns, this rule also detect bad pdf,shtml,htm and vbs or maybe more depends
Reference:https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties
Rule name:Detect_Malicious_VBScript_Base64
Create hunting rule
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkGate

Executable exe f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3179703/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::AllocateAndInitializeSid
advapi32.dll::ConvertSidToStringSidW
advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
advapi32.dll::EqualSid
advapi32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
advapi32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
advapi32.dll::OpenThreadToken
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetDriveTypeW
kernel32.dll::GetVolumeInformationW
kernel32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetSystemDirectoryW
kernel32.dll::GetFileAttributesW
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageW
user32.dll::CreateWindowExW

Comments