MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c2ca8d1a75eef32da01814983a7a3dbddff14915ae96346af68dc29c65db7ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c2ca8d1a75eef32da01814983a7a3dbddff14915ae96346af68dc29c65db7ea
SHA3-384 hash: 61e5e7865762779472b3b2a74cb0f9046b97749bdf9660ea039b5ab605163dc7a6f05f1fc41b5e79d0e56c32f27ec3e4
SHA1 hash: 65f0b0f038f3969d5080ec79ce559093b217c467
MD5 hash: dc8adcc624f9599d45e5e3b63411e4c7
humanhash: high-freddie-delaware-white
File name:ABP Overdue.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:940'032 bytes
First seen:2024-01-23 15:30:57 UTC
Last seen:2024-01-25 17:11:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:mlUgySozdUd283S5qgkFCxjI4s+gGL+i7vJ0TG/r7jam+VM/NwNVJdPFZdVBo6U1:8mFudCDkFCx84OG9Brj7emT/NCVJdz
Threatray 426 similar samples on MalwareBazaar
TLSH T1E015CEACB250B5DFC817CD7ACA942C64AA11787B930BD203A06325D9DE2DA97DF111F3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e0e4a2aaa4b8a888 (10 x DarkWatchman, 5 x SnakeKeylogger, 5 x Formbook)
Reporter malwarelabnet
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
400
Origin country :
CA CA
Vendor Threat Intelligence
Detection:
DarkCloud
Create hunting rule
Link:
https://www.capesandbox.com/analysis/472531/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Win32.PWSX-gen.20713.18876.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65afdbbaf3cf17c17b76e537/reports/5b5df39a-acfb-48c8-ab6c-b6c9f2a55712/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/2c2ca8d1a75eef32da01814983a7a3dbddff14915ae96346af68dc29c65db7ea
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8d235830-7d8e-4c48-8bf0-9a45436ecefd
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1379628
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected AntiVM3
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1379628 Sample: ABP_Overdue.exe Startdate: 23/01/2024 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus / Scanner detection for submitted sample 2->40 42 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->42 44 7 other signatures 2->44 7 ABP_Overdue.exe 7 2->7         started        11 VpfYGImQGmj.exe 5 2->11         started        process3 file4 34 C:\Users\user\AppData\...\VpfYGImQGmj.exe, PE32 7->34 dropped 36 C:\Users\user\AppData\Local\...\tmpF918.tmp, XML 7->36 dropped 46 Detected unpacking (changes PE section rights) 7->46 48 Detected unpacking (overwrites its own PE header) 7->48 50 Uses schtasks.exe or at.exe to add and modify task schedules 7->50 58 3 other signatures 7->58 13 ABP_Overdue.exe 4 7->13         started        16 powershell.exe 22 7->16         started        18 powershell.exe 23 7->18         started        20 schtasks.exe 1 7->20         started        52 Antivirus detection for dropped file 11->52 54 Multi AV Scanner detection for dropped file 11->54 56 Machine Learning detection for dropped file 11->56 22 VpfYGImQGmj.exe 11->22         started        24 schtasks.exe 11->24         started        26 VpfYGImQGmj.exe 11->26         started        signatures5 process6 signatures7 60 Found many strings related to Crypto-Wallets (likely being stolen) 13->60 28 conhost.exe 16->28         started        30 conhost.exe 18->30         started        62 Tries to harvest and steal browser information (history, passwords, etc) 22->62 32 conhost.exe 24->32         started        process8
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2c2ca8d1a75eef32da01814983a7a3dbddff14915ae96346af68dc29c65db7ea
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2c2ca8d1a75eef32da01814983a7a3dbddff14915ae96346af68dc29c65db7ea/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-01-21 02:25:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fqwkrunhl3xtfwqbqfeyhj5d3po76ferlluwgrvpndoctrs5w7va._file
Verdict:
malicious
Similar samples:
1e7bec6e211e8cd375a52939396d844622a93c487758a9e6dae6ed8733ceda9e
DarkCloud
6e94f38fee814023e77c4f2f3f718fd0bdf456974fb7742c03ee17dd2054050c
DarkCloud
9260c7129dfe3802fc03d7bd51989b28ec80636aa9d22258a1fc29af13323034
DarkCloud
ae3e90aef418f7299c1ec1c976f6c9e5b09e831a1a28ca42f6259e1bd727533e
DarkCloud
f746ed45af2d73fae31d7c7b26b365377aa7d8bc97a12b9583502797c71502f1
DarkCloud
+ 416 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/240123-sx2bdsbegp/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/1e50c5c6-de9b-4825-a7ab-efc65e536803/
SH256 hash:
7b06e0420e94f090fabc330dbe41fff6785ca104e60a2ba3a24dfca29273198e
MD5 hash:
a3731744d51e4511d4059dd1275b351c
SHA1 hash:
720897a41711c2b51c4efc54fb1b4ffad51417c4
Detections:
darkcloudstealer
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Link:
https://www.unpac.me/results/1e50c5c6-de9b-4825-a7ab-efc65e536803/
SH256 hash:
637db0b5d138bdd9ae7b1145805afabe011faa9ee9f0670d849320bd9dc30365
MD5 hash:
1752a403b7ea2718a500b8893689ec49
SHA1 hash:
fec1850fcf0a1ad0264ed7ca5bfa380897421ebb
Link:
https://www.unpac.me/results/1e50c5c6-de9b-4825-a7ab-efc65e536803/
SH256 hash:
2b4cf8b51c4caac8a17c239ce12f5722630e9358060986625b0eed5dd9e01017
MD5 hash:
81c9b6f9ce6e6cc93bf89a1218f12e86
SHA1 hash:
1e2b99b28fc38272b81bc336a66c2960259668b6
Link:
https://www.unpac.me/results/1e50c5c6-de9b-4825-a7ab-efc65e536803/
SH256 hash:
d15cbdff9309c01f1db4b80f807f47cdb133ffdd43c8cb2096ea95d9b98abb80
MD5 hash:
2f06c1cc1e3b68dc8bf3fd42c7d958f2
SHA1 hash:
1dd441a8c6d694bd6d717f64c4d94f565a23d969
Link:
https://www.unpac.me/results/1e50c5c6-de9b-4825-a7ab-efc65e536803/
SH256 hash:
2c2ca8d1a75eef32da01814983a7a3dbddff14915ae96346af68dc29c65db7ea
MD5 hash:
dc8adcc624f9599d45e5e3b63411e4c7
SHA1 hash:
65f0b0f038f3969d5080ec79ce559093b217c467
Link:
https://www.unpac.me/results/1e50c5c6-de9b-4825-a7ab-efc65e536803/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2c2ca8d1a75e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2c2ca8d1a75eef32da01814983a7a3dbddff14915ae96346af68dc29c65db7ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/472531/

Comments