MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 222af6984d043c3fcbf9d034f66f9d1042a4cf643acf7e2cfc65ec5c59e41dfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 222af6984d043c3fcbf9d034f66f9d1042a4cf643acf7e2cfc65ec5c59e41dfe
SHA3-384 hash: e4c9e93a21d7c7e919196d76de0b819dd4fd0adad560efa767aa9575584450e4a32a6b325558c6e249f9c64ed3425461
SHA1 hash: d7060b395bd7e2a4f86a0e5319ecdd6991c12822
MD5 hash: 9c6790a22678f0262c0283d290f27157
humanhash: connecticut-seven-vegan-lemon
File name:Dekont_20221215122557199,PDF.z.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'217'536 bytes
First seen:2022-12-15 15:23:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:+c5keR3xmKNBjnRuEAO33A25Ltmgd95ydTA1OJ:+skeDBjRj3x5LQgxa
Threatray 4'987 similar samples on MalwareBazaar
TLSH T17C45BE0AB1D84E19EB46EAF10650B5B136973FDD65DEAA3C4EE93F4D4032218DC242DE
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f0dc9eb69696c0f0 (12 x AgentTesla, 6 x Formbook, 3 x SnakeKeylogger)
Reporter abuse_ch
Tags:DarkCloud exe geo TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Dekont_20221215122557199,PDF.z.exe
Verdict:
Malicious activity
Analysis date:
2022-12-15 15:27:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6f8ea91c-995e-4237-910a-4a0ec13d43b4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/346696/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.48217.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/639b3c144aee845f49e5109c/reports/927e81a3-3091-4424-b2e9-bb095ec30f93/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c173efbc-4389-4cee-9543-350f2feaeff8
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1135119
Signature
Adds a directory exclusion to Windows Defender
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected AntiVM3
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 767848 Sample: Dekont_20221215122557199,PD... Startdate: 15/12/2022 Architecture: WINDOWS Score: 100 64 Malicious sample detected (through community Yara rule) 2->64 66 Sigma detected: Scheduled temp file as task from temp location 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 4 other signatures 2->70 7 Dekont_20221215122557199,PDF.z.exe 7 2->7         started        11 gnomelike.exe 5 2->11         started        13 gCgHVRNcJIbpGb.exe 3 2->13         started        15 gnomelike.exe 2->15         started        process3 file4 50 C:\Users\user\AppData\...\gCgHVRNcJIbpGb.exe, PE32 7->50 dropped 52 C:\...\gCgHVRNcJIbpGb.exe:Zone.Identifier, ASCII 7->52 dropped 54 C:\Users\user\AppData\Local\...\tmpA191.tmp, XML 7->54 dropped 56 C:\...\Dekont_20221215122557199,PDF.z.exe.log, ASCII 7->56 dropped 72 Drops PE files to the user root directory 7->72 74 Uses schtasks.exe or at.exe to add and modify task schedules 7->74 76 Adds a directory exclusion to Windows Defender 7->76 17 Dekont_20221215122557199,PDF.z.exe 1 8 7->17         started        21 powershell.exe 21 7->21         started        23 schtasks.exe 1 7->23         started        25 Dekont_20221215122557199,PDF.z.exe 7->25         started        78 Multi AV Scanner detection for dropped file 11->78 80 Machine Learning detection for dropped file 11->80 82 Writes or reads registry keys via WMI 11->82 27 gnomelike.exe 11->27         started        30 schtasks.exe 11->30         started        84 Injects a PE file into a foreign processes 15->84 32 schtasks.exe 15->32         started        34 gnomelike.exe 15->34         started        36 2 other processes 15->36 signatures5 process6 dnsIp7 58 simsekutu.com 5.2.85.41, 49704, 49705, 49707 ALASTYRTR Turkey 17->58 60 mail.simsekutu.com 17->60 46 C:\Users\user\AppData\...\gnomelike.exe, PE32 17->46 dropped 48 C:\Users\Public\vbsqlite3.dll, PE32 17->48 dropped 38 conhost.exe 21->38         started        40 conhost.exe 23->40         started        62 mail.simsekutu.com 27->62 86 Tries to harvest and steal browser information (history, passwords, etc) 27->86 42 conhost.exe 30->42         started        44 conhost.exe 32->44         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/222af6984d043c3fcbf9d034f66f9d1042a4cf643acf7e2cfc65ec5c59e41dfe/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-12-15 15:24:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eivpngcnaq6d7s7z2a2pm345cbbkjt3ehlhx4lh4mxwfywpedx7a._file
Verdict:
malicious
Similar samples:
1178534bbcdade87eb65a5b8dc7ff6d0bca0a28c946a90914363bbf2c3e367c7
DarkCloud
2244c1910eec55c85a115fa27cfbc558ecbee563441065ba45656b68e3c8cdb9
DarkCloud
32689f7a963dbea9368bfbd0df3c10a6df56d41265cc06f99af841565571fc67
DarkCloud
57bb37f739400f1fbd0e96ffddf4c85e5c0c5eadad50cc9315dffed750e9fe7a
DarkCloud
64e04b8bc093e2dbc49cd2ed382369a4ec0c78de9054cb8f747137c578a941e3
DarkCloud
74f7661ce543ece586c81b95a2ee3174ca65e17369a90bb6522aa1cd34524754
DarkCloud
755c44b90198282d2494321b4cb18cab7e4426efd1b7f4a20f2a0793d68a2a1f
DarkCloud
7a3bf5061d01328b4ab67e28dcc57abab27783b7ec94f432ce81376e17e146d2
DarkCloud
d6bfda96996e156537354738e29438d268acd7c7b7ca5f60a0771223d9b16394
DarkCloud
eb82da7a94a49478cb961e56e30e0badff98728c9c80dfbcea76eba90ba55e78
DarkCloud
+ 4'977 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/221215-ss2flacf79/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
DarkCloud
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/de4aff92-60bb-4b7d-bb6b-8b0337ac863b
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/a4c0bc48-8389-4b4d-be9b-d6d07b53c16f/
SH256 hash:
9e75f3a5af40bde221c57e54e790300c8979d15628d663525de01411b34d0d58
MD5 hash:
c42f47eff109eb8a99cac91689b93ff3
SHA1 hash:
5ef273b2e77609017182179351e5ff682ad912cd
Link:
https://www.unpac.me/results/a4c0bc48-8389-4b4d-be9b-d6d07b53c16f/
SH256 hash:
50a3c76c8ccb16e5b07973bc7247e5471e08f8f4ce5550fc814eaf4bdd7fe0f4
MD5 hash:
8d1475e460c2e86d009abad1e408ce1e
SHA1 hash:
a17deefe8a4130db3634901bf71f796852017ecd
Link:
https://www.unpac.me/results/a4c0bc48-8389-4b4d-be9b-d6d07b53c16f/
SH256 hash:
4908c3bc047af6bb088591c2cf2f014fefc8b7f511912dfe5e3ff01ad808b7cf
MD5 hash:
fa6f3b2cd7f31a939cfc6d4fbc51ab63
SHA1 hash:
7aad3e73b0e204edee8d569285b7a9a17521fd3e
Link:
https://www.unpac.me/results/a4c0bc48-8389-4b4d-be9b-d6d07b53c16f/
SH256 hash:
7bb9ad94ebfc5203574b0356ad74197e98e7e51999313ac6beae655828ec4051
MD5 hash:
b51dd3437a60179b464d07f8633f4ca5
SHA1 hash:
5568acc29fa8db947a04669a68a4c7551c9adf7e
Link:
https://www.unpac.me/results/a4c0bc48-8389-4b4d-be9b-d6d07b53c16f/
SH256 hash:
340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3
MD5 hash:
85f9290aa8900e9fd74b01ee23125706
SHA1 hash:
310eb5e4aea5471b74a6385f1da283b9d8e3d698
Link:
https://www.unpac.me/results/a4c0bc48-8389-4b4d-be9b-d6d07b53c16f/
SH256 hash:
222af6984d043c3fcbf9d034f66f9d1042a4cf643acf7e2cfc65ec5c59e41dfe
MD5 hash:
9c6790a22678f0262c0283d290f27157
SHA1 hash:
d7060b395bd7e2a4f86a0e5319ecdd6991c12822
Link:
https://www.unpac.me/results/a4c0bc48-8389-4b4d-be9b-d6d07b53c16f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/222af6984d043c3fcbf9d034f66f9d1042a4cf643acf7e2cfc65ec5c59e41dfe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 222af6984d043c3fcbf9d034f66f9d1042a4cf643acf7e2cfc65ec5c59e41dfe

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/346696/

Comments