MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 104ef2e1223676a6d315da9de43b53286de58d5a390cb6d8c0ef391e7ee23a86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 104ef2e1223676a6d315da9de43b53286de58d5a390cb6d8c0ef391e7ee23a86
SHA3-384 hash: ca19ec628f4450a91b88c30be26807f2dd0dd8906735300c153f3699427fbe47fd73b9d2c3d11b0e72ff0e96a698876e
SHA1 hash: d055296d7fd791d183bb0f0f76f5ec3cee9f20ba
MD5 hash: 800a0b4b8ddda01cebc470f15c690b7b
humanhash: michigan-charlie-alpha-cola
File name:SecuriteInfo.com.Win32.PWSX-gen.20613.30343
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'048'576 bytes
First seen:2023-05-30 05:40:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:QLPLaVUH999/2ZVnYKd+13AI02rWTgI+HAfG4xLVQTleQ2ZG:QXBH9+tA13LrWaDOV6UQ2
Threatray 1'918 similar samples on MalwareBazaar
TLSH T1AC252352AF4AD56FC3931F780A4833B4E1FC82E9F971A71B2D4A95A8EB49F0E1041717
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0060696969714410 (13 x AgentTesla, 7 x SnakeKeylogger, 7 x Loki)
Reporter SecuriteInfoCom
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.20613.30343
Verdict:
Suspicious activity
Analysis date:
2023-05-30 05:42:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/15d09286-3025-491d-9607-8c261fdfdffa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/393272/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.20613.30343.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64758c3476149e71a5d4ad48/reports/492e0798-ed62-4191-a984-18957b4965f0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/104ef2e1223676a6d315da9de43b53286de58d5a390cb6d8c0ef391e7ee23a86
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f3f2dcc9-ac97-41b8-92cb-157c7ae31321
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1244878
Signature
.NET source code contains potential unpacker
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 877892 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 30/05/2023 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 5 other signatures 2->43 6 abadia.exe 3 2->6         started        9 SecuriteInfo.com.Win32.PWSX-gen.20613.30343.exe 3 2->9         started        12 abadia.exe 2 2->12         started        process3 file4 45 Multi AV Scanner detection for dropped file 6->45 47 May check the online IP address of the machine 6->47 49 Machine Learning detection for dropped file 6->49 14 abadia.exe 15 6->14         started        18 abadia.exe 6->18         started        20 abadia.exe 6->20         started        31 SecuriteInfo.com.W...20613.30343.exe.log, ASCII 9->31 dropped 51 Writes or reads registry keys via WMI 9->51 53 Injects a PE file into a foreign processes 9->53 22 SecuriteInfo.com.Win32.PWSX-gen.20613.30343.exe 1 17 9->22         started        25 abadia.exe 1 12->25         started        27 abadia.exe 12->27         started        signatures5 process6 dnsIp7 33 192.168.2.1 unknown unknown 14->33 55 Tries to harvest and steal browser information (history, passwords, etc) 14->55 57 Tries to steal Crypto Currency Wallets 14->57 35 showip.net 162.55.60.2, 49702, 49703, 80 ACPCA United States 22->35 29 C:\Users\user\AppData\Roaming\...\abadia.exe, PE32 22->29 dropped file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/104ef2e1223676a6d315da9de43b53286de58d5a390cb6d8c0ef391e7ee23a86/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-05-30 05:40:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cbhpfyjcgz3knuyv3ko6io2tfbw6ldk2heglnwga544r47xchkda._file
Verdict:
malicious
Similar samples:
114f4e62ec2b81ab45799a56b183ef282b2bc5c172fd9831af33c154b23034ea
DarkCloud
1160e9c27f4550464b8426b3490c6735c53be0f3a5a56b4daf1ca13ade039edb
DarkCloud
174ed156f6f1c67a8b09b72ab463b69c2d9aae053a5dffb6d4630bdea6308153
DarkCloud
3ebff29a9b26f2a968315a7aada1b6aa885afd56a0d8d54e5875371c42dd3520
DarkCloud
5a592b895a2d661b84fe545722cd01c7eec0998b5c92e43cbcd582723e5d0d7b
DarkCloud
605f71ec40753fc1ed109e605c82d7817754acf6f2ad10adf0699aec99173609
DarkCloud
a2568c55311566d7907ad76b9b833d696ca45eb06b06e581a1e673d4442c613e
DarkCloud
a91dca5f2e89d48fdb09b37bf972be6ef686f4ae84ee01b9684ab968068d0c93
DarkCloud
d9880865beba3895d3079082b5e59ab582559e1ac49aa21a2588db39132a5246
DarkCloud
ec1d8e37579205e9a77b181f281dfac637d28a5a446a03327698b8004e33249c
DarkCloud
+ 1'908 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230530-gcv34afg8t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
DarkCloud
Malware Config
C2 Extraction:
https://api.telegram.org/bot6267068129:AAE4AO_gQGAeEakYl26r7KthrUjdWAdy5c0/sendMessage?chat_id=1909112828
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/c73f7985-7b89-45ee-8ab0-9921f9b3be82/
SH256 hash:
1365c4cd239fb76d18543dbcd330f72803f4cd95dade7ab4e8be4c9d89aad495
MD5 hash:
e3815d0d4e153d91707bdfea9adc6030
SHA1 hash:
5df645c1cd5570a989e2756c52662908f9383332
Link:
https://www.unpac.me/results/c73f7985-7b89-45ee-8ab0-9921f9b3be82/
SH256 hash:
f73127c47fefaf334aa5fe613bcc8a410018fc5115db1e6955361e1e47459358
MD5 hash:
19767a61067f67a02718fb0dda940b60
SHA1 hash:
d63eb4a2b6497954de68d0bf6073b9dd04023da6
Link:
https://www.unpac.me/results/c73f7985-7b89-45ee-8ab0-9921f9b3be82/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/c73f7985-7b89-45ee-8ab0-9921f9b3be82/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
4289a1eeae4ff309e64235a6540d47f5b8f77cc98cfc517c631e3b7966c09566
MD5 hash:
e1fea321b94c2495a73f0fc04e924068
SHA1 hash:
4cdf94772c3046df3dad9971df18a0fe5b1fd7c4
Link:
https://www.unpac.me/results/c73f7985-7b89-45ee-8ab0-9921f9b3be82/
SH256 hash:
f65d6c87102a18d7897c08ba82697e0b4808a8307b584d25a42aea016a41e7f8
MD5 hash:
7299310139d8fd6d9f2c067d13b3824e
SHA1 hash:
3bbc1160b82f289b5e8683d790a2ec1263998930
Link:
https://www.unpac.me/results/c73f7985-7b89-45ee-8ab0-9921f9b3be82/
SH256 hash:
104ef2e1223676a6d315da9de43b53286de58d5a390cb6d8c0ef391e7ee23a86
MD5 hash:
800a0b4b8ddda01cebc470f15c690b7b
SHA1 hash:
d055296d7fd791d183bb0f0f76f5ec3cee9f20ba
Link:
https://www.unpac.me/results/c73f7985-7b89-45ee-8ab0-9921f9b3be82/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/104ef2e12236/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/104ef2e1223676a6d315da9de43b53286de58d5a390cb6d8c0ef391e7ee23a86

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/393272/

Comments