MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1674385f431fe6feb1229c9414b4b3cc92003b40ea9a5a18c03999f324ec84e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1674385f431fe6feb1229c9414b4b3cc92003b40ea9a5a18c03999f324ec84e2
SHA3-384 hash: 076b22ee18e7cecc9ee670aea78c61b71e2ea10a18baf383475f1ee59ed167b317ce04f31426ec8bad41c60bb56a20f4
SHA1 hash: b3917a9a91a4d6509c105a10a66e7fb5eeb643cf
MD5 hash: fe77f794ae922e53997da40955af0141
humanhash: failed-fillet-tennessee-eleven
File name:Request Quotation 09800.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:452'885 bytes
First seen:2023-04-12 12:51:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:/YShar6NvoyhgLVGGE6cSL2CjylDOLvemVm2SYdw:/YS+2AydG/FLwqve7sw
Threatray 57 similar samples on MalwareBazaar
TLSH T1F5A4225157A0D1F7DBA61B32523A873329A9D24109F95A970B32EFD93D2A0418F4F3B3
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:DarkCloud exe Telegram

Intelligence

File Origin
# of uploads :
1
# of downloads :
246
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Request Quotation 09800.exe
Verdict:
Malicious activity
Analysis date:
2023-04-12 12:58:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/720db75a-813b-4a55-8f50-6f61e632c2c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381793/
Detection(s):
SecuriteInfo.com.Gen.Variant.Fragtor.256758.26055.17483.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/77603/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo formbook nemesis overlay packed remcos shell32.dll
Link:
https://www.filescan.io/uploads/6436a973bed9852f35ba3081/reports/e15a080a-02d1-4910-b9c0-eaa28126353f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/1674385f431fe6feb1229c9414b4b3cc92003b40ea9a5a18c03999f324ec84e2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ec1fa01d-1eef-4537-be43-36b40025759e
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1212659
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Generic Dropper
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1674385f431fe6feb1229c9414b4b3cc92003b40ea9a5a18c03999f324ec84e2/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-04-11 23:34:22 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
12 of 34 (35.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cz2dqx2dd7tp5mjctskbjnftzsjaao2a5knfuggahgm7gjhmqtra._file
Verdict:
malicious
Similar samples:
215f6b10529ab1fabb0bdd0c1094980b581cad69228aa1724465ae4942945efe
DarkCloud
2c052f280518499f2bccb0395a93567ee0ca625904ce0bb5b5302ed55598cbbd
DarkCloud
3ab507d581b15a3ab4f0069436f49e77d80fb40f00c8218fd5f41815da3b46fa
DarkCloud
51a0bb47c795950136c662cb09a2efd39d2d4c1cdd1d16e1430506d3a6160220
DarkCloud
5f8e2b838a675ecd820088d6c390a7f77cfb86f866648767ef51da2c3481b013
DarkCloud
61bdf1ced40df618fd0eb1a5977024b167471b9eb9b4dc62309481462cd88a33
DarkCloud
630f2becb05a49664975e0561dd7f4a45690c3cc1c039816c5b1961caf0c2980
DarkCloud
d9fb5f10465038710b0e96b46a5e97d2797667c6c07c5246a4d9f49233055ed4
DarkCloud
e1ad02b9c0748d0adf302dea6ec50274153644d8d8967d3945944b6c72390fdd
DarkCloud
+ 47 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230412-p32ybscd43/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
DarkCloud
Malware Config
C2 Extraction:
https://api.telegram.org/bot6220925905:AAFbd3Et4YQi4C1WTvNkPbMsAOdz5c8giT0/sendMessage?chat_id=5463149861
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/8d84206b-f15b-4627-b248-93a6882bd71c/
SH256 hash:
5bab29c1a861ea970311f06526cde8da92cde3b24319043294410175ef4b5ae3
MD5 hash:
5a209236d1cd0ec140bb7f51441fecd0
SHA1 hash:
a44cffb8165b9347c8ebd31cde4bbe569c1ae552
Link:
https://www.unpac.me/results/8d84206b-f15b-4627-b248-93a6882bd71c/
SH256 hash:
0b3dea8a21acf10b78e9730f219408c6bf366472cae834c1a7aa2fff65db6c39
MD5 hash:
a11ea2c414fd0cf66a3d2491cbea8cf1
SHA1 hash:
b20c2d91285c503dd9f599973affe1b033c0b52c
Link:
https://www.unpac.me/results/8d84206b-f15b-4627-b248-93a6882bd71c/
SH256 hash:
1674385f431fe6feb1229c9414b4b3cc92003b40ea9a5a18c03999f324ec84e2
MD5 hash:
fe77f794ae922e53997da40955af0141
SHA1 hash:
b3917a9a91a4d6509c105a10a66e7fb5eeb643cf
Link:
https://www.unpac.me/results/8d84206b-f15b-4627-b248-93a6882bd71c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1674385f431fe6feb1229c9414b4b3cc92003b40ea9a5a18c03999f324ec84e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 1674385f431fe6feb1229c9414b4b3cc92003b40ea9a5a18c03999f324ec84e2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/381793/

Comments