{
	"id": "42a3a85b-16f9-4a2c-a599-ad5897351572",
	"created_at": "2026-04-06T00:08:45.586884Z",
	"updated_at": "2026-04-10T13:13:09.493153Z",
	"deleted_at": null,
	"sha1_hash": "7b4d0077e78405859371f1744cb209a8792010ca",
	"title": "DarkMegi rootkit - sample (distributed via Blackhole)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 336801,
	"plain_text": "DarkMegi rootkit - sample (distributed via Blackhole)\r\nArchived: 2026-04-05 17:29:22 UTC\r\nUpdate April 20, 2012: Kimberly wrote an excellent analysis of this sample. Please go to Stopmalvertising to read it.\r\nThis is a \"DarkMegie\" rootkit sample, kindly donated by Hendrik Adrian. As described in the McAfee article \"Darkmegi: This is Not the Rootkit You’re Looking For\" by Craig Schmugar, it is anything but quiet and stealthy. In fact, it makes so many system changes that it is hard to cover them all in a quick post.\r\nIndeed, it drops the rootkit components in the drivers directory, padded to an incredible 25MB, and generates a lot of traffic. Unfortunately, I have not yet had time to sort out the mess and the purpose of all the files this malware creates, so I am just posting it here along with the sandbox results for you to analyze. If you write a detailed analysis, please share it and I will link to it.\r\nSize: 77312\r\nMD5: 6C8F9658A390C24A9F4551DC15063927\r\nDownload (email me if you need the password scheme)\r\nDownload the modified / created files and analysis data\r\nDownload pcap\r\nModified / created files (path, size in bytes, MD5):\r\nC:\\Windows\\System32\\drivers\\com32.sys     9728     4399b8a60977814197feae67c02a7ac2\r\nhttp://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html\r\nPage 1 of 6\r\nC:\\Windows\\System32\\drivers\\RCX50E3.tmp     26224256     9f32c51764f579512810b7ab3de1a91a\r\nC:\\Windows\\System32\\drivers\\com32.sys     26224256     dd313b92f60bb66d3d613bc49c1ef35e\r\nC:\\Windows\\System32\\com32.dl     45056     25cfb72df8a30cbb7e6ee852bc31c50f\r\nC:\\Windows\\System32\\RCX5B11.tmp     31506432     2f00e0927c07bc44d9b79ccbe567f398\r\nC:\\Windows\\System32\\del043.bat     86     1a1e7855edc0afa6624080d60da8bf44\r\nTraffic\r\nIt is as active as a click fraud or DDoS bot but does not fit these categories. I am not quite sure what it is doing; please look and let us know :)\r\nSome of the traffic\r\nAutomatic scans\r\nVirustotal\r\nSHA256: a2c176ef3cc343194207e33acc19d5f8cb083a3c387a0404bd8f9d6bd29cfd6f\r\nSHA1: c1af1fa6937097762824d0db039777ff35577727\r\nMD5: 6c8f9658a390c24a9f4551dc15063927\r\nFile size: 75.5 KB (77312 bytes)\r\nFile name: DarkMegiSample\r\nFile type: Win32 EXE\r\nTags: yoda yodaprot\r\nDetection ratio: 34 / 42\r\nAnalysis date: 2012-04-17 08:22:42 UTC\r\nAntivirus     Result     Update\r\nAhnLab-V3     Dropper/Rootkit.77312     20120417\r\nAntiVir     HEUR/Crypted     20120417\r\nAntiy-AVL     Trojan/Win32.Agent.gen     20120417\r\nAvast     Win32:Malware-gen     20120417\r\nAVG     PSW.Agent.ASED     20120417\r\nBitDefender     Trojan.Generic.KDV.503006     20120417\r\nByteHero     -     20120417\r\nCAT-QuickHeal     TrojanSpy.Agent.bwtk     20120417\r\nClamAV     PUA.Packed.YodaProt     20120417\r\nCommtouch     W32/Heuristic-210!Eldorado     20120417\r\nComodo     TrojWare.Win32.TrojanDownloader.Agent.accn     20120417\r\nDrWeb     Trojan.PWS.Gamania.34539     20120417\r\nEmsisoft     Trojan.SuspectCRC!IK     20120417\r\neSafe     Suspicious File     20120415\r\neTrust-Vet     -     20120417\r\nF-Prot     W32/Heuristic-210!Eldorado     20120416\r\nF-Secure     Trojan.Generic.KDV.503006     20120417\r\nFortinet     W32/Agent.BWTK!tr     20120417\r\nGData     Trojan.Generic.KDV.503006     20120417\r\nIkarus     Trojan.SuspectCRC     20120417\r\nJiangmin     TrojanSpy.Agent.uzc     20120417\r\nK7AntiVirus     Riskware     20120416\r\nKaspersky     Trojan-Spy.Win32.Agent.bwtk     20120417\r\nMcAfee     Artemis!6C8F9658A390     20120416\r\nMcAfee-GW-Edition     -     20120417\r\nMicrosoft     Trojan:Win32/Meredrop     20120417\r\nNOD32     a variant of Win32/CsNowDown.C     20120417\r\nNorman     W32/Troj_Generic.ASBJ     20120416\r\nnProtect     Trojan/W32.Agent.77312.VC     20120417\r\nPanda     Generic Trojan     20120416\r\nPCTools     Downloader.Darkmegi     20120417\r\nSophos     Mal/Packer     20120417\r\nSUPERAntiSpyware     -     20120402\r\nSymantec     Downloader.Darkmegi     20120417\r\nTrendMicro     Cryp_Yodap     20120417\r\nTrendMicro-HouseCall     Cryp_Yodap     20120417\r\nVBA32     TrojanSpy.Agent.bwtk     20120416\r\nVIPRE     Trojan-Spy.Win32.Agent\r\nSource: http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html"
	],
	"report_names": [
		"this-is-darkmegie-rootkit-sample-kindly.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434125,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b4d0077e78405859371f1744cb209a8792010ca.pdf",
		"text": "https://archive.orkl.eu/7b4d0077e78405859371f1744cb209a8792010ca.txt",
		"img": "https://archive.orkl.eu/7b4d0077e78405859371f1744cb209a8792010ca.jpg"
	}
}