MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ba799607c3249b17cb474a73a255b0f38dc09e05526258c9144e23209b1a01a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ba799607c3249b17cb474a73a255b0f38dc09e05526258c9144e23209b1a01a
SHA3-384 hash: 7fd9ccb8a67cdf99e5390ca79214364e2d0ddd44c4b5ce5981893c0e79b9e9de5d9834f5f9134e190bc41e1b29a9d8e0
SHA1 hash: 9aedb531b74aa0d72f5306832e8892a2cfa5ed6f
MD5 hash: c17a5cb9ede163355220cd5669b62590
humanhash: twenty-friend-sweet-april
File name:Ziraat Bankası Swift Mesajı (8).exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:862'720 bytes
First seen:2023-04-11 18:51:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:bMmzuGAXI9QnL6qOkiLuVAiF7QL6otBn8idumgmvTjXNHcY307QW:b1CGAYAeClVAuQL6UddDv3NHcY307
Threatray 52 similar samples on MalwareBazaar
TLSH T1CF05125C6375ABA5E48C0FF894442842277CA219F0B4DDAC9CE613EB8AB2F11561D3F7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:DarkCloud exe geo Telegram TUR ZiraatBank

Intelligence

File Origin
# of uploads :
1
# of downloads :
252
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ziraat Bankası Swift Mesajı (8).exe
Verdict:
No threats detected
Analysis date:
2023-04-11 18:58:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f5cae15c-6309-43a2-b842-1ab2bbc87fc8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381552/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/6435ac5408896da610c01b66/reports/2f409f8c-100c-41ff-ae62-5d2b6879a6ec/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0ba799607c3249b17cb474a73a255b0f38dc09e05526258c9144e23209b1a01a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b6bd1a9a-cc51-4977-9019-dbc25cfc1a82
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1212082
Signature
.NET source code contains potential unpacker
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ba799607c3249b17cb474a73a255b0f38dc09e05526258c9144e23209b1a01a/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-04-11 07:06:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=botzsyd4gje3c7fuosttujk3b44nycpakutclderitrdecnruana._file
Verdict:
malicious
Similar samples:
04aa55e1600b801ddda368268eaf6f2ab9858f402b526468d727a943eadfb122
DarkCloud
1d33467dba0945d2a0dab179b6d5a38c9e936f3c51a12dbefdaf361df2a62562
DarkCloud
20f8346e2d21705831f11df957ab056989639c5004abcf76be886721bb201500
DarkCloud
44287432a3d063068dd3119d3a89398a44c14ec36411636595d5b1e01dd7d1cc
DarkCloud
67987af9c454a2d990d14f53a2fe1763447e58ed1a5d6deec4d41f258ff6772d
DarkCloud
7e8283583026a288a16c98682ce3cf18308f78cb08cebf3dd6b3376aa7089733
DarkCloud
bbbc5f4b6670a77c8717b4500d077e7fe4a95669d4f4d032798ed14ed3addf3f
DarkCloud
ce33f260e52f5ea18962a5993e4275c41f527004b57ccc48d518b4ad3b310850
DarkCloud
d516e4901dd234c9dadef6a593e04c85c00e83d092490d7a7398339d79c4b727
DarkCloud
e2c40dfbb54a5fe183a97cb7be58ee20969e9f0f7744df829f2b02619fc529e2
DarkCloud
+ 42 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230411-xh2qtsed95/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/d1e4a2d3-3c10-4c5e-af0e-f8aa615e1826/
SH256 hash:
59689a9178b4bf906bb5f2fa968bf4c7805e02d164864289b8c9677099b26636
MD5 hash:
73fd169ad81224fcea2136fc52bb2d7d
SHA1 hash:
800c14304f687a9132e4fbe182e04d63e623bd8f
Link:
https://www.unpac.me/results/d1e4a2d3-3c10-4c5e-af0e-f8aa615e1826/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/d1e4a2d3-3c10-4c5e-af0e-f8aa615e1826/
SH256 hash:
24018be6dc38c7d10f43ff79124a1bf744579ceb0e18f1ce600fbc1a9ab6ee99
MD5 hash:
343eb34fb3a7a4888e8e21bc1f060458
SHA1 hash:
80a3ae2c0617d920816996f69db48a759ab7510b
Link:
https://www.unpac.me/results/d1e4a2d3-3c10-4c5e-af0e-f8aa615e1826/
SH256 hash:
1dd74a2d0f7a1d81d51f70abc654a455e35ccdc369fc1c48fc3f595a7ba3fd08
MD5 hash:
c204d03924e94d5b8e77c050bef37907
SHA1 hash:
548356d107a5ca8d73f3f908b8122a86a57d0d65
Link:
https://www.unpac.me/results/d1e4a2d3-3c10-4c5e-af0e-f8aa615e1826/
SH256 hash:
6413c60502ba771163bb96527a5b8fdf5d765cd19f89bca13c6442bbd8bdb4bd
MD5 hash:
d52609f7faa0c91840a49a848a476000
SHA1 hash:
268d289f07cd7f58d0c4db7d785fa350a3ed431a
Link:
https://www.unpac.me/results/d1e4a2d3-3c10-4c5e-af0e-f8aa615e1826/
SH256 hash:
0ba799607c3249b17cb474a73a255b0f38dc09e05526258c9144e23209b1a01a
MD5 hash:
c17a5cb9ede163355220cd5669b62590
SHA1 hash:
9aedb531b74aa0d72f5306832e8892a2cfa5ed6f
Link:
https://www.unpac.me/results/d1e4a2d3-3c10-4c5e-af0e-f8aa615e1826/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.89
Link:
https://yomi.yoroi.company/submissions/0ba799607c3249b17cb474a73a255b0f38dc09e05526258c9144e23209b1a01a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 0ba799607c3249b17cb474a73a255b0f38dc09e05526258c9144e23209b1a01a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/381552/

Comments