MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13ce470fae6d0e88415b25bd7eb623c6aebb9183e9853c23d31921e7a37c0af3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkCloud

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	13ce470fae6d0e88415b25bd7eb623c6aebb9183e9853c23d31921e7a37c0af3
SHA3-384 hash:	e8a0dffdc9dd3f5d22cba6a89c8dfeb61a33730068c325469287f53e7d9b20d6962d0b904520775de7d610ed17ab49a3
SHA1 hash:	e54a7006b3874f3c16342b026acd0c169e0595ef
MD5 hash:	b1d0250f438992f8f851e0fcb9ba2e36
humanhash:	spaghetti-pip-lactose-colorado
File name:	13ce470fae6d0e88415b25bd7eb623c6aebb9183e9853c23d31921e7a37c0af3
Download:	download sample
Signature	DarkCloud Create hunting rule
File size:	1'108'915 bytes
First seen:	2023-02-03 14:25:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep	24576:9TbBv5rUeTYLAXjXXRQFX8KZmhwA5xRMa2tSim8BpS:XBvYUtQSZiaN2ftpS
Threatray	842 similar samples on MalwareBazaar
TLSH	T121351202BEC25672C4A31D32667ABB20B97D75601F65CEDF63914AA8EE316C0D6307F1
TrID	89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.5% (.EXE) Win64 Executable (generic) (10523/12/4) 2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter	adrian__luca
Tags:	DarkCloud exe

Intelligence

File Origin

# of uploads :

# of downloads :

195

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

13ce470fae6d0e88415b25bd7eb623c6aebb9183e9853c23d31921e7a37c0af3

Verdict:

Malicious activity

Analysis date:

2023-02-03 14:25:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d0cc57e8-aeb0-48b9-923b-132a93297f3e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/359935/

Detection(s):

Win.Dropper.Nanocore-9981431-0

Win.Dropper.Nanocore-9984645-0

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% subdirectories

Enabling the 'hidden' option for files in the %temp% directory

Launching a process

Creating a process from a recently created file

Creating a file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/65052/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm greyware nanocore overlay packed setupapi.dll shdocvw.dll shell32.dll

Link:

https://www.filescan.io/uploads/63dd197b1c9cbf7d62559af2/reports/ae8b3167-f1f3-4e9a-9a35-42ae0e5f799c/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/13ce470fae6d0e88415b25bd7eb623c6aebb9183e9853c23d31921e7a37c0af3

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DarkCloud

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/db3ea02d-b886-44c4-b0a4-1ed0cf5fc6ea

Result

Threat name:

DarkCloud

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1165156

Signature

Allocates memory in foreign processes

Antivirus detection for dropped file

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Starts an encoded Visual Basic Script (VBE)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected DarkCloud

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/13ce470fae6d0e88415b25bd7eb623c6aebb9183e9853c23d31921e7a37c0af3/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-01-30 07:09:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 39 (71.79%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cpheod5onuhiqqk3ew6x5nrdy2xlxemd5gctyi6tdeq6pi34blzq._file

Verdict:

malicious

DarkCloud

4505a80b468e6816046c95f93fa332409314ec77d790aa07ed68d4b481feed7b

DarkCloud

51ba2b6912305fd63c041dccff36db067314cab3f93227aaf21990801efa0b25

DarkCloud

60f3966c3a1984024b515a62c1dce029717182dc7a8c7e02b13bc9e5d366fb38

DarkCloud

64359ddf637e15b2f3f8e0360d23caf8d2d5d51680b8709bde3eaa392978043a

DarkCloud

6c50963cb2f68cba3949a030f3e9520c239f096d22de4f104670588758dd9d26

DarkCloud

6f4db9c0b9d6190016964bf3916c3f3a5b8f600ea4ed25955ddce5a45166bc0d

DarkCloud

ced55c9b4b3dba810dc674575818bb4d9dc828d3df6efee4a15d85ac24abd69b

DarkCloud

+ 832 additional samples on MalwareBazaar

Result

Malware family:

darkcloud

Score:

10/10

Tags:

family:darkcloud persistence stealer

Link:

https://tria.ge/reports/230203-rs2wpabc5s/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

DarkCloud

Unpacked files

SH256 hash:

3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a

MD5 hash:

94d1531b52774dce52a89e33646d5b1d

SHA1 hash:

29bf887b025b97bd7a9e1e261852ba824234a625

Link:

https://www.unpac.me/results/df0ec68d-e634-4e8b-99cb-c41ffbbfeb76/

SH256 hash:

f885a40d63e46e455a4e8afeca78f8a4bb284b3dd9b6403e64c3ea53b142059c

MD5 hash:

d85213d4834ecb6724c1efd5fe73fbeb

SHA1 hash:

0ad545faeade168157d663789fece184a9294a9b

Link:

https://www.unpac.me/results/df0ec68d-e634-4e8b-99cb-c41ffbbfeb76/

SH256 hash:

e829089670a40e00e3de8ac6208f0b7aa44be9e2e5bb144cd36d60b7cd9b51f2

MD5 hash:

985813ab15393516f63e94901a96c9f0

SHA1 hash:

03b2460b59ea558292e2e40f997da07ec7dc31bf

Link:

https://www.unpac.me/results/df0ec68d-e634-4e8b-99cb-c41ffbbfeb76/

SH256 hash:

13ce470fae6d0e88415b25bd7eb623c6aebb9183e9853c23d31921e7a37c0af3

MD5 hash:

b1d0250f438992f8f851e0fcb9ba2e36

SHA1 hash:

e54a7006b3874f3c16342b026acd0c169e0595ef

Link:

https://www.unpac.me/results/df0ec68d-e634-4e8b-99cb-c41ffbbfeb76/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/13ce470fae6d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/13ce470fae6d0e88415b25bd7eb623c6aebb9183e9853c23d31921e7a37c0af3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	sfx_pdb Create hunting rule
Author:	@razvialex
Description:	Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/359935/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample