MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkCloud


Vendor detections: 14



SHA256 hash: 0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8
SHA3-384 hash: e88cf76edc2c8dd0eb81a31587d893f2d2c3c51b11596ba10dc1fcd76c938d5876c8e42a9efa35ba9d5c6d94391c8205
SHA1 hash: 7ad43cc7224f694995e53325a581e659eabe2e16
MD5 hash: cdcfa8aab8a4766ddb88df4635104d83
humanhash: india-uniform-ten-summer
File name: payment receipts.exe
Signature: DarkCloud
File size: 1'009'664 bytes
First seen: 2024-01-31 15:04:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 24576:FJRsQJVHvu3/mAUf45P3z55KTBmfswlibk:bWgHv0wq50TAfpEk
Threatray: 479 similar samples on MalwareBazaar
TLSH: T15F25019CB60071DFC82BC57289901C64AA21AC77432BD206A45B35EDAE3DAD7CF195F3
TrID: 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 003171630385d500 (6 x Formbook, 5 x RemcosRAT, 1 x DarkCloud)
Reporter: malwarelabnet
Tags: DarkCloud exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 284
Origin country: CA

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8.zip
Verdict: Malicious activity
Analysis date: 2024-01-31 15:27:13 UTC
Tags: darkcloud stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: loki masquerade packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: DarkCloud
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected AntiVM3
Yara detected DarkCloud
Behaviour
Behavior Graph:
Behavior Graph ID: 1384166
Sample: payment_receipts.exe
Startdate: 31/01/2024
Architecture: WINDOWS
Score: 100
Signatures on the submitted sample:
  Malicious sample detected (through community Yara rule)
  Antivirus / Scanner detection for submitted sample
  Sigma detected: Scheduled temp file as task from temp location
  7 other signatures
Process tree:
  payment_receipts.exe (process 7)
    dropped: C:\Users\user\AppData\...\UbaskbOLQNa.exe (PE32)
    dropped: C:\Users\user\AppData\Local\...\tmp2B0D.tmp (XML)
    signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Uses schtasks.exe or at.exe to add and modify task schedules; 2 other signatures
    payment_receipts.exe (process 13)
      signatures: Found many strings related to Crypto-Wallets (likely being stolen)
    powershell.exe (process 16)
      conhost.exe (process 26)
    powershell.exe (process 18)
      conhost.exe (process 28)
    schtasks.exe (process 20)
      conhost.exe (process 30)
  UbaskbOLQNa.exe (process 11)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
    UbaskbOLQNa.exe (process 22)
      signatures: Tries to harvest and steal browser information (history, passwords, etc)
      WmiPrvSE.exe (process 32)
    schtasks.exe (process 24)
      conhost.exe (process 34)
Threat name: ByteCode-MSIL.Trojan.DarkCloud
Status: Malicious
First seen: 2024-01-26 18:34:11 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 21 of 24 (87.50%)
Threat level: 5/5

Result
Malware family: darkcloud
Score: 10/10
Tags: family:darkcloud stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
DarkCloud
Unpacked files
SHA256 hash: 3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash: 94d1531b52774dce52a89e33646d5b1d
SHA1 hash: 29bf887b025b97bd7a9e1e261852ba824234a625

SHA256 hash: e084c89636033772997fc97260dabc5099e9155fbbaf64f70da95503d4fb048d
MD5 hash: 70d196861a0c9fb47ed06ffee18d8337
SHA1 hash: 50b1fa0843134885629278b55951d1fbe82a25cd

SHA256 hash: b320fcf386923829e37498f797cf1bbf74f823fb9e70b2d94e08ae99d398d019
MD5 hash: c14650b6d051ce6e414865839dfbe41f
SHA1 hash: 43bd6ab024f9a070ee5ff35518a07812504b3de4
Detections: INDICATOR_EXE_Packed_SmartAssembly

Parent samples:
SHA256 hash: 20fb27d1d327a3bd9a235a56a97d6e1fca3016d85255e5b2db59bf9e09fc80a4
MD5 hash: fe0d498b7675ceffaba4e64a452478cb
SHA1 hash: 296dd4c49db1e597bb4eefc3cdc0195cde6724a8
Detections: darkcloudstealer MALWARE_Win_DarkCloud INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

SHA256 hash: 2b4cf8b51c4caac8a17c239ce12f5722630e9358060986625b0eed5dd9e01017
MD5 hash: 81c9b6f9ce6e6cc93bf89a1218f12e86
SHA1 hash: 1e2b99b28fc38272b81bc336a66c2960259668b6

SHA256 hash: 0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8
MD5 hash: cdcfa8aab8a4766ddb88df4635104d83
SHA1 hash: 7ad43cc7224f694995e53325a581e659eabe2e16
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments