MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08f355fcbedbabe2e6c40ce27486149731495c7064732fe85faa0ad810f07856. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkCloud

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	08f355fcbedbabe2e6c40ce27486149731495c7064732fe85faa0ad810f07856
SHA3-384 hash:	fec9c991bf5d35c91252e6dbfcbdd1f07e6b5533f3875c1eca62836c9606e0fca5571ff015ab93d2e10776653cb5d016
SHA1 hash:	bf923733e89ec4b4ba68aa799c5db7a67a079ea1
MD5 hash:	83fff77f32bbe40d5a36f62cb87fc4c2
humanhash:	low-rugby-mars-utah
File name:	08f355fcbedbabe2e6c40ce27486149731495c7064732fe85faa0ad810f07856
Download:	download sample
Signature	DarkCloud Create hunting rule
File size:	383'488 bytes
First seen:	2023-02-06 13:31:02 UTC
Last seen:	2023-02-06 16:06:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	94d5b2fb18855f1a89277d01a41b2b73 (2 x DarkCloud)
ssdeep	6144:C+Y+IWm58KXIs/4/unIVaKQryNvvDtiXpg+aeNSo754mWUgUqIBo4yHWBabJI8d2:C+Y+IWm58KXzXpg+aeNSo7NNg7IO4ypO
Threatray	134 similar samples on MalwareBazaar
TLSH	T162845C2BFA00392AF467C5B1A6D5A3176C646D3A1A80AC1BF7819F8935356C3B5F031F
TrID	51.3% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 16.9% (.EXE) UPX compressed Win32 Executable (27066/9/6) 16.6% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 4.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	06f692c2529ab2d2 (5 x DarkCloud, 2 x a310Logger, 2 x Floxif)
Reporter	adrian__luca
Tags:	DarkCloud exe

Intelligence

File Origin

# of uploads :

# of downloads :

197

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

08f355fcbedbabe2e6c40ce27486149731495c7064732fe85faa0ad810f07856

Verdict:

No threats detected

Analysis date:

2023-02-06 13:30:51 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/19b2f0a2-9e4c-4e8d-ae17-e489158d0632

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/360875/

Detection(s):

PUA.Win.Packer.ProtectSharewar-2

PUA.Win.Packer.ProtectSharewar-3

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware hacktool networm packed stealer zbot

Link:

https://www.filescan.io/uploads/63e10119905a5ac3b9098d07/reports/4944209b-1e90-4d19-b37d-37a0f6562b8f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/08f355fcbedbabe2e6c40ce27486149731495c7064732fe85faa0ad810f07856

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DarkCloud

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/66fcabc1-f8a5-4440-abe0-169fe36ef70e

Result

Threat name:

DarkCloud

Detection:

malicious

Classification:

troj.spyw

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1166662

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Tries to harvest and steal browser information (history, passwords, etc)

Writes or reads registry keys via WMI

Yara detected DarkCloud

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/08f355fcbedbabe2e6c40ce27486149731495c7064732fe85faa0ad810f07856/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2023-02-06 13:32:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bdzvl7f63ov6fzwebtrhjbqus4yusxdqmrzs72c7vifnqehqpbla._file

Verdict:

malicious

DarkCloud

209796f7defbaddb78d4068d6dcb5c2bb81508987eb3a07090513d5171cc9e69

DarkCloud

466424efee4296b00d98e1677b8f0ec8e20362cb2306a97a6272385152ca731a

DarkCloud

61e24fa304b102fc323770b791f3d9bae4b3740a802e3ae3624824effc432e20

DarkCloud

7c9b76501eecbdb69cbb772d949560a63312a7c714d685a4767360474fe7abe4

DarkCloud

8950ea9b316232851e595d026da62e01421b47d39f7306601abaf3de87f3254e

DarkCloud

89893824aeb1a646e9a6eaa776a21550d6b0724ff5448b9a6aeafc63888a3728

DarkCloud

97a6c2608c1e6c30e08ef783b41087ae099d399e0c3ded19a111878e12e4965a

DarkCloud

e59bfbd9a59b19bdfc2c7435858396d1ec99e5ddb5cc59c3c98e8c2e1bd5c947

DarkCloud

+ 124 additional samples on MalwareBazaar

Result

Malware family:

darkcloud

Score:

10/10

Tags:

family:darkcloud stealer

Link:

https://tria.ge/reports/230206-qsdy7aea87/

Behaviour

Suspicious use of SetWindowsHookEx

DarkCloud

Unpacked files

SH256 hash:

08f355fcbedbabe2e6c40ce27486149731495c7064732fe85faa0ad810f07856

MD5 hash:

83fff77f32bbe40d5a36f62cb87fc4c2

SHA1 hash:

bf923733e89ec4b4ba68aa799c5db7a67a079ea1

Link:

https://www.unpac.me/results/2d87656d-16ff-4f1d-b324-b1e885177e6e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.69

Link:

https://yomi.yoroi.company/submissions/08f355fcbedbabe2e6c40ce27486149731495c7064732fe85faa0ad810f07856

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/360875/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample