MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 194f755147e8c616d0218d1e1b4e1e0a5c9373edb5e295665ab46cecebc05a5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkCloud

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	194f755147e8c616d0218d1e1b4e1e0a5c9373edb5e295665ab46cecebc05a5a
SHA3-384 hash:	0813b11e0923434eed0f3857e8d7e5f4203084f86df601e2f29cbc837dc6bf0b92ac265b4d0472d5af491b385c9ce0ae
SHA1 hash:	3f273412895427167ce52d659fac3716536c876e
MD5 hash:	c5f4d7a0730518088702ef973e79512a
humanhash:	august-cat-william-finch
File name:	orden de cotización.exe
Download:	download sample
Signature	DarkCloud Create hunting rule
File size:	1'126'151 bytes
First seen:	2023-02-14 18:22:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep	24576:9TbBv5rUeTzLAXjXXRQFX8KZZMqZExRMa2tSim8BpM:XBvzUtQSDN2ftpM
Threatray	867 similar samples on MalwareBazaar
TLSH	T1583512027AC256B2D4731E366A7A6B10797D7A600FA9CFDF63D04A59E9312C0D6307F2
TrID	89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.5% (.EXE) Win64 Executable (generic) (10523/12/4) 2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter	abuse_ch
Tags:	DarkCloud exe

Intelligence

File Origin

# of uploads :

# of downloads :

184

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

orden de cotización.exe

Verdict:

Malicious activity

Analysis date:

2023-02-14 18:26:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/df754f45-0214-4607-b605-e6a0bd81c094

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/365940/

Detection(s):

Win.Dropper.Nanocore-9981431-0

Win.Dropper.Nanocore-9984645-0

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% subdirectories

Enabling the 'hidden' option for files in the %temp% directory

Launching a process

Creating a process from a recently created file

Creating a file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/69770/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm greyware nanocore overlay packed packed setupapi.dll shdocvw.dll shell32.dll

Link:

https://www.filescan.io/uploads/63ebd18a6ea97adc8fc21fb3/reports/518a0c87-59a4-4b9f-b2d6-0fa8b987a8f0/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/194f755147e8c616d0218d1e1b4e1e0a5c9373edb5e295665ab46cecebc05a5a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DarkCloud

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7b4d5830-e457-41eb-8b0b-ce0d8ea0d435

Result

Threat name:

DarkCloud

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1175474

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/194f755147e8c616d0218d1e1b4e1e0a5c9373edb5e295665ab46cecebc05a5a/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2023-02-14 15:07:27 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dfhxkukh5ddbnubbrupbwtq6bjojg47nwxrjkzs2wrwoz26aljna._file

Verdict:

malicious

DarkCloud

4505a80b468e6816046c95f93fa332409314ec77d790aa07ed68d4b481feed7b

DarkCloud

51ba2b6912305fd63c041dccff36db067314cab3f93227aaf21990801efa0b25

DarkCloud

60f3966c3a1984024b515a62c1dce029717182dc7a8c7e02b13bc9e5d366fb38

DarkCloud

64359ddf637e15b2f3f8e0360d23caf8d2d5d51680b8709bde3eaa392978043a

DarkCloud

6c50963cb2f68cba3949a030f3e9520c239f096d22de4f104670588758dd9d26

DarkCloud

6f4db9c0b9d6190016964bf3916c3f3a5b8f600ea4ed25955ddce5a45166bc0d

DarkCloud

ced55c9b4b3dba810dc674575818bb4d9dc828d3df6efee4a15d85ac24abd69b

DarkCloud

+ 857 additional samples on MalwareBazaar

Result

Malware family:

darkcloud

Score:

10/10

Tags:

family:darkcloud persistence stealer

Link:

https://tria.ge/reports/230214-w1f2eaef3y/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

DarkCloud

Unpacked files

SH256 hash:

3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a

MD5 hash:

94d1531b52774dce52a89e33646d5b1d

SHA1 hash:

29bf887b025b97bd7a9e1e261852ba824234a625

Link:

https://www.unpac.me/results/5d8fa84a-c7c9-4346-a78a-9146936c2dc4/

SH256 hash:

f885a40d63e46e455a4e8afeca78f8a4bb284b3dd9b6403e64c3ea53b142059c

MD5 hash:

d85213d4834ecb6724c1efd5fe73fbeb

SHA1 hash:

0ad545faeade168157d663789fece184a9294a9b

Link:

https://www.unpac.me/results/5d8fa84a-c7c9-4346-a78a-9146936c2dc4/

SH256 hash:

33a74363423eb0fc4e7b50c3213206d01b6351f9402afbee939ac9b65e7e6bba

MD5 hash:

b0066a0928d59f75e4431a004bb921ae

SHA1 hash:

46c84d923d692929d3e96c02feeee958ce7f2534

Link:

https://www.unpac.me/results/5d8fa84a-c7c9-4346-a78a-9146936c2dc4/

SH256 hash:

194f755147e8c616d0218d1e1b4e1e0a5c9373edb5e295665ab46cecebc05a5a

MD5 hash:

c5f4d7a0730518088702ef973e79512a

SHA1 hash:

3f273412895427167ce52d659fac3716536c876e

Link:

https://www.unpac.me/results/5d8fa84a-c7c9-4346-a78a-9146936c2dc4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/194f755147e8c616d0218d1e1b4e1e0a5c9373edb5e295665ab46cecebc05a5a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	sfx_pdb Create hunting rule
Author:	@razvialex
Description:	Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/365940/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample