MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c052f280518499f2bccb0395a93567ee0ca625904ce0bb5b5302ed55598cbbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkCloud

Vendor detections: 14

SHA256 hash: 2c052f280518499f2bccb0395a93567ee0ca625904ce0bb5b5302ed55598cbbd
SHA3-384 hash: 0698ce5981137e4c169488fd95f8fbb4a4c1183d171d4a255315d06e9910cca137405de1770332322d14ad72775e6e6f
SHA1 hash: cb2d6b07aa66706f8a899e3205b29aec36843569
MD5 hash: c05596dc6967d015d7bf0a57c027e428
humanhash: uncle-mobile-ink-sierra
File name: DHL AWB DOCUMENT.exe
Signature: DarkCloud
File size: 453'489 bytes
First seen: 2023-04-12 07:56:43 UTC
Last seen: 2023-04-12 08:35:56 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep: 12288:PY0AXIx8wDoZkj6BdLm4HcgHTd0BJfQSgrCo24:PY0+w8AodNeIZgJfQSgWob
Threatray: 50 similar samples on MalwareBazaar
TLSH: T1C0A4233423DFD16BCD324532603648B61FE0D85674E9EB0B23603FA5396A1D0E58EBA7
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: DarkCloud DHL exe Telegram

Intelligence

File Origin
# of uploads: 2
# of downloads: 285
Origin country: NL
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: DHL AWB DOCUMENT.exe
Verdict: Malicious activity
Analysis date: 2023-04-12 08:05:14 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour

MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: comodo nemesis overlay packed remcos shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DarkCloud
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample has a suspicious name (potential lure to open the executable)
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Generic Dropper
Yara detected Telegram RAT
Behaviour
Behavior Graph (ID 845303; sample DHL_AWB_DOCUMENT.exe; start date 12/04/2023; architecture WINDOWS; score 100). The rendered graph is not reproduced here; the process tree and signatures recoverable from it are:
  DHL_AWB_DOCUMENT.exe (submitted file): Multi AV Scanner detection for submitted file; Yara detected DarkCloud; Yara detected Telegram RAT; 4 other signatures
    drops C:\Users\user\AppData\Local\Temp\vdafy.exe (PE32)
    starts vdafy.exe and MpCmdRun.exe
  vdafy.exe (dropped file): Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Maps a DLL or memory area into another process; 2 other signatures
    starts two further vdafy.exe instances
  MpCmdRun.exe: starts conhost.exe
  vdafy.exe (child instance): Tries to harvest and steal browser information (history, passwords, etc)
Threat name: Win32.Trojan.Nemesis
Status: Malicious
First seen: 2023-04-12 01:39:00 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 16 of 36 (44.44%)
Threat level: 5/5
Result
Malware family: darkcloud
Score: 10/10
Tags: family:darkcloud stealer
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
DarkCloud Malware Config
C2 Extraction: https://api.telegram.org/bot6220925905:AAFbd3Et4YQi4C1WTvNkPbMsAOdz5c8giT0/sendMessage?chat_id=5463149861
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Author: ditekSHen
Description: Detects executables using Telegram Chat Bot

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
DarkCloud
Executable exe 2c052f280518499f2bccb0395a93567ee0ca625904ce0bb5b5302ed55598cbbd (this sample)
Delivery method: Distributed via e-mail attachment