MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0eeb4d57a938c639ea9d8c9bd557f8540ce29017414ba7801b4c15e42e4c08ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0eeb4d57a938c639ea9d8c9bd557f8540ce29017414ba7801b4c15e42e4c08ed
SHA3-384 hash: 1c1a51afcb60e71a7e708846b102f48a7edf455ae793f8b7c231a60212609adb54cb21b73371e2d4d6424b7b8c2736f5
SHA1 hash: c425fdea0cc580e5b50bcc1b18e45ac11a879cd6
MD5 hash: fbcedee23bb560f3b01e95f86a4df505
humanhash: monkey-foxtrot-fillet-carolina
File name:Comprobante de pago.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:52'224 bytes
First seen:2025-08-26 09:12:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:0LgVYwyUj3/3QKIe/rz48K4w8KX4gKsyuwHwf2KK65Ijnr2guDEm8S9Vgqgb:IgVYwlfQIvn8X6/fHHnr2vDZgqm
Threatray 593 similar samples on MalwareBazaar
TLSH T15C332A286BCC9A63C5EA4BBED8D277900774B0B6E70FEB0B298401351D177E69813E57
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter adrian__luca
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
55
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Comprobantedepago.exe
Verdict:
Malicious activity
Analysis date:
2025-08-26 09:15:58 UTC
Tags:
auto-startup evasion stealer darkcloud upx
Link:
https://app.any.run/tasks/b8a30253-c421-4ddc-b2c3-9429f4596858

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23613/
Detection(s):
Win.Packed.Msilheracles-10017859-0
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ad7a7feb163e0ec182bb28
Tags:
smartassembly autorun packed virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packed smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/68ad7a952a70220b68d9a002/reports/5461f922-4c46-43ba-b2af-fb95dce1bcf5/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/0eeb4d57a938c639ea9d8c9bd557f8540ce29017414ba7801b4c15e42e4c08ed
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-21T12:25:00Z UTC
Last seen:
2025-08-21T12:25:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/0eeb4d57a938c639ea9d8c9bd557f8540ce29017414ba7801b4c15e42e4c08ed/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f680bb37-a4c4-460b-afe6-b1ef2d18563e
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0eeb4d57a938c639ea9d8c9bd557f8540ce29017414ba7801b4c15e42e4c08ed
Verdict:
inconclusive
YARA:
8 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.43 Win 32 Exe x86
Link:
https://app.malva.re/file/fbcedee23bb560f3b01e95f86a4df505
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0eeb4d57a938c639ea9d8c9bd557f8540ce29017414ba7801b4c15e42e4c08ed/
Verdict:
Malicious
Threat:
Family.DARKCLOUD
Link:
https://tip.neiki.dev/file/0eeb4d57a938c639ea9d8c9bd557f8540ce29017414ba7801b4c15e42e4c08ed
Threat name:
Win32.Trojan.Genie
Create hunting rule
Status:
Malicious
First seen:
2025-08-21 15:30:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
24 of 36 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b3vu2v5jhdddt2u5rsn5kv7ykqgofeaxiff2paa3jqk6ilsmbdwq._file
Verdict:
malicious
Label(s):
darkcloudstealer
Create hunting rule
Similar samples:
0eeb4d57a938c639ea9d8c9bd557f8540ce29017414ba7801b4c15e42e4c08ed
DarkCloud
289574c91e6ea859bad69b437b5e803a27299ef7ca4469a691052c1cca1eead1
DarkCloud
4b8732ba48e279bad32a8e2c4f8fa46285b65f8a965e8005a6f991f924e1d9eb
DarkCloud
5eb19df5b8654b6c0879e761ce44bb7fe61727710d96aeac36a0a501efee6159
DarkCloud
7f5b09b2071ce28f9288ecc2d5c30e9d25753b836c219df62f899f05292c0223
DarkCloud
7fcf599838680e41a18f0790c454f3b96b59d9c65878268bb137d2a520ac4d6a
DarkCloud
88b262717657dd4ffbb76a04691859a743d76989fc0a41a3966f6e807923badf
DarkCloud
c74a3e57eaffe14c36fe82c83887e8a1f7943ffffc73c073c616b61d90e43210
DarkCloud
error
DarkCloud
+ 583 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud discovery stealer
Link:
https://tria.ge/reports/250826-k6mklaw1ax/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Drops startup file
DarkCloud
Darkcloud family
Verdict:
Malicious
Tags:
Win.Packed.Msilheracles-10017859-0
YARA:
n/a
Link:
https://app.threat.zone/submission/e28be64a-e3c0-4444-8c4b-41d6bf53bb15
Unpacked files
SH256 hash:
0eeb4d57a938c639ea9d8c9bd557f8540ce29017414ba7801b4c15e42e4c08ed
MD5 hash:
fbcedee23bb560f3b01e95f86a4df505
SHA1 hash:
c425fdea0cc580e5b50bcc1b18e45ac11a879cd6
Detections:
PureCrypter_Stage1
Create hunting rule
Link:
https://www.unpac.me/results/eb802581-51c6-45b1-a964-2b1d5ea49955/
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0eeb4d57a938/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/0eeb4d57a938c639ea9d8c9bd557f8540ce29017414ba7801b4c15e42e4c08ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 0eeb4d57a938c639ea9d8c9bd557f8540ce29017414ba7801b4c15e42e4c08ed

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23613/

Comments


Avatar
Kasibe commented on 2025-08-26 12:17:40 UTC

AgentTesla