MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e7bec6e211e8cd375a52939396d844622a93c487758a9e6dae6ed8733ceda9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 15


Intelligence 15 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e7bec6e211e8cd375a52939396d844622a93c487758a9e6dae6ed8733ceda9e
SHA3-384 hash: e0d67a3fc627ff4c8059ead5e3aeb83b4e77998217ed73694dd5f3c78968318c20008e44eb6b39591a2ce985b774085a
SHA1 hash: aa245e7abb445325d127a551a316b1d9c9d2aca7
MD5 hash: d33e029670979b9b113f5e019fd7c89c
humanhash: may-green-november-violet
File name:Q-Specification#107287.pdf (189K).scr
Download: download sample
Signature DarkCloud
Create hunting rule
File size:857'088 bytes
First seen:2024-01-22 17:04:17 UTC
Last seen:2024-01-22 18:27:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:QvcfkIOldtSlQ5od3dI+6csqNpzZuV3NLrq0Wxjrx+dZjJD05I3J2Y:7fkrl2fdIvqgV3w/trx+pQcJD
Threatray 610 similar samples on MalwareBazaar
TLSH T17705E039E3948538EDE64A34F97A48141ABCE7DA1C02E75B3E8F607D79977170223A34
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 4c3cf2ca84a4c4e0 (7 x AgentTesla, 2 x Loki, 1 x NanoCore)
Reporter cocaman
Tags:DarkCloud exe QUOTATION scr

Intelligence

File Origin
# of uploads :
2
# of downloads :
335
Origin country :
CH CH
Vendor Threat Intelligence
Detection:
DarkCloud
Create hunting rule
Link:
https://www.capesandbox.com/analysis/472336/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.31372.9873.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/65aea042eda27a7ac1ff3feb/reports/b638a96f-9348-4d47-99e3-4fec6e6952ba/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/1e7bec6e211e8cd375a52939396d844622a93c487758a9e6dae6ed8733ceda9e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/03780a2e-f954-4fc9-9e75-aeb2f744f83e
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1378921
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1e7bec6e211e8cd375a52939396d844622a93c487758a9e6dae6ed8733ceda9e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e7bec6e211e8cd375a52939396d844622a93c487758a9e6dae6ed8733ceda9e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-01-22 17:04:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
11 of 38 (28.95%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dz56y3rbd2gng5nffe4ts3meiyrkspcio5mktzw243wyom6o3kpa._file
Verdict:
malicious
Similar samples:
13f500cb766e4c37869fb3286cbefb2c2ecefb4a799ef7e5723f574a842d5647
DarkCloud
1e7bec6e211e8cd375a52939396d844622a93c487758a9e6dae6ed8733ceda9e
DarkCloud
3b30d701c4a16466458275c153de993a673df2ecd4691d6e664d934cfef1d56e
DarkCloud
80e12c2425ec7b8aa8913df82bd47c0c1a62f6539df22b6bf1ddab8b1694e3e8
DarkCloud
becd887276df85a4eea5b2837327ee6eea59f0f7579f7894a8307e4681b9b5d4
DarkCloud
dc13c362ff576c7b7733c08175dd2f581ffd40aeb8b090823c18f04ece12ca01
DarkCloud
+ 600 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/240122-vlttaaaghj/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/b920a5b0-d2a9-4982-a64f-7e39f7211218/
SH256 hash:
e54ec799141a8159e04135402b664fa176caebd3e98aae6969764b3282c6df4d
MD5 hash:
10b9ced6be212b94f4553abda0cc1141
SHA1 hash:
3f9336e6f74221c8d182b64cdee9d680af25d288
Detections:
darkcloudstealer
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Link:
https://www.unpac.me/results/b920a5b0-d2a9-4982-a64f-7e39f7211218/
SH256 hash:
42e162106371e9662734f85a11bcc33e55c6835e488475164eed2a7c4a3ea3c7
MD5 hash:
7261dbe203655437459c1f915fae4f90
SHA1 hash:
e9d855783e0c0241b93b8fe901e6f586fcbf6723
Link:
https://www.unpac.me/results/b920a5b0-d2a9-4982-a64f-7e39f7211218/
SH256 hash:
45c7b64a55dca23ee1239649e03a7c361813dbcfc2a0817b0d8e94c907d6ed4b
MD5 hash:
fb1bc19121c4e190d83672bc71b493f0
SHA1 hash:
c3488b969ba578e28ee360be24b6416425a224a0
Link:
https://www.unpac.me/results/b920a5b0-d2a9-4982-a64f-7e39f7211218/
SH256 hash:
1e7bec6e211e8cd375a52939396d844622a93c487758a9e6dae6ed8733ceda9e
MD5 hash:
d33e029670979b9b113f5e019fd7c89c
SHA1 hash:
aa245e7abb445325d127a551a316b1d9c9d2aca7
Link:
https://www.unpac.me/results/b920a5b0-d2a9-4982-a64f-7e39f7211218/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1e7bec6e211e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e7bec6e211e8cd375a52939396d844622a93c487758a9e6dae6ed8733ceda9e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_DarkCloud
Create hunting rule
Author:ditekSHen
Description:Detects DarkCloud infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:Windows_Trojan_DarkCloud_9905abce
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

rar bb05df923d78b810abb650a138f411f2ba5cc2ac628f76ed67cd7ea3254ca58d

DarkCloud

Executable exe 1e7bec6e211e8cd375a52939396d844622a93c487758a9e6dae6ed8733ceda9e

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 bb05df923d78b810abb650a138f411f2ba5cc2ac628f76ed67cd7ea3254ca58d
Cape
Cape
https://www.capesandbox.com/analysis/472336/
  
Dropped by
MD5 5b8d78968c989c9b1ab8eccf22fcd58e

Comments