MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9
SHA3-384 hash: 5f420d1dd1e705e5b29794db91a61dbe16df6cb8d697c73ab3024e77c053f1eb856c853c0c763dbfc27df07a64bcb51a
SHA1 hash: bc4ac9ef640a74fcf240f14def4948ec6e9346c4
MD5 hash: e1f944688e00a6753e1dfa4e5d8a7670
humanhash: bakerloo-emma-black-summer
File name:e1f944688e00a6753e1dfa4e5d8a7670
Download: download sample
Signature DarkCloud
Create hunting rule
File size:3'135'488 bytes
First seen:2023-07-25 03:59:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:V5KrtzH/iYOdy9HQUtiImGqPPUPJp6XdCGQV3JfIR:CrxH/iYV9VeGqPPsT6UvrQR
Threatray 26 similar samples on MalwareBazaar
TLSH T122E51267FA6F5BCCFADA0FE90357D3801792A80E5D4DBE036C897131BAE2A50E116543
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 71f0ccaa888ec8f0 (1 x DarkCloud, 1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order PO 5405748 July..pdf
Verdict:
Malicious activity
Analysis date:
2023-07-18 21:51:50 UTC
Tags:
darkcloud stealer
Link:
https://app.any.run/tasks/a89d2881-b9a1-4c99-965a-7eea0363d646

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/431832/
Detection(s):
SecuriteInfo.com.Variant.Ransom.Loki.8883.6854.25455.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Restart of the analyzed sample
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a window
Creating a process from a recently created file
Running batch commands
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2098f291-1910-41e8-8668-c6fad296cd14
Result
Threat name:
DarkCloud, Redline Clipper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1278788
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Redline Clipper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1278788 Sample: ClYPrPEkyJ.exe Startdate: 25/07/2023 Architecture: WINDOWS Score: 100 83 Found malware configuration 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 Antivirus / Scanner detection for submitted sample 2->87 89 8 other signatures 2->89 8 ClYPrPEkyJ.exe 4 2->8         started        12 chrome.exe 1 2->12         started        14 GLqLto.exe 2->14         started        16 2 other processes 2->16 process3 file4 79 C:\Users\user\AppData\Local\Temp\chrome.exe, PE32 8->79 dropped 81 C:\Users\user\AppData\...\ClYPrPEkyJ.exe.log, ASCII 8->81 dropped 101 Adds a directory exclusion to Windows Defender 8->101 103 Writes or reads registry keys via WMI 8->103 105 Injects a PE file into a foreign processes 8->105 18 ClYPrPEkyJ.exe 6 8->18         started        22 chrome.exe 8->22         started        24 cmd.exe 3 8->24         started        30 2 other processes 8->30 107 Antivirus detection for dropped file 12->107 109 Multi AV Scanner detection for dropped file 12->109 111 Machine Learning detection for dropped file 12->111 26 chrome.exe 4 12->26         started        32 3 other processes 12->32 34 2 other processes 14->34 28 chrome.exe 16->28         started        36 7 other processes 16->36 signatures5 process6 file7 69 C:\Users\user\AppData\RoamingbehaviorgraphLqLto.exe, PE32 18->69 dropped 71 C:\Users\user\...behaviorgraphLqLto.exe:Zone.Identifier, ASCII 18->71 dropped 73 C:\Users\user\AppData\Local\...\tmp10F2.tmp, XML 18->73 dropped 91 Adds a directory exclusion to Windows Defender 18->91 93 Injects a PE file into a foreign processes 18->93 42 3 other processes 18->42 95 Multi AV Scanner detection for dropped file 22->95 97 Machine Learning detection for dropped file 22->97 38 chrome.exe 2 22->38         started        75 C:\Users\user\AppData\Roaming\...\chrome.exe, PE32 24->75 dropped 77 C:\Users\user\...\chrome.exe:Zone.Identifier, ASCII 24->77 dropped 40 conhost.exe 24->40         started        45 2 other processes 26->45 47 2 other processes 28->47 99 Uses schtasks.exe or at.exe to add and modify task schedules 30->99 49 3 other processes 30->49 51 4 other processes 32->51 53 3 other processes 34->53 55 10 other processes 36->55 signatures8 process9 signatures10 57 conhost.exe 42->57         started        59 conhost.exe 42->59         started        61 conhost.exe 45->61         started        113 Tries to harvest and steal browser information (history, passwords, etc) 47->113 63 conhost.exe 47->63         started        115 Writes or reads registry keys via WMI 49->115 117 Tries to steal Crypto Currency Wallets 53->117 65 conhost.exe 53->65         started        67 conhost.exe 55->67         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-07-18 14:13:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
22 of 24 (91.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fkf6wtzcor7t2l3mzbi7y4hgr2cqdq6ydwng4yax2n7fs4jjqtuq._file
Verdict:
malicious
Similar samples:
0bb46de35c85fdcf18501978947bcff14943162662f70134eb00442d837273e9
DarkCloud
33922643495d4d3436142b57efe5a2023c23954f338e6633a861ba0afdf6ddd2
DarkCloud
3752671d8ecafe3de17f8ec3a30ef23f137d8c3cd62683a13f6e9a56db5db4f4
DarkCloud
52c57b48d18cc204ce5703306dcf0f036539f6c4503bc9831c584a0245c1f070
DarkCloud
56ad658ef29551d86add3dc7f16538402f1d894ec746bdf14444a4b01deabda4
DarkCloud
6b6b0c127f7e29383aeb93e5fe487e7dba752c8e8a9aebd544e26975d684e400
DarkCloud
80d6d2c92cecab658cfbeb75c1735f4379d63a19d6a9c3637a17b58a2bb8788d
DarkCloud
8510b99e4bd38e8adcd3092d7e9a9ac23014efa2a5ff96ad0f971da1dbe6d532
DarkCloud
8615a11492e27f4a2d4b3028ef8a94f179d7e4b2f8d81f3088172378db2e9df2
DarkCloud
9b8a796bf8ad5cfa6f9faae6430ed652538433b25f68be842c673cf343854bed
DarkCloud
+ 16 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230725-ekm2caah5w/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
DarkCloud
Malware Config
C2 Extraction:
https://api.telegram.org/bot6398598832:AAHm_-Bk4WvgvnFiJw5HCNBQ9z3BfEFNArM/sendMessage?chat_id=5713547588
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/970f49b4-b817-4931-a562-d8efff144044/
SH256 hash:
8c21274f725299022fbf415925210da65702198913c4713dfe5dda09ceb2d38a
MD5 hash:
6741d00c206f685140fd9cd0957aaaa8
SHA1 hash:
8e2da1453a6001aef807661db6940b1703846890
Link:
https://www.unpac.me/results/970f49b4-b817-4931-a562-d8efff144044/
SH256 hash:
21b159198f0f71c7d0cf0d8b6ed02a1e561287546b1fe55ecb16b60314bdef81
MD5 hash:
5ee18fca78e11e05ad2cb113a0f9cd68
SHA1 hash:
eef85a313abf4823daa04fd51a34e81743dd57cc
Link:
https://www.unpac.me/results/970f49b4-b817-4931-a562-d8efff144044/
SH256 hash:
3f68cc843eb3b2a764dc02355e2e3f97dce8f1164d6f18a4f77e850410dfc137
MD5 hash:
60126f10641986bbcefca9ed6159994b
SHA1 hash:
df584155d49b10805f1f0d81a758e98b23990815
Link:
https://www.unpac.me/results/970f49b4-b817-4931-a562-d8efff144044/
SH256 hash:
2e6fa64d91f5c0430606b9050429e53cea1c96d9f321974f0d50874bb75ee16e
MD5 hash:
29debac50bd3f6ff9f46304fd1a9043b
SHA1 hash:
c05df90a0ceb05c4dc6001082ce0ffaa44065a6f
Detections:
darkcloudstealer_loader
Create hunting rule
Link:
https://www.unpac.me/results/970f49b4-b817-4931-a562-d8efff144044/
SH256 hash:
c1796a8cf6be4b31342d3ba730ee278132be920a0b0946531edfd5d3ab2415ef
MD5 hash:
594173a93a04d2b9ed53ee505a9d418b
SHA1 hash:
f2c5e775bf98475700c428dd92c2d25ee330e96b
Link:
https://www.unpac.me/results/970f49b4-b817-4931-a562-d8efff144044/
SH256 hash:
dbeb4e4b4d92ebb967aead8bab17db081615039e5c6137fbc8dff8118de1a3c4
MD5 hash:
1fec2ac5c10ec1b4e8330de3e2ec0115
SHA1 hash:
457e96de3aafa65b5f7a32d7888adea1285a15c4
Link:
https://www.unpac.me/results/970f49b4-b817-4931-a562-d8efff144044/
SH256 hash:
efcda1f87b644bd29cfb7e25fa73dfd8e2a25dc637f87bbb1992c1a111a6a324
MD5 hash:
e91b3792973ff304ee75fd7c70c89bfa
SHA1 hash:
2224e2863458f70d53973c9c987d250783ea4ea5
Link:
https://www.unpac.me/results/970f49b4-b817-4931-a562-d8efff144044/
SH256 hash:
2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9
MD5 hash:
e1f944688e00a6753e1dfa4e5d8a7670
SHA1 hash:
bc4ac9ef640a74fcf240f14def4948ec6e9346c4
Link:
https://www.unpac.me/results/970f49b4-b817-4931-a562-d8efff144044/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkCloud

Executable exe 2a8beb4f22747f3d2f6cc851fc70e68e8501c3d81d9a6e6017d37e59712984e9

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/431832/
  
URLhaus
https://urlhaus.abuse.ch/url/2689410/

Comments


Avatar
zbet commented on 2023-07-25 03:59:48 UTC

url : hxxps://payorderreceipt.info/scano/scania54646.exe