MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 188b761d7dcaa76f11517e1f1675487d6127d0d942b20a56a5ea4127395c571b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkCloud

Vendor detections: 14

Intelligence 14 IOCs YARA 6 File information Comments

SHA256 hash:	188b761d7dcaa76f11517e1f1675487d6127d0d942b20a56a5ea4127395c571b
SHA3-384 hash:	3309e9886216dcc080725609c4e16ba1031348bdac521035e34c09bf4850eb2b9b9eac8238298932607e87cdf7129027
SHA1 hash:	7c99842b77533063b7fe57f787849e84084566fe
MD5 hash:	963bc16dc6f4b1372c6cc999cd434d2b
humanhash:	may-lemon-twenty-ack
File name:	188b761d7dcaa76f11517e1f1675487d6127d0d942b20a56a5ea4127395c571b
Download:	download sample
Signature	DarkCloud Create hunting rule
File size:	1'513'472 bytes
First seen:	2025-09-05 13:28:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:sjLgPyC/bDRGAZ/xOftanz8YZJetKdgG:scDzFGcE48YZJN
TLSH	T112656B9463D5BD04C53F37753768B05483F2E8DBAAA1C20F0DD565DB37B2A412F82AA2
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	DarkCloud exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

188b761d7dcaa76f11517e1f1675487d6127d0d942b20a56a5ea4127395c571b

Verdict:

Malicious activity

Analysis date:

2025-09-05 23:24:06 UTC

Tags:

httpdebugger tool auto-reg

Link:

https://app.any.run/tasks/54421bfb-d270-45fe-ba8a-4058ed2b0bfd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/25750/

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68bae62a3e988eb6ab83cb66

Tags:

micro shell msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Running batch commands

Launching a process

Creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger obfuscated obfuscated obfuscated snake vbnet

Link:

https://www.filescan.io/uploads/68baf9d1a64010de766e3e08/reports/e6c12e56-8aa7-45dd-98e4-b8a5803eb7bf/overview

Verdict:

Malicious

Labled as:

Trojan.MSIL.Basic.8

Link:

https://www.hybrid-analysis.com/sample/188b761d7dcaa76f11517e1f1675487d6127d0d942b20a56a5ea4127395c571b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-08-27T08:54:00Z UTC

Last seen:

2025-08-27T08:54:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/188b761d7dcaa76f11517e1f1675487d6127d0d942b20a56a5ea4127395c571b/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/7b3554c0-3b66-4d17-8402-b40fecf92451

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/188b761d7dcaa76f11517e1f1675487d6127d0d942b20a56a5ea4127395c571b

Verdict:

inconclusive

YARA:

9 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86

Link:

https://app.malva.re/file/963bc16dc6f4b1372c6cc999cd434d2b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/188b761d7dcaa76f11517e1f1675487d6127d0d942b20a56a5ea4127395c571b/

Threat name:

ByteCode-MSIL.Trojan.Kepavll

Status:

Malicious

First seen:

2025-08-27 11:41:30 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 36 (69.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dcfxmhl5zktw6ekrpyprm5kipvqspugzikzauvvf5jasook4k4nq._file

Result

Malware family:

darktortilla

Score:

10/10

Tags:

family:darktortilla crypter discovery loader persistence

Link:

https://tria.ge/reports/250905-r71beacl21/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Adds Run key to start application

Executes dropped EXE

Darktortilla

Darktortilla family

Detects Darktortilla crypter.

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9b8ced67-603a-4f8e-b9f8-59e7f0df33eb

Unpacked files

SH256 hash:

003ddf8ddfc7afbc21df8ab9dd223df737b6ec66d1ff65ffc8d1f54a43ae7a2c

MD5 hash:

d344219cdf67ca2902224dfaa2e98224

SHA1 hash:

10a96c279c505812124da69fee75b18cceb9e64d

Link:

https://www.unpac.me/results/3c182672-9fb4-4b56-960d-5710549bf2cf/

SH256 hash:

0ae7e07ee3cccdeabca62f269707faf7b33510824a1bb207c9c75b3599202e31

MD5 hash:

955b6cc71d04b0ec8a412e9f4e48be08

SHA1 hash:

86365c21466979c60868165a377141dba4dac33b

Link:

https://www.unpac.me/results/3c182672-9fb4-4b56-960d-5710549bf2cf/

SH256 hash:

188b761d7dcaa76f11517e1f1675487d6127d0d942b20a56a5ea4127395c571b

MD5 hash:

963bc16dc6f4b1372c6cc999cd434d2b

SHA1 hash:

7c99842b77533063b7fe57f787849e84084566fe

Link:

https://www.unpac.me/results/3c182672-9fb4-4b56-960d-5710549bf2cf/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/188b761d7dca/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/188b761d7dcaa76f11517e1f1675487d6127d0d942b20a56a5ea4127395c571b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/25750/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample