MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10372fcf6428d7349da718054cb7e6025c0c2e16c8e0036eb556591ddc84efba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10372fcf6428d7349da718054cb7e6025c0c2e16c8e0036eb556591ddc84efba
SHA3-384 hash: b9321eba3cd86f835621f812d7c0e0ebfdcd776d98e3ee0855b165e3f9f12b4833eb48b247d7b8f4ea7f2f8724977a5f
SHA1 hash: 3208ee10c89b725c7788ee9274c1447aa2e76014
MD5 hash: 6c0f32e532fb25d8ec8fd1fad5259897
humanhash: item-east-crazy-oxygen
File name:AWB#Original BL,Invoice.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:487'527 bytes
First seen:2023-07-31 06:56:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:/YtyzWTkdbEEdWysNbfEoKHRPYwa2Y+hxreqPPPRwpi8:/Yt2W4dbETtcoKHO34xqewpi8
Threatray 65 similar samples on MalwareBazaar
TLSH T1AAA423289AF2C4FBCA132F72D5AA14815FB5F60514B4636E2F946F7CBE13253D80A253
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags:DarkCloud exe INVOICE

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AWB#Original BL,Invoice.exe
Verdict:
Malicious activity
Analysis date:
2023-07-31 07:04:53 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/87841342-db76-451b-8380-64ee4ed40d12

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/439325/
Detection(s):
Sanesecurity.Rogue.0hr.20230731-0737.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/64c75b404e8e3d763476a156/reports/450c0d50-e044-49b3-b591-12647056fb30/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/10372fcf6428d7349da718054cb7e6025c0c2e16c8e0036eb556591ddc84efba
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b159c2e-f8cc-4449-8ec9-1d726e36e9d4
Result
Threat name:
DarkCloud, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1282961
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Generic Dropper
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1282961 Sample: AWB#Original_BL,Invoice.exe Startdate: 31/07/2023 Architecture: WINDOWS Score: 100 27 Found malware configuration 2->27 29 Multi AV Scanner detection for dropped file 2->29 31 Multi AV Scanner detection for submitted file 2->31 33 8 other signatures 2->33 6 valorised.exe 18 2->6         started        10 AWB#Original_BL,Invoice.exe 18 2->10         started        process3 file4 21 C:\Users\user\AppData\Local\...\ynvripcl.dll, PE32 6->21 dropped 35 Multi AV Scanner detection for dropped file 6->35 37 Detected unpacking (changes PE section rights) 6->37 39 Detected unpacking (overwrites its own PE header) 6->39 47 2 other signatures 6->47 12 valorised.exe 18 6->12         started        23 C:\Users\user\AppData\Local\...\ynvripcl.dll, PE32 10->23 dropped 41 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 10->41 43 Maps a DLL or memory area into another process 10->43 45 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 10->45 16 AWB#Original_BL,Invoice.exe 1 20 10->16         started        signatures5 process6 dnsIp7 49 Tries to harvest and steal browser information (history, passwords, etc) 12->49 25 mail.fundosolar.com 94.46.22.1, 49690, 49694, 49695 ALMOUROLTECPT Portugal 16->25 19 C:\Users\user\AppData\...\valorised.exe, PE32 16->19 dropped file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/10372fcf6428d7349da718054cb7e6025c0c2e16c8e0036eb556591ddc84efba/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-31 06:56:33 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ca3s7t3efdltjhnhdacuzn7gajoaylqwzdqag3vvkzmr3xee565a._file
Verdict:
malicious
Similar samples:
081d698ce05d76d8762d9f725143095a0c3ee39a663c08e4523e951dfab93507
DarkCloud
1f86f42e9b3f949288c425fb5e3a57a6977a0c529e129a84a9c1935e4a2a2482
DarkCloud
5c2f77ce4a869075caec54297208317d3d5c274f8a732f698be0fc51cb81ae6e
DarkCloud
62e14feb0e0a4b6b36e258f63af59d4b68809fe0761b6c58c7ecdea90f4f2c1d
DarkCloud
6923fdc205daf214ddfdcfc83f398da7646f48d4c3e432b7df373a2d2f5ba1ba
DarkCloud
9e344f8b66654ed20bf36cfd5c2e0d7108b26a3eeab566ee261b64a495ddc8b3
DarkCloud
ad9af6543f3eda2c556ad005fc4f5b3b3b5298f54312d1fda5354534903f55af
DarkCloud
b49944bb720e52f3f29bce89cda550a1ffaa4387849cbdc4a7be74f7e02a0aea
DarkCloud
d4dacbc0546a45d26b7b9d58836b7905a919155b4063825988500e70c739d1f3
DarkCloud
+ 55 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230731-hqya2seb2y/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
DarkCloud
Unpacked files
SH256 hash:
27c697b130c816b682bd8329d344371768a95d276d3d9621051f926f77a3315a
MD5 hash:
acf3e365488622b93250b943f9d34d3f
SHA1 hash:
7bb20829d91fc306e85a7e74d11b786ab0637b5d
Link:
https://www.unpac.me/results/43c2e0e5-bf61-40e5-af44-fb61aff792dc/
SH256 hash:
10372fcf6428d7349da718054cb7e6025c0c2e16c8e0036eb556591ddc84efba
MD5 hash:
6c0f32e532fb25d8ec8fd1fad5259897
SHA1 hash:
3208ee10c89b725c7788ee9274c1447aa2e76014
Link:
https://www.unpac.me/results/43c2e0e5-bf61-40e5-af44-fb61aff792dc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/10372fcf6428/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

zip 6659ed6a40b06ed276c3b0b7bd98d484e6102436eb1260a88442263a17f061c7

DarkCloud

Executable exe 10372fcf6428d7349da718054cb7e6025c0c2e16c8e0036eb556591ddc84efba

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 6659ed6a40b06ed276c3b0b7bd98d484e6102436eb1260a88442263a17f061c7
Cape
Cape
https://www.capesandbox.com/analysis/439325/
  
Dropped by
MD5 be7d0e9fa2722246f329f1e6a02d0cc5

Comments