MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e1fdcae167977c46f32e97595733d7fc3bfd8ac9f9597333efb61dae9b4b4d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 15


Intelligence 15 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e1fdcae167977c46f32e97595733d7fc3bfd8ac9f9597333efb61dae9b4b4d2
SHA3-384 hash: 162e0d4d37f13f580f39aa19e0f97f6555d51ccdd8bba0ad3254bac5221a54d166ef6fe6603c27791e0e231e2a79ed15
SHA1 hash: 2c32a44f7bfc13ae11789a7338efb91acb5d83b5
MD5 hash: 2fef6194d43192e3b7e7e2255f7b416b
humanhash: pip-ink-oranges-finch
File name:SecuriteInfo.com.Win32.PWSX-gen.25840.32752
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'041'920 bytes
First seen:2023-08-29 12:29:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:ulLafHShlrSjM7GbvAjQDZXlSSxO7+iy2+dYZF:ulmHAV74ActfxO7cZcF
Threatray 164 similar samples on MalwareBazaar
TLSH T1DC25F12566F48A2AD4BF97F991A442100332BD27547FF35A89C074DB2FF1B420A1BB5B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 1d19094a5b2f371e (26 x AgentTesla, 4 x NanoCore, 4 x DarkCloud)
Reporter SecuriteInfoCom
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.25840.32752
Verdict:
Malicious activity
Analysis date:
2023-08-29 12:30:46 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/d5e96eff-3fed-4300-bbbb-22951ea0bb1a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkCloud
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445084/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.PWSX-gen.25840.32752.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64ede4cc5ec4a8623261a0dc/reports/111760d2-4953-426f-8fc5-a06f9c9b97b1/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/1e1fdcae167977c46f32e97595733d7fc3bfd8ac9f9597333efb61dae9b4b4d2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/406e0dc7-11d5-40f5-b6e9-111c666ab663
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1299479
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected AntiVM3
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1299479 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 29/08/2023 Architecture: WINDOWS Score: 100 55 showip.net 2->55 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Sigma detected: Scheduled temp file as task from temp location 2->65 67 7 other signatures 2->67 8 SecuriteInfo.com.Win32.PWSX-gen.25840.32752.exe 6 2->8         started        12 NWqiNxpkHvjw.exe 5 2->12         started        14 galloway.exe 2->14         started        16 galloway.exe 2->16         started        signatures3 process4 file5 51 C:\Users\user\AppData\...51WqiNxpkHvjw.exe, PE32 8->51 dropped 53 C:\Users\user\AppData\Local\...\tmp4696.tmp, XML 8->53 dropped 69 Uses schtasks.exe or at.exe to add and modify task schedules 8->69 71 Adds a directory exclusion to Windows Defender 8->71 73 Writes or reads registry keys via WMI 8->73 18 SecuriteInfo.com.Win32.PWSX-gen.25840.32752.exe 1 16 8->18         started        22 powershell.exe 23 8->22         started        24 schtasks.exe 1 8->24         started        75 Multi AV Scanner detection for dropped file 12->75 77 Machine Learning detection for dropped file 12->77 79 Injects a PE file into a foreign processes 12->79 26 schtasks.exe 1 12->26         started        35 2 other processes 12->35 28 schtasks.exe 14->28         started        30 galloway.exe 14->30         started        32 galloway.exe 16->32         started        37 2 other processes 16->37 signatures6 process7 dnsIp8 57 showip.net 162.55.60.2, 49766, 49773, 49778 ACPCA United States 18->57 49 C:\Users\user\AppData\...\galloway.exe, PE32 18->49 dropped 39 conhost.exe 22->39         started        41 conhost.exe 24->41         started        43 conhost.exe 26->43         started        45 conhost.exe 28->45         started        59 Tries to harvest and steal browser information (history, passwords, etc) 32->59 47 conhost.exe 37->47         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e1fdcae167977c46f32e97595733d7fc3bfd8ac9f9597333efb61dae9b4b4d2/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2023-08-28 19:23:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dyp5zlqwpf34i3zs5f2zk4z5p7b37wfmt6kzomz67nq5v2nuwtja._file
Verdict:
malicious
Similar samples:
104de5c4e4680f719ba12dd72fd2f94e63f1eaee57eaa1cc39d90030e6df7d1f
DarkCloud
2226d275fd8186f1b0c51908cdc8c75a374339f9515d950c6c73aabbe9127108
DarkCloud
38c60a6428742188581a765d31ddd4f6e91869c4b1f11ffcfdbf01fa6226f1f1
DarkCloud
3e4c08f6c576544f406c83ea2361fadddc27361044b615e391fff3d9bf4e4ca2
DarkCloud
503599b3a2d298fa796e77097522ddb79245d65a95099890dda26a73ea273ac4
DarkCloud
6ec733375cbfab2bc5cb2c37a453a9384e3a5030aaac4f937b0c7ddedae32053
DarkCloud
a1ac3ca4a2a240944f653e984c31e8bb4c0edc7eb5f07331ed5b457c7d16e242
DarkCloud
a4d5963e0d2770194c439a2fa07da2dda5eeceb8eb5bb5c1b106cff178f4e624
DarkCloud
b3b433d78fc1a8de3271a6d8b1adda6d6ef0ad4356659c19dc6ade6646aa9835
DarkCloud
c50b2cc2b07a221eb18d0e11954c83e00485a4da7b77293e2dc8ddcae287c664
DarkCloud
+ 154 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230829-ppgegacd97/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
DarkCloud
Malware Config
C2 Extraction:
https://api.telegram.org/bot6028253602:AAFFbacUfiOxmvzuo36D6g83Flf23bpPXYA/sendMessage?chat_id=5954758350
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/a1ae5171-4c63-4303-ac46-5a48fd3d90e5/
SH256 hash:
1548545d9672bba1efca901130fbf75b20507e87fea1e4cea72c7e57e4452671
MD5 hash:
e104063d2cc2446fbde6195f46ca6a38
SHA1 hash:
f4590d1f3a25dda7a47da95aed27bdb4b63b6f1e
Detections:
darkcloudstealer
Create hunting rule
Link:
https://www.unpac.me/results/a1ae5171-4c63-4303-ac46-5a48fd3d90e5/
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/a1ae5171-4c63-4303-ac46-5a48fd3d90e5/
SH256 hash:
ebaf28744bfa555219d56440db49703efd0e1757e3e219eef119725b4f0090d5
MD5 hash:
13574c506380e6ec0da25e442099b8e4
SHA1 hash:
9900c86a1bb5a605e34de9a4167aa3b93225ec33
Link:
https://www.unpac.me/results/a1ae5171-4c63-4303-ac46-5a48fd3d90e5/
SH256 hash:
81fbec8120620bc05275ea5920a22bde25650f94adb5d202b2e833a7dd6c770d
MD5 hash:
0015cb3796856f76a79c81b9b2ef49b6
SHA1 hash:
75392699fd2a18f25187a8c448293a903f120ccd
Link:
https://www.unpac.me/results/a1ae5171-4c63-4303-ac46-5a48fd3d90e5/
SH256 hash:
1e1fdcae167977c46f32e97595733d7fc3bfd8ac9f9597333efb61dae9b4b4d2
MD5 hash:
2fef6194d43192e3b7e7e2255f7b416b
SHA1 hash:
2c32a44f7bfc13ae11789a7338efb91acb5d83b5
Link:
https://www.unpac.me/results/a1ae5171-4c63-4303-ac46-5a48fd3d90e5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e1fdcae167977c46f32e97595733d7fc3bfd8ac9f9597333efb61dae9b4b4d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_DarkCloud
Create hunting rule
Author:ditekSHen
Description:Detects DarkCloud infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/445084/

Comments