MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc6ab939f5f2d6f12cb1edbe2babd5b180d8d036fc0b37a77f784d1c52162112. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkGate
Vendor detections: 9

SHA256 hash: fc6ab939f5f2d6f12cb1edbe2babd5b180d8d036fc0b37a77f784d1c52162112
SHA3-384 hash: d0ae79d01027b31c98abe44662d8a3a3b640d405203563041630cf48f362c05f1cb4905fb3e5d6bd916438bc8060b5bc
SHA1 hash: 8ede7ee0a43c4282b41687408ddc38a243ac4bfd
MD5 hash: b88352bde539f79207be209759505f02
humanhash: early-colorado-tango-carolina
File name: pullofmaster.msi
Signature: DarkGate
File size: 4'554'752 bytes
First seen: 2024-01-29 19:44:23 UTC
Last seen: 2024-01-29 21:26:13 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 49152:zpUPB9qhCxzT+WKjSX15zLVI4vLeY9xV4qtGvmKBteU5oBgffUBS88qAU8:zpECQ1FLeYLVTV4WMVf
TLSH: T1D0266B7F12B0A329C53A81BAC5927F04933366FD17A2CDC751CD64A84ADE4CC6A7B2D1
TrID: 86.3% (.MSI) Microsoft Windows Installer (454500/1/170)
      8.4% (.MSP) Windows Installer Patch (44509/10/5)
      3.7% (.WPS) Kingsoft WPS Office document (alt.) (19502/3/2)
      1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: rmceoin
Tags: DarkGate msi


rmceoin: Found on 5.181.159.23/Downloads/pullofmaster.zip

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 154
Origin country: US

Vendor Threat Intelligence
Verdict: No Threat
Threat level: 2.5/10
Confidence: 100%
Tags: expand fingerprint installer lolbin packed shell32

Result
Threat name: MailPassView
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Opens the same file many times (likely Sandbox evasion)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph: ID 1382946, sample pullofmaster.msi, start date 29/01/2024, architecture WINDOWS, score 100. The graph rendering is not reproduced here; the process tree shows msiexec.exe dropping C:\Windows\Installer\MSI8CF4.tmp and starting expand.exe, icacls.exe and iTunesHelper.exe; iTunesHelper.exe drops and runs C:\temp\Autoit3.exe (copied to C:\ProgramData\febdbhg\Autoit3.exe), which injects into XbRUjgAlnwb.exe and starts AcroRd32.exe; the injected process contacts stachmentsuprimeresult.com (138.124.183.35, port 443, NOKIA-ASFI, Norway) and spawns several vbc.exe processes, alongside WerFault.exe and RdrCEF.exe.
Threat name: Win64.Trojan.Midie
Status: Malicious
First seen: 2024-01-29 19:42:06 UTC
File Type: Binary (Archive)
Extracted files: 38
AV detection: 6 of 38 (15.79%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: n/a
Score: 7/10
Tags: discovery
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Windows directory
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Script
Author: @bartblaze
Description: Identifies AutoIT script. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: Borland
Author: malware-lu

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_OLE_file_magic_number
Author: Didier Stevens (https://DidierStevens.com)

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: DarkGate
File type: Microsoft Software Installer (MSI) msi
SHA256: fc6ab939f5f2d6f12cb1edbe2babd5b180d8d036fc0b37a77f784d1c52162112 (this sample)

Delivery method
Distributed via web download

Comments