MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 091e27447a439cf6edb67f7d30b25531563d6dcc43348502de7e4a0925a52fdc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkCloud

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments

SHA256 hash:	091e27447a439cf6edb67f7d30b25531563d6dcc43348502de7e4a0925a52fdc
SHA3-384 hash:	1ec545d347d4c8f21e1e806c2b068a60a79781b1f597aca94a9b595d2e6b3ba9b063eb6a9e735d2938b7b366b9efdbda
SHA1 hash:	a0da7aa7d75793d960fb688975fc1b635aef2559
MD5 hash:	a3812ff62d398091e764bcaf6db6c235
humanhash:	coffee-salami-edward-mockingbird
File name:	Error en los datos de pago (Pago BBVA).exe
Download:	download sample
Signature	DarkCloud Create hunting rule
File size:	32'256 bytes
First seen:	2025-08-23 08:32:48 UTC
Last seen:	2025-08-25 08:22:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	768:Ay2jOFxycfBlMd336362l5kysNh2dNAj/x:5qazTM2do
TLSH	T1F3E2D707BB9952B1C6505B3EC4A7A8000334D992A753FFCF3B4B636A9803F7AE54164B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	threatcat_ch
Tags:	DarkCloud exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Error en los datos de pago (Pago BBVA).exe

Verdict:

Malicious activity

Analysis date:

2025-08-23 08:33:45 UTC

Tags:

auto-startup stealer evasion darkcloud upx

Link:

https://app.any.run/tasks/c0a4416b-9fbc-4344-a3d6-2be50becdc09

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/23132/

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a97ce4e9d9dbcfd96d3334

Tags:

virus micro msil

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

net_reactor obfuscated obfuscated packed

Link:

https://www.filescan.io/uploads/68a97ced4a87ed796768f7ec/reports/ecedd856-5413-4004-9ff4-13496384c9cc/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/091e27447a439cf6edb67f7d30b25531563d6dcc43348502de7e4a0925a52fdc

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-08-22T17:44:00Z UTC

Last seen:

2025-08-22T17:44:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/091e27447a439cf6edb67f7d30b25531563d6dcc43348502de7e4a0925a52fdc/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b4a8aaac-3385-4ef6-b0bf-d0fc07708cdc

Result

Threat name:

DarkCloud, PureLog Stealer, ResolverRAT

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1763519

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Drops VBS files to the startup folder

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Costura Assembly Loader

Yara detected DarkCloud

Yara detected Generic Dropper

Yara detected PureLog Stealer

Yara detected ResolverRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/091e27447a439cf6edb67f7d30b25531563d6dcc43348502de7e4a0925a52fdc

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.70 Win 32 Exe x86

Link:

https://app.malva.re/file/a3812ff62d398091e764bcaf6db6c235

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/091e27447a439cf6edb67f7d30b25531563d6dcc43348502de7e4a0925a52fdc/

Verdict:

Malicious

Threat:

Family.DARKCLOUD

Link:

https://tip.neiki.dev/file/091e27447a439cf6edb67f7d30b25531563d6dcc43348502de7e4a0925a52fdc

Threat name:

Win32.Trojan.Kepavll

Status:

Malicious

First seen:

2025-08-22 21:37:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bepcord2ioopn3nwp56tbmsvgfld23omim2ikaw6pzfasjnff7oa._file

Result

Malware family:

darkcloud

Score:

10/10

Tags:

family:darkcloud discovery stealer

Link:

https://tria.ge/reports/250823-kf6ksaar4y/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Drops startup file

DarkCloud

Darkcloud family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f6b56c28-af78-4abf-b456-387199d4cc0f

Unpacked files

SH256 hash:

091e27447a439cf6edb67f7d30b25531563d6dcc43348502de7e4a0925a52fdc

MD5 hash:

a3812ff62d398091e764bcaf6db6c235

SHA1 hash:

a0da7aa7d75793d960fb688975fc1b635aef2559

Link:

https://www.unpac.me/results/5d59617f-d71c-4c23-abfc-88c6048bcf2a/

Malware family:

DarkCloud

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/091e27447a43/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/091e27447a439cf6edb67f7d30b25531563d6dcc43348502de7e4a0925a52fdc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)