MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2226d275fd8186f1b0c51908cdc8c75a374339f9515d950c6c73aabbe9127108. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2226d275fd8186f1b0c51908cdc8c75a374339f9515d950c6c73aabbe9127108
SHA3-384 hash: 09da5cf307df502c2de376e8a0f221f3fe4bc4a5d2ff25b7380d0c065fb4829266dab76d769b7c26f7a2ce7946c76b2d
SHA1 hash: 4e97c1259406c04ad37364eaa8664f5343ead8b8
MD5 hash: 02061468867d1c6ccc322bef11eff812
humanhash: oscar-yankee-carolina-mirror
File name:08162023.eml.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:966'656 bytes
First seen:2023-08-16 13:13:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:aZnDrtz9dmtT7r6K2SmuBZ7y9wkrwWBoCGQfw1EGi2mmcma/nh/hk8g/XLBC3f80:aZtJdmZWhHBBo626nNuXYP4E
Threatray 406 similar samples on MalwareBazaar
TLSH T1DB25E1A272FC47A7E02F80B656247113AFB2A5BB5166E5C57CCE11E58F86F811A03F13
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 006868cccc686800 (8 x AgentTesla, 4 x Formbook, 1 x DarkCloud)
Reporter James_inthe_box
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
08162023.eml.exe
Verdict:
Malicious activity
Analysis date:
2023-08-16 13:18:00 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/bc2c2371-8156-4ef6-9f57-dfcc765a1f7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkCloud
Create hunting rule
Link:
https://www.capesandbox.com/analysis/443046/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.DownloaderNET.316.19884.12144.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/2226d275fd8186f1b0c51908cdc8c75a374339f9515d950c6c73aabbe9127108
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1856a5a0-7673-41b5-8683-325437400286
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1292146
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Writes or reads registry keys via WMI
Yara detected AntiVM3
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1292146 Sample: 08162023.eml.exe Startdate: 16/08/2023 Architecture: WINDOWS Score: 100 27 api.telegram.org 2->27 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 4 other signatures 2->39 7 boone.exe 3 2->7         started        10 boone.exe 2 2->10         started        12 08162023.eml.exe 3 2->12         started        signatures3 process4 signatures5 41 Multi AV Scanner detection for dropped file 7->41 43 Writes or reads registry keys via WMI 7->43 14 boone.exe 10 7->14         started        45 Injects a PE file into a foreign processes 10->45 16 boone.exe 10 10->16         started        19 08162023.eml.exe 1 12 12->19         started        23 08162023.eml.exe 12->23         started        process6 dnsIp7 31 Tries to harvest and steal browser information (history, passwords, etc) 16->31 29 api.telegram.org 149.154.167.220, 443, 49705, 49706 TELEGRAMRU United Kingdom 19->29 25 C:\Users\user\AppData\Roaming\...\boone.exe, PE32 19->25 dropped file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2226d275fd8186f1b0c51908cdc8c75a374339f9515d950c6c73aabbe9127108/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-08-16 06:10:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eitne5p5qgdpdmgfdeem3sghli3ugopzkfozkddmoovlx2isoeea._file
Verdict:
malicious
Similar samples:
0ba8b0616ca5557b8757e20eb42437aa439606de5ca3598c6a9bb7e48fddc915
DarkCloud
3e4c08f6c576544f406c83ea2361fadddc27361044b615e391fff3d9bf4e4ca2
DarkCloud
50671a5bf0d58b9a8aa7fd42a637c27d6db8f2e35a6a1faef249a7b6a779fcb1
DarkCloud
571cc0498824bbf035b1291c9dc08726c93a943411a21659916d2ed27e6fa3f0
DarkCloud
9d16f030796c701a2fc2481bf376df82914d34581547795b81154e3f249f1549
DarkCloud
a0fef35dfcd0a26bab66af912e02360f499d55297f9ce71c55abd9ef180305c8
DarkCloud
a540f9417751bf4d120f8c586b55961dd659ecab3045ac112c0057287d4816a2
DarkCloud
d56fba09ff195114fdf8404435b83e2b9e49193e9e97afc3adef35610714462c
DarkCloud
f43fa3268bd5d31fd1dd0f34207786c10239b21868da3a8a9c3952c371330f80
DarkCloud
+ 396 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230816-qgmrysba69/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/5ac34462-9b93-4739-96c3-74ebe7fab7ef/
SH256 hash:
50e10103a0d99ac4838f6018cc31223e698e685a0d432c13fdb22112adf1debf
MD5 hash:
5df22ff6b00157a3a9d678033fc8480f
SHA1 hash:
92a99acec6e9ccfef576094e4eafb5552e66d4d8
Detections:
darkcloudstealer
Create hunting rule
Link:
https://www.unpac.me/results/5ac34462-9b93-4739-96c3-74ebe7fab7ef/
SH256 hash:
602eb07bcd0e57c8614940f9b11d2c21fc58ad427e350b96c7c2e1a8134b6960
MD5 hash:
27468444cee23133e10c86a6f5680b14
SHA1 hash:
f8aa56eab97395eee3aa00a27cb8cddcc2df71e3
Link:
https://www.unpac.me/results/5ac34462-9b93-4739-96c3-74ebe7fab7ef/
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/5ac34462-9b93-4739-96c3-74ebe7fab7ef/
SH256 hash:
b26a7e88c2fc5a6dbf3e1f5d8ac59c4579b3b9047f462c5cb7ee79548fa18da9
MD5 hash:
06dc1333af7361fb9ebebe5c4dbe58e4
SHA1 hash:
1adadf881904c5370e96c0a566085cf3c83ca8d0
Link:
https://www.unpac.me/results/5ac34462-9b93-4739-96c3-74ebe7fab7ef/
SH256 hash:
2226d275fd8186f1b0c51908cdc8c75a374339f9515d950c6c73aabbe9127108
MD5 hash:
02061468867d1c6ccc322bef11eff812
SHA1 hash:
4e97c1259406c04ad37364eaa8664f5343ead8b8
Link:
https://www.unpac.me/results/5ac34462-9b93-4739-96c3-74ebe7fab7ef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2226d275fd8186f1b0c51908cdc8c75a374339f9515d950c6c73aabbe9127108

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/443046/

Comments