MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ac7ef73ed77a7b06372c2dabb52632d1e63892c308cb23b4158fc5567b8de3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 13


Intelligence 13 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ac7ef73ed77a7b06372c2dabb52632d1e63892c308cb23b4158fc5567b8de3a
SHA3-384 hash: 341af38f1db01418d6d0143b9faa68cc24bec3b2b56994f7361edccc338abd4a1be13afd00f19a151908d070b0ae3283
SHA1 hash: 7f30d34255883f95132518f5e2499e98c3947fab
MD5 hash: 91d0cb3a4189b071afe59020f715453b
humanhash: tennis-pennsylvania-victor-minnesota
File name:MSVCP140.dll
Download: download sample
Signature DarkCloud
Create hunting rule
File size:8'001'536 bytes
First seen:2025-05-12 09:29:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c9e90543ddd327c8db34b27e4cbcd0b (2 x DarkCloud)
ssdeep 98304:rjeiaxG5IhnxiwZVfY3fQMA1NC1ueDcXg8j:Peiaq4xiidY3YRC1uNw
Threatray 21 similar samples on MalwareBazaar
TLSH T1E386AE19A3A400B1E87BDB74CA56C333DAB07D929735D10F0999F2061F73A629B2F725
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter lowmal3
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
445
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MSVCP140.dll
Verdict:
Malicious activity
Analysis date:
2025-05-12 09:48:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/98dbec19-b6c5-4cd8-9dc1-c31902370d48

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.2825.15465.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6821c11ee16384d6a703c38c
Tags:
malware
Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context crypto expand fingerprint lolbin masquerade microsoft_visual_cc msbuild packed remote
Link:
https://www.filescan.io/uploads/6821bfb80b64e174c422bf01/reports/304cb136-00e3-4af0-aa8b-1dd6462f5365/overview
Verdict:
Malicious
Labled as:
Trojan.GenericS
Link:
https://www.hybrid-analysis.com/sample/0ac7ef73ed77a7b06372c2dabb52632d1e63892c308cb23b4158fc5567b8de3a
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6e5aad77-b66a-4864-9605-d30359c11f8e
Result
Threat name:
Codoso Ghost, Hancitor
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1687732
Signature
Allocates memory in foreign processes
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Windows Binaries Write Suspicious Extensions
Writes to foreign memory regions
Yara detected Codoso Ghost
Yara detected Hancitor
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1687732 Sample: MSVCP140.dll.exe Startdate: 12/05/2025 Architecture: WINDOWS Score: 96 49 api.msn.com 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected Codoso Ghost 2->53 55 Yara detected Hancitor 2->55 57 3 other signatures 2->57 8 loaddll64.exe 1 2->8         started        signatures3 process4 process5 10 cmd.exe 1 8->10         started        12 rundll32.exe 241 8->12         started        16 rundll32.exe 8->16         started        18 34 other processes 8->18 file6 20 rundll32.exe 224 10->20         started        31 C:\Users\user\SystemRootDoc\dwm.exe, PE32+ 12->31 dropped 33 C:\Users\user\SystemRootDoc\Atuserer.exe, PE32+ 12->33 dropped 43 363 other files (none is malicious) 12->43 dropped 59 Drops PE files with a suspicious file extension 12->59 61 Drops PE files with benign system names 12->61 35 C:\Users\user\SystemRootDoc\Bubbles.scr, PE32+ 16->35 dropped 37 C:\Users\user\SystemRootDoc\usererLib.dll, PE32+ 16->37 dropped 45 150 other files (none is malicious) 16->45 dropped 39 C:\Users\user\SystemRootDoc\format.com, PE32+ 18->39 dropped 41 C:\Users\user\...\gatherNetworkInfo.vbs, ASCII 18->41 dropped 47 345 other files (none is malicious) 18->47 dropped 63 Writes to foreign memory regions 18->63 65 Allocates memory in foreign processes 18->65 67 Injects a PE file into a foreign processes 18->67 signatures7 process8 file9 23 C:\Users\user\SystemRootDoc\csrss.exe, PE32+ 20->23 dropped 25 C:\Users\user\SystemRootDoc\chcp.com, PE32+ 20->25 dropped 27 C:\Users\user\SystemRootDoc\dscproxy.dll, PE32+ 20->27 dropped 29 462 other files (none is malicious) 20->29 dropped
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0ac7ef73ed77a7b06372c2dabb52632d1e63892c308cb23b4158fc5567b8de3a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ac7ef73ed77a7b06372c2dabb52632d1e63892c308cb23b4158fc5567b8de3a/
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-05-04 12:47:45 UTC
File Type:
PE+ (Dll)
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bld6647no6t3ay3sylnlwutdfupghcjmgcgleo2bld6fkz5y3y5a._file
Verdict:
malicious
Label(s):
darkcloudstealer
Create hunting rule
Similar samples:
0ac7ef73ed77a7b06372c2dabb52632d1e63892c308cb23b4158fc5567b8de3a
DarkCloud
2037a021ebdbb489ac08f09e6e724412d666ade3dd13d1a13d7e0140203205e9
DarkCloud
61959baf831b4d2542347c0a7545eef5faaa387b3c9a1bc57f6481d994e245e3
DarkCloud
a52df1ec9a3db746a5753efd4cf559b9a11979c792cf1238f9f97de1fca49a81
DarkCloud
ad13915786597f9701d0d810826195ef5555ce8bba5407f285ca19339c246214
DarkCloud
e2df7bf51d33fd912f88079f4ed561e7a2607112243261762428ee02fcb933c8
DarkCloud
error
DarkCloud
+ 11 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud discovery persistence stealer
Link:
https://tria.ge/reports/250512-lgq26ahp7v/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
DarkCloud
Darkcloud family
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b12ded77-45f1-4dde-9702-9d303b7fa1b4
Unpacked files
SH256 hash:
0ac7ef73ed77a7b06372c2dabb52632d1e63892c308cb23b4158fc5567b8de3a
MD5 hash:
91d0cb3a4189b071afe59020f715453b
SHA1 hash:
7f30d34255883f95132518f5e2499e98c3947fab
Link:
https://www.unpac.me/results/fe99aef6-ab38-4bab-aa2b-cdc6c9a40c98/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0ac7ef73ed77a7b06372c2dabb52632d1e63892c308cb23b4158fc5567b8de3a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 0ac7ef73ed77a7b06372c2dabb52632d1e63892c308cb23b4158fc5567b8de3a

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments