{
  "type": "MD5",
  "indicator": "62a705c41fd982f241d348e11b65fca9",
  "general": {
    "sections": [
      "general",
      "analysis"
    ],
    "type": "md5",
    "type_title": "FileHash-MD5",
    "indicator": "62a705c41fd982f241d348e11b65fca9",
    "validation": [],
    "base_indicator": {
      "id": 3889076895,
      "indicator": "62a705c41fd982f241d348e11b65fca9",
      "type": "FileHash-MD5",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "669e2741dcd4f9596558c537",
          "name": "\u201cClickFix\u201d Malware Delivery Method",
          "description": "",
          "modified": "2024-07-22T09:32:49.017000",
          "created": "2024-07-22T09:32:49.017000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 9,
            "domain": 1
          },
          "indicator_count": 24,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "677 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "6696722ef047e3eef77e772b",
          "name": "\u201cClickFix\u201d Malware Delivery Method",
          "description": "",
          "modified": "2024-07-16T13:14:22.390000",
          "created": "2024-07-16T13:14:22.390000",
          "tags": [
            "hashes",
            "sha256",
            "domains"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 9,
            "domain": 1
          },
          "indicator_count": 24,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "683 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "666aff8b28f34d845ca6a7d2",
          "name": "ACTIVIDAD MALICIOSA | Relacionada DarkGate 13-06-2024",
          "description": "DarkGate es una herramienta vers\u00e1til de malware que ha estado presente desde al menos 2018, con su variante m\u00e1s reciente emergiendo en julio de 2023. Las versiones antiguas se propagaban principalmente a trav\u00e9s de correo no deseado y sitios de Torrent, centr\u00e1ndose en usuarios de habla hispana en Europa. La \u00faltima iteraci\u00f3n de DarkGate se ha observado utilizando t\u00e9cnicas de malvertising, envenenamiento de motores de b\u00fasqueda y campa\u00f1as de spam.\n\nDarkGate implementa varios mecanismos anti-detecci\u00f3n y anti-an\u00e1lisis, como ofuscaci\u00f3n, capacidades anti-VM (detecci\u00f3n de la ejecuci\u00f3n en una m\u00e1quina virtual) y exclusi\u00f3n de la detecci\u00f3n de Microsoft Defender Antivirus. Este malware se oculta del Administrador de tareas de Windows y permanece invisible durante el arranque, incluso para herramientas avanzadas.",
          "modified": "2024-06-13T14:17:47.190000",
          "created": "2024-06-13T14:17:47.190000",
          "tags": [
            "abuse elevation",
            "access token",
            "manipulation",
            "ta0005",
            "ta0006",
            "setgid",
            "bypass user",
            "account control",
            "sudo caching",
            "create process"
          ],
          "references": [
            "https://darfe.es/ciberwiki/index.php?title=DarkGate",
            "https://www.virustotal.com/graph/embed/g49400ea54a2642979b202121bbe4d7ac31adce9d7d8a409090d1902380140fcf?theme=light",
            "https://alertas-y-seguridad.jimdosite.com/repositorio-ioc/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "DarkGate - S1111",
              "display_name": "DarkGate - S1111",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1052",
              "name": "Exfiltration Over Physical Medium",
              "display_name": "T1052 - Exfiltration Over Physical Medium"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "esoporteingenieria2020",
            "id": "121604",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 23,
            "FileHash-SHA1": 23,
            "FileHash-SHA256": 23
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 266,
          "modified_text": "716 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://alertas-y-seguridad.jimdosite.com/repositorio-ioc/",
        "https://darfe.es/ciberwiki/index.php?title=DarkGate",
        "https://www.virustotal.com/graph/embed/g49400ea54a2642979b202121bbe4d7ac31adce9d7d8a409090d1902380140fcf?theme=light"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Darkgate - s1111"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "669e2741dcd4f9596558c537",
      "name": "\u201cClickFix\u201d Malware Delivery Method",
      "description": "",
      "modified": "2024-07-22T09:32:49.017000",
      "created": "2024-07-22T09:32:49.017000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 9,
        "domain": 1
      },
      "indicator_count": 24,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "677 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "6696722ef047e3eef77e772b",
      "name": "\u201cClickFix\u201d Malware Delivery Method",
      "description": "",
      "modified": "2024-07-16T13:14:22.390000",
      "created": "2024-07-16T13:14:22.390000",
      "tags": [
        "hashes",
        "sha256",
        "domains"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 9,
        "domain": 1
      },
      "indicator_count": 24,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "683 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "666aff8b28f34d845ca6a7d2",
      "name": "ACTIVIDAD MALICIOSA | Relacionada DarkGate 13-06-2024",
      "description": "DarkGate es una herramienta vers\u00e1til de malware que ha estado presente desde al menos 2018, con su variante m\u00e1s reciente emergiendo en julio de 2023. Las versiones antiguas se propagaban principalmente a trav\u00e9s de correo no deseado y sitios de Torrent, centr\u00e1ndose en usuarios de habla hispana en Europa. La \u00faltima iteraci\u00f3n de DarkGate se ha observado utilizando t\u00e9cnicas de malvertising, envenenamiento de motores de b\u00fasqueda y campa\u00f1as de spam.\n\nDarkGate implementa varios mecanismos anti-detecci\u00f3n y anti-an\u00e1lisis, como ofuscaci\u00f3n, capacidades anti-VM (detecci\u00f3n de la ejecuci\u00f3n en una m\u00e1quina virtual) y exclusi\u00f3n de la detecci\u00f3n de Microsoft Defender Antivirus. Este malware se oculta del Administrador de tareas de Windows y permanece invisible durante el arranque, incluso para herramientas avanzadas.",
      "modified": "2024-06-13T14:17:47.190000",
      "created": "2024-06-13T14:17:47.190000",
      "tags": [
        "abuse elevation",
        "access token",
        "manipulation",
        "ta0005",
        "ta0006",
        "setgid",
        "bypass user",
        "account control",
        "sudo caching",
        "create process"
      ],
      "references": [
        "https://darfe.es/ciberwiki/index.php?title=DarkGate",
        "https://www.virustotal.com/graph/embed/g49400ea54a2642979b202121bbe4d7ac31adce9d7d8a409090d1902380140fcf?theme=light",
        "https://alertas-y-seguridad.jimdosite.com/repositorio-ioc/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "DarkGate - S1111",
          "display_name": "DarkGate - S1111",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1052",
          "name": "Exfiltration Over Physical Medium",
          "display_name": "T1052 - Exfiltration Over Physical Medium"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "esoporteingenieria2020",
        "id": "121604",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 23,
        "FileHash-SHA1": 23,
        "FileHash-SHA256": 23
      },
      "indicator_count": 69,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 266,
      "modified_text": "716 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "62a705c41fd982f241d348e11b65fca9",
    "type": "Hash"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "62a705c41fd982f241d348e11b65fca9",
    "found": true,
    "verdict": "malicious",
    "file_type": "zip",
    "file_size": "841674",
    "md5": "62a705c41fd982f241d348e11b65fca9",
    "sha256": "8c382d51459b91b7f74b23fbad7dd2e8c818961561603c8f6614edc9bb1637d1",
    "signature": "DarkGate",
    "first_seen": "2024-05-14",
    "last_seen": "2024-05-17",
    "url_count": "2",
    "urls": [
      {
        "url": "http://flexiblemaria.com/iinkqrwu",
        "status": "offline",
        "threat": "",
        "date_added": "",
        "tags": []
      },
      {
        "url": "http://91.222.173.186/iinkqrwu",
        "status": "offline",
        "threat": "",
        "date_added": "",
        "tags": []
      }
    ],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780170251.0654955
}