MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0348a82d352ecd1956ab04b95be5123a26f28a63fd84f169d4a5abf90901e7bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0348a82d352ecd1956ab04b95be5123a26f28a63fd84f169d4a5abf90901e7bf
SHA3-384 hash: dfbe6dcffc8356c2bc6e4c0a317f55e744728cd48c48076efbe48b2210dcb0d21692371a018b0953bf2df0a8010e0d4b
SHA1 hash: 0a1bba4959ed2bd506639297a7c5b35f9c7751a3
MD5 hash: 2249e3d399a7733067aef479dc450e98
humanhash: alabama-summer-tennis-kitten
File name:Sales Invoices.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:486'684 bytes
First seen:2023-01-05 21:13:36 UTC
Last seen:2023-01-05 22:32:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:RYY5GCJeosavKHQVGlI9XwzHPYU1vS8JyVhk2UtYN1F6S:RYYBJeo+Ug51JWD1N1H
Threatray 286 similar samples on MalwareBazaar
TLSH T189A4238C72A9C91BE5B223301F328F90EEF7FC9549D11BA51BA54F58B9456634F1C381
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon a8a7a5898da787b8 (2 x DarkCloud, 1 x AgentTesla)
Reporter mossdinger
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
188
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Sales Invoices.exe
Verdict:
Malicious activity
Analysis date:
2023-01-05 21:14:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/73e6bef8-2357-41d4-ab0f-c30aafdd4314

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349807/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.18100.14890.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63b73d9d0e926711fd7719b2/reports/9a724a3a-2eef-4a75-8e9b-d822bab6a2dd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8359061f-e714-4602-a146-1515b3230902
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1145940
Signature
Contains functionality to detect sleep reduction / modifications
Creates multiple autostart registry keys
Executable has a suspicious name (potential lure to open the executable)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 778673 Sample: Sales Invoices.exe Startdate: 05/01/2023 Architecture: WINDOWS Score: 100 56 Yara detected DarkCloud 2->56 58 Yara detected Generic Dropper 2->58 60 Executable has a suspicious name (potential lure to open the executable) 2->60 62 3 other signatures 2->62 8 Sales Invoices.exe 19 2->8         started        11 wkahit.exe 1 2->11         started        13 wkahit.exe 1 2->13         started        15 abactinal.exe 2->15         started        process3 file4 50 C:\Users\user\AppData\Local\...\zufpuuhro.exe, PE32 8->50 dropped 17 zufpuuhro.exe 1 3 8->17         started        21 WerFault.exe 4 10 11->21         started        23 conhost.exe 11->23         started        25 WerFault.exe 10 13->25         started        27 conhost.exe 13->27         started        29 conhost.exe 15->29         started        31 WerFault.exe 15->31         started        process5 file6 46 C:\Users\user\AppData\Roaming\...\wkahit.exe, PE32 17->46 dropped 64 May check the online IP address of the machine 17->64 66 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 17->66 68 Creates multiple autostart registry keys 17->68 70 3 other signatures 17->70 33 zufpuuhro.exe 2 38 17->33         started        38 conhost.exe 17->38         started        40 abactinal.exe 1 21->40         started        signatures7 process8 dnsIp9 52 mail.empoloshotel.co.ke 67.225.192.146, 26, 49703, 49712 LIQUIDWEBUS United States 33->52 54 showip.net 162.55.60.2, 49699, 80 ACPCA United States 33->54 48 C:\Users\user\AppData\...\abactinal.exe, PE32 33->48 dropped 72 Creates multiple autostart registry keys 33->72 74 Tries to harvest and steal browser information (history, passwords, etc) 33->74 42 conhost.exe 40->42         started        44 WerFault.exe 40->44         started        file10 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0348a82d352ecd1956ab04b95be5123a26f28a63fd84f169d4a5abf90901e7bf/
Threat name:
Win32.Trojan.Nsisx
Create hunting rule
Status:
Malicious
First seen:
2023-01-05 08:33:34 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
18 of 41 (43.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=anekqljvf3grsvvlas4vxzishitpfctd7wcpc2ouuwv7scib467q._file
Verdict:
malicious
Similar samples:
0d5d88dc43aa8b58db913ba723acaa6106f2eae2cde854712aed4b1676421d7a
DarkCloud
2aa98fcdebacfcc2022da3646a580a2dd170633c310361db86d421a3e55cb2f7
DarkCloud
2cb40ab75643b224448586afb5e342971d2a5f42c07a21138a63ef7b76a3a6e7
DarkCloud
33e9a3c60633f78b16e66b0681de4450ae08364e73ea085c69e4cccfbc642d11
DarkCloud
bef09c4e715063415146af6323755bbc13c1651c3ba5ac6bcd9acd283489cd5b
DarkCloud
d13c17545242ebec91cb81871e789cdfe30918645bb4d79a76458dd88af5e9a7
DarkCloud
ef0978efe6ad97f9267cee4ba1866bd0154a0a5feb48bfd4aa8faaa278c09111
DarkCloud
f69d7601134fb94a23b3273ed59c85bd5b7847f612e878f1b5c0471e0fb6e7ee
DarkCloud
ff6083a7518515494983fb6e6ac2fb8298e953dbb867a37cf00c850c8d27b6c7
DarkCloud
+ 276 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/230105-z3bq9add24/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1702658d-afdd-4f8a-9f8a-9d2603fb9cd9
Unpacked files
SH256 hash:
ec5d02e13e9b94ce3e6aa1de8faafe22282bea74c49d93052b22dedc6dbf68a2
MD5 hash:
5b430f022a94ef54906c067d82820b6e
SHA1 hash:
678b33bf3eed8bade26d44aaca100eb16475c453
Link:
https://www.unpac.me/results/8554eb75-458a-4fe5-8244-0c08c7b437c4/
SH256 hash:
0348a82d352ecd1956ab04b95be5123a26f28a63fd84f169d4a5abf90901e7bf
MD5 hash:
2249e3d399a7733067aef479dc450e98
SHA1 hash:
0a1bba4959ed2bd506639297a7c5b35f9c7751a3
Link:
https://www.unpac.me/results/8554eb75-458a-4fe5-8244-0c08c7b437c4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0348a82d352ecd1956ab04b95be5123a26f28a63fd84f169d4a5abf90901e7bf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 0348a82d352ecd1956ab04b95be5123a26f28a63fd84f169d4a5abf90901e7bf

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/349807/

Comments