MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d5d88dc43aa8b58db913ba723acaa6106f2eae2cde854712aed4b1676421d7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d5d88dc43aa8b58db913ba723acaa6106f2eae2cde854712aed4b1676421d7a
SHA3-384 hash: dff7c012fedfc76ace34cf131c4fe71a9d5641f88aa1a16b8a7f1d50cfe6ac0432a7cdbcd93f96dc41123c22d658e7b8
SHA1 hash: 9b12e2980bbff505c7bfa3603b60e27b0a8ae2c5
MD5 hash: 4b64dabf31dd95658850c8406d8ddb50
humanhash: emma-montana-yankee-sixteen
File name:UB04 invoices.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:860'096 bytes
First seen:2022-12-29 22:17:38 UTC
Last seen:2023-01-06 01:17:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:WYRe6LnbzJMPIGkx/s/yyRhA4poSXM6/zynUy8oecYFy:WYYChMMQyQhJbzz3jTFy
Threatray 260 similar samples on MalwareBazaar
TLSH T19A05F1F87A949377DC144AB0F73FC7998E317D6A14E812A63B8A33586071191FE07A78
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e0d0d8d4d4d8d0e0 (7 x DarkCloud, 5 x AgentTesla, 4 x Formbook)
Reporter Anonymous
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
UB04 invoices.exe
Verdict:
Malicious activity
Analysis date:
2022-12-29 22:18:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e4f18a68-c6cc-4d16-97ba-8dd5a120ba89

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Rogue.0hr.20221227-0137.UNOFFICIAL
Create hunting rule

Win.Trojan.Generickdz-9902201-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll zusy
Link:
https://www.filescan.io/uploads/63ae121bdde391056ac0ae26/reports/664b6fdf-09aa-4935-ab67-3b04c4921be2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6f48117a-dd10-4ee5-a47a-1f64ca03b0e9
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1142949
Signature
Contains functionality to detect sleep reduction / modifications
Creates multiple autostart registry keys
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 775679 Sample: UB04 invoices.exe Startdate: 29/12/2022 Architecture: WINDOWS Score: 100 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected DarkCloud 2->48 50 Yara detected Generic Dropper 2->50 52 Initial sample is a PE file and has a suspicious name 2->52 7 UB04 invoices.exe 19 2->7         started        10 sdpvc.exe 2->10         started        13 custumal.exe 2->13         started        15 2 other processes 2->15 process3 file4 36 C:\Users\user\AppData\Local\...\auxydqto.exe, PE32 7->36 dropped 17 auxydqto.exe 1 2 7->17         started        62 Multi AV Scanner detection for dropped file 10->62 21 WerFault.exe 4 10 10->21         started        23 WerFault.exe 10 13->23         started        25 WerFault.exe 10 15->25         started        27 WerFault.exe 15->27         started        signatures5 process6 file7 34 C:\Users\user\AppData\Roaming\...\sdpvc.exe, PE32 17->34 dropped 54 Multi AV Scanner detection for dropped file 17->54 56 May check the online IP address of the machine 17->56 58 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 17->58 60 4 other signatures 17->60 29 auxydqto.exe 2 35 17->29         started        signatures8 process9 dnsIp10 40 mail.toliptaba.com 108.167.158.119, 49704, 49717, 49720 UNIFIEDLAYER-AS-1US United States 29->40 42 showip.net 162.55.60.2, 49701, 80 ACPCA United States 29->42 44 192.168.2.1 unknown unknown 29->44 38 C:\Users\user\AppData\...\custumal.exe, PE32 29->38 dropped 64 Creates multiple autostart registry keys 29->64 66 Tries to harvest and steal browser information (history, passwords, etc) 29->66 file11 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d5d88dc43aa8b58db913ba723acaa6106f2eae2cde854712aed4b1676421d7a/
Threat name:
Win32.Infostealer.Pycoon
Create hunting rule
Status:
Malicious
First seen:
2022-12-26 00:54:56 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bvoyrxcdvkfvrw4rhotshlfkmedpf2xczxufi4jk5vfrm5scdv5a._file
Verdict:
malicious
Similar samples:
20139c79820552c3173bdfd0ff0ae7fefad18bd716bc3383bc1092eba1514e11
DarkCloud
2aa98fcdebacfcc2022da3646a580a2dd170633c310361db86d421a3e55cb2f7
DarkCloud
2cb40ab75643b224448586afb5e342971d2a5f42c07a21138a63ef7b76a3a6e7
DarkCloud
33e9a3c60633f78b16e66b0681de4450ae08364e73ea085c69e4cccfbc642d11
DarkCloud
384f8a72e54ef9ae93b8aaef4915a6bda260a8abda00c57bb38f2766509cdc48
DarkCloud
bef09c4e715063415146af6323755bbc13c1651c3ba5ac6bcd9acd283489cd5b
DarkCloud
d13c17545242ebec91cb81871e789cdfe30918645bb4d79a76458dd88af5e9a7
DarkCloud
ef0978efe6ad97f9267cee4ba1866bd0154a0a5feb48bfd4aa8faaa278c09111
DarkCloud
f69d7601134fb94a23b3273ed59c85bd5b7847f612e878f1b5c0471e0fb6e7ee
DarkCloud
ff6083a7518515494983fb6e6ac2fb8298e953dbb867a37cf00c850c8d27b6c7
DarkCloud
+ 250 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/221229-17x1qahe9v/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d9ff11ab-69ee-48f8-862b-962af53c0715
Unpacked files
SH256 hash:
544d096545b16b8fad925d02569f357488e12ca11acb33e64b4737557bff4a5d
MD5 hash:
1e3cbaab4ed1697a4a2b784811daa75e
SHA1 hash:
27123aae869b69703cce3c15d586e4bc02de86ee
Link:
https://www.unpac.me/results/50690320-96e8-49b8-9053-0a803ba148ab/
SH256 hash:
0d5d88dc43aa8b58db913ba723acaa6106f2eae2cde854712aed4b1676421d7a
MD5 hash:
4b64dabf31dd95658850c8406d8ddb50
SHA1 hash:
9b12e2980bbff505c7bfa3603b60e27b0a8ae2c5
Link:
https://www.unpac.me/results/50690320-96e8-49b8-9053-0a803ba148ab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0d5d88dc43aa8b58db913ba723acaa6106f2eae2cde854712aed4b1676421d7a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 0d5d88dc43aa8b58db913ba723acaa6106f2eae2cde854712aed4b1676421d7a

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments