MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13234deb8805790054a2b14600b34ebe533ac315b285f170b309bc1f236ea8d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkCloud

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	13234deb8805790054a2b14600b34ebe533ac315b285f170b309bc1f236ea8d9
SHA3-384 hash:	53753f070f0e56e27701969ef9f62547e2042b6be0114b3ce35ea0eaf48433a3c62015ecbe92e8703b25d9174424fd8a
SHA1 hash:	b7d5311163f6fb999f3123e20074915186888b5c
MD5 hash:	f524f0151e3d887addd512f2cd98dada
humanhash:	illinois-fanta-arkansas-charlie
File name:	PO.rar
Download:	download sample
Signature	DarkCloud Create hunting rule
File size:	843'978 bytes
First seen:	2023-04-18 13:04:57 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	24576:BNKS8WXlmaOfCSVBun0GP4Mq/m3JOrtYcDZEVEVMniP:JcaOXVBunlP4MmoOxFEVEVMiP
TLSH	T1200533D1B683D2209B7E68A4F91AE9481CF685143592070D1741F4DE73F6CF6AA8BFC0
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	DarkCloud rar

cocaman

Malicious email (T1566.001)
From: "Akramul Alam <akram@royalcapitalbd.com>" (likely spoofed)
Received: "from royalcapitalbd.com (unknown [45.137.22.59]) "
Date: "18 Apr 2023 09:37:04 +0200"
Subject: "Purchases Order"
Attachment: "PO.rar"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	PO.exe
File size:	938'496 bytes
SHA256 hash:	5a592b895a2d661b84fe545722cd01c7eec0998b5c92e43cbcd582723e5d0d7b
MD5 hash:	ecfe245fe1b78fff84ba32432734f321
MIME type:	application/x-dosexec
Signature	DarkCloud

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Rogue.0hr.20230418-1032.UNOFFICIAL

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/13234deb8805790054a2b14600b34ebe533ac315b285f170b309bc1f236ea8d9/results/dashboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/643e95808ecb3afce931de34/reports/f1f68445-85aa-42bd-8116-fbe0458c9263/overview

Verdict:

Malicious

Labled as:

Mal/DrodRar

Link:

https://www.hybrid-analysis.com/sample/13234deb8805790054a2b14600b34ebe533ac315b285f170b309bc1f236ea8d9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/13234deb8805790054a2b14600b34ebe533ac315b285f170b309bc1f236ea8d9/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cmru324iav4qavfcwfdabm2oxzjtvqyvwkc7c4ftbg6b6i3ovdmq._file

Result

Malware family:

darkcloud

Score:

10/10

Tags:

family:darkcloud stealer

Link:

https://tria.ge/reports/230418-tt8fzacf43/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

DarkCloud

Malware Config

C2 Extraction:

https://api.telegram.org/bot6267068129:AAE4AO_gQGAeEakYl26r7KthrUjdWAdy5c0/sendMessage?chat_id=1909112828

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/13234deb8805790054a2b14600b34ebe533ac315b285f170b309bc1f236ea8d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.