MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d9b2c3014ecd8c4efcb87764ff24c84f41e4dcfed3853e9e2bb1d20f94f3bee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkCloud

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	0d9b2c3014ecd8c4efcb87764ff24c84f41e4dcfed3853e9e2bb1d20f94f3bee
SHA3-384 hash:	ddf43b3f21b7f2ef8f9dff53daa936377e888bf8fda85533fa7d9588de446c0bc5045ef0098600bc2b03f040a3015414
SHA1 hash:	65c9dfa7c1613bf29f7fdfa8b2e810dd10d912a8
MD5 hash:	c081be931853c2aa2946875ce6451e83
humanhash:	jupiter-nuts-april-april
File name:	BBVA.exe
Download:	download sample
Signature	DarkCloud Create hunting rule
File size:	2'648'576 bytes
First seen:	2025-09-18 06:44:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fdfe7fa6fe4460148cc13232a4b36c71 (1 x DarkCloud, 1 x DiamotrixClipper)
ssdeep	24576:1EGmzvklH4GBW3TPwffCQIA5r9/mDzWibxxSJXkFx9d/aPjiyrGj9W91io+LQijc:jMLwXJIA5SWIxwpQf/azr89WdYran3
TLSH	T10DC5BE25FC36D189ECE38071BF2AD211E5222D37DF28226B91DC4D900565DEEB62E17B
TrID	63.5% (.EXE) Win64 Executable (generic) (10522/11/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	abuse_ch
Tags:	BBVA DarkCloud exe

Intelligence

File Origin

# of uploads :

# of downloads :

118

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

BBVA.exe

Verdict:

Malicious activity

Analysis date:

2025-09-18 07:35:13 UTC

Tags:

stealer evasion darkcloud smtp

Link:

https://app.any.run/tasks/6433c924-9cdd-47a5-9490-2c4cdc794bc7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

A310Logger

Link:

https://www.capesandbox.com/analysis/28084/

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68cbaabd88b954439247a39f

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Сreating synchronization primitives

Creating a window

DNS request

Connection attempt

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fingerprint microsoft_visual_cc obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/68cbac2173287948292e6941/reports/885a961d-3c52-4d2a-bbcd-b3f32770404a/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/0d9b2c3014ecd8c4efcb87764ff24c84f41e4dcfed3853e9e2bb1d20f94f3bee

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-09-17T13:50:00Z UTC

Last seen:

2025-09-17T13:50:00Z UTC

Hits:

~10000

Link:

https://opentip.kaspersky.com/0d9b2c3014ecd8c4efcb87764ff24c84f41e4dcfed3853e9e2bb1d20f94f3bee/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/354f458a-d12c-4b4d-bd44-7c6f8452b0d6

Result

Threat name:

DarkCloud

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1779794

Signature

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected DarkCloud

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0d9b2c3014ecd8c4efcb87764ff24c84f41e4dcfed3853e9e2bb1d20f94f3bee

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/c081be931853c2aa2946875ce6451e83

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0d9b2c3014ecd8c4efcb87764ff24c84f41e4dcfed3853e9e2bb1d20f94f3bee/

Threat name:

Win64.Trojan.LummaStealer

Status:

Malicious

First seen:

2025-09-17 20:38:16 UTC

File Type:

PE+ (Exe)

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bwnsymau5tmmj36lq53e74smqt2b4top5u4fh2pcxmosb6kphpxa._file

Result

Malware family:

darkcloud

Score:

10/10

Tags:

family:darkcloud discovery stealer

Link:

https://tria.ge/reports/250918-hm5wqabq8v/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

DarkCloud

Darkcloud family

Verdict:

Malicious

Tags:

DarkCloud

YARA:

n/a

Link:

https://app.threat.zone/submission/48032515-8aff-4980-b691-15c719be7bea

Unpacked files

SH256 hash:

0d9b2c3014ecd8c4efcb87764ff24c84f41e4dcfed3853e9e2bb1d20f94f3bee

MD5 hash:

c081be931853c2aa2946875ce6451e83

SHA1 hash:

65c9dfa7c1613bf29f7fdfa8b2e810dd10d912a8

Link:

https://www.unpac.me/results/2bc37f86-54b7-498e-821b-939a34fdb238/

Malware family:

DarkCloud

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0d9b2c3014ec/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0d9b2c3014ecd8c4efcb87764ff24c84f41e4dcfed3853e9e2bb1d20f94f3bee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/28084/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample