MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0de1bc51417ff52dbd8dea0137ce230d6ee9f0ecf5c8b8391288ac4be7f40337. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0de1bc51417ff52dbd8dea0137ce230d6ee9f0ecf5c8b8391288ac4be7f40337
SHA3-384 hash: 04fda57a99b3f72f6cc43e861a09fae6490a2f4bd03dfe7cadd77f1a6e5f588d3a4c2fbe39bf379001972339d2db2ced
SHA1 hash: a46a9769247851a122430b059f5a778e4867d984
MD5 hash: 5a8bcfee3089263cff5f5741d04bdc45
humanhash: uniform-aspen-coffee-harry
File name:BBVA PAGO________________________________.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'611'264 bytes
First seen:2025-10-27 09:27:46 UTC
Last seen:2025-11-06 11:20:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:PYG70BxGPGZD52AmKBhSHIp7bGt4w5aYET0iXhxQYMWz/HfHHCqFM0WM+nSxTsv6:T0BxGPGZD52ASy1w5NCQWjsiiF4
Threatray 318 similar samples on MalwareBazaar
TLSH T10275D891F4A024B29147A6BC90AE054F8F2931EBE986511FF19C6BC52F1FD82B5C7E43
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
142
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BBVA PAGO________________________________.exe
Verdict:
No threats detected
Analysis date:
2025-10-27 09:36:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/202ca18d-cb4a-4bcd-9127-c6d2f0ff8d49

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34265/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ff3b2e6c859164aa652cb1
Tags:
autorun micro virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt to an infection source
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% directory
Launching a process
Creating a window
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Setting a single autorun event
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/0de1bc51417ff52dbd8dea0137ce230d6ee9f0ecf5c8b8391288ac4be7f40337
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-24T11:52:00Z UTC
Last seen:
2025-10-29T07:09:00Z UTC
Hits:
~10000
Detections:
HEUR:Backdoor.Win32.Androm.gen Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.DarkCloud.sb Trojan.MSIL.Inject.sb VHO:Trojan-PSW.Win32.Agent.gen Trojan-Spy.Agent.SMTP.C&C PDM:Trojan.Win32.Generic Trojan-PSW.MSIL.Agentb.sb Trojan.MSIL.Dnoper.sb Trojan-Downloader.Agent.TCP.Download Trojan.Agent.HTTP.C&C Trojan-PSW.Win32.Stelega.sb Trojan-PSW.MSIL.PureLogs.sb Trojan.MSIL.Agent.sb HackTool.ReconScan.TCP.ServerRequest not-a-virus:PDM:AdWare.Win32.Vopak.a NetTool.PlainTextCredentials.SMTP.C&C
Link:
https://opentip.kaspersky.com/0de1bc51417ff52dbd8dea0137ce230d6ee9f0ecf5c8b8391288ac4be7f40337/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/dcfbca2d-52e6-4b62-b2b6-0a15c3018bba
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1802274
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Double Extension File Execution
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected DarkCloud
Yara detected Generic Dropper
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1802274 Sample: BBVA PAGO__________________... Startdate: 27/10/2025 Architecture: WINDOWS Score: 100 41 showip.net 2->41 43 energytulcea.ro 2->43 49 Suricata IDS alerts for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 55 12 other signatures 2->55 8 BBVA PAGO________________________________.exe 15 5 2->8         started        13 wscript.exe 1 2->13         started        15 flowerlessness.exe 2->15         started        17 flowerlessness.exe 2->17         started        signatures3 process4 dnsIp5 47 energytulcea.ro 185.171.186.168, 443, 49690, 49693 GTSCEGTSCentralEuropeAntelGermanyCZ Romania 8->47 35 C:\Users\user\AppData\...\InputBlockSize.exe, PE32 8->35 dropped 37 C:\Users\user\AppData\...\InputBlockSize.vbs, ASCII 8->37 dropped 39 C:\...\InputBlockSize.exe:Zone.Identifier, ASCII 8->39 dropped 67 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->67 69 Writes to foreign memory regions 8->69 71 Injects a PE file into a foreign processes 8->71 19 InstallUtil.exe 1 16 8->19         started        73 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->73 24 InputBlockSize.exe 14 2 13->24         started        26 conhost.exe 15->26         started        28 conhost.exe 17->28         started        file6 signatures7 process8 dnsIp9 45 showip.net 162.55.60.2, 49691, 49695, 80 ACPCA United States 19->45 33 C:\Users\user\AppData\...\flowerlessness.exe, PE32 19->33 dropped 57 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->57 59 Tries to steal Mail credentials (via file / registry access) 19->59 61 Multi AV Scanner detection for dropped file 24->61 63 Writes to foreign memory regions 24->63 65 Injects a PE file into a foreign processes 24->65 30 InstallUtil.exe 12 24->30         started        file10 signatures11 process12 signatures13 75 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 30->75 77 Tries to steal Mail credentials (via file / registry access) 30->77 79 Tries to harvest and steal browser information (history, passwords, etc) 30->79
Score:
69%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/0de1bc51417ff52dbd8dea0137ce230d6ee9f0ecf5c8b8391288ac4be7f40337
Verdict:
inconclusive
YARA:
13 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.41 Win 32 Exe x86
Link:
https://app.malva.re/file/5a8bcfee3089263cff5f5741d04bdc45
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0de1bc51417ff52dbd8dea0137ce230d6ee9f0ecf5c8b8391288ac4be7f40337/
Verdict:
Malicious
Threat:
Family.DARKCLOUD
Link:
https://tip.neiki.dev/file/0de1bc51417ff52dbd8dea0137ce230d6ee9f0ecf5c8b8391288ac4be7f40337
Threat name:
ByteCode-MSIL.Trojan.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-10-24 15:09:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
61
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bxq3yukbp72s3pmn5iatptrdbvxot4hm6xelqoisrcwexz7uam3q._file
Verdict:
malicious
Label(s):
unc_loader_078
Create hunting rule
darkcloudstealer
Create hunting rule
Similar samples:
04bb87af9d457db9e52f561272e1702ec4df1c9c569a3c3c1d67f57dec95a5ae
DarkCloud
119fc86e6162b86de92c1e1079a7542011f21ecca441cea21fd5989381412074
DarkCloud
2c3a611bea6cc4b910ba984a106510c25cfd40435ebdc45df46611603e0c1118
DarkCloud
34159f583493176fa487b30736078ffbf9394ecc7b3af5386e146d0144c26117
DarkCloud
353b1688323991c3f115a38fad20b8e7056c5ce6aa79fa0f1866fc4da825f109
DarkCloud
6ae5bc7d9246280c099573e968176fe7ce17dc2f3d673a4d0ab03f5022a2b86e
DarkCloud
bfb08f6e69c9a8702f612f5c0e90599ef48c9d7270cc5a88611ff7555be2d0e1
DarkCloud
error
DarkCloud
+ 308 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/251027-lfrmasb16f/
Behaviour
Suspicious use of AdjustPrivilegeToken
Program crash
System Location Discovery: System Language Discovery
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2257ab25-4e0e-4af7-8947-1fb122a8bc2c
Unpacked files
SH256 hash:
0de1bc51417ff52dbd8dea0137ce230d6ee9f0ecf5c8b8391288ac4be7f40337
MD5 hash:
5a8bcfee3089263cff5f5741d04bdc45
SHA1 hash:
a46a9769247851a122430b059f5a778e4867d984
Link:
https://www.unpac.me/results/fc2f5c14-30e9-42fa-92ba-6ee6a1d6ee02/
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0de1bc51417f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/0de1bc51417ff52dbd8dea0137ce230d6ee9f0ecf5c8b8391288ac4be7f40337

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 0de1bc51417ff52dbd8dea0137ce230d6ee9f0ecf5c8b8391288ac4be7f40337

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/34265/

Comments