MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32689f7a963dbea9368bfbd0df3c10a6df56d41265cc06f99af841565571fc67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkCloud


Vendor detections: 11



SHA256 hash: 32689f7a963dbea9368bfbd0df3c10a6df56d41265cc06f99af841565571fc67
SHA3-384 hash: 28dbaf37b7a6911d0f8c1333e9deb8d45496b454012449dd9290f8e155f8bab200d5aea3fd68cd706610429fa2935a49
SHA1 hash: 35d434ac92f05ddfb2b4a733b9f00215967ae603
MD5 hash: d0e387f55db27f73bc3728bde57b6af4
humanhash: alaska-seventeen-bluebird-skylark
File name: Halkbank_Ekstre_20221206_081244_137027,PDF.exe
Signature: DarkCloud
File size: 1'085'952 bytes
First seen: 2022-12-06 07:06:43 UTC
Last seen: 2022-12-06 08:35:32 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 24576:c5MtKU6/rG6wc1oZqh1YbuzxRlBzyu0fraROo:c56B6/HoA1Ybkx9N0fraRp
Threatray: 5'586 similar samples on MalwareBazaar
TLSH: T1E535292F4ED796C4EE3757F472458BB83EA2BB81A8515C096CA0B073007C53DAB3EA55
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: lowmal3
Tags: DarkCloud exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 177
Origin country: DE
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Halkbank_Ekstre_20221206_081244_137027,PDF.exe
Verdict: Malicious activity
Analysis date: 2022-12-06 07:28:53 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary may be suspicious or malicious.
Result
Threat name: BluStealer, DarkCloud
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected AntiVM3
Yara detected BluStealer
Yara detected DarkCloud
Behaviour
Behavior Graph (ID: 762063; sample: Halkbank_Ekstre_20221206_08...; start date: 06/12/2022; architecture: WINDOWS; score: 100)

Top-level signatures:
  Malicious sample detected (through community Yara rule)
  Sigma detected: Scheduled temp file as task from temp location
  Multi AV Scanner detection for submitted file
  6 other signatures

Process tree (graph node number in brackets; indentation shows parent/child):
  [7] Halkbank_Ekstre_20221206_081244_137027,PDF.exe
      dropped: C:\Users\user\AppData\Roaming\IrcIrSeg.exe (PE32)
      dropped: C:\Users\...\IrcIrSeg.exe:Zone.Identifier (ASCII)
      dropped: C:\Users\user\AppData\Local\...\tmp2B58.tmp (XML)
      dropped: Halkbank_Ekstre_20..._137027,PDF.exe.log (ASCII)
      signatures: Drops PE files to the user root directory; Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
      [18] Halkbank_Ekstre_20221206_081244_137027,PDF.exe
          network: simsekutu.com, 5.2.85.41, ports 49713, 49714, 49715 (ALASTYRTR, Turkey); mail.simsekutu.com
          dropped: C:\Users\user\AppData\...\gnomelike.exe (PE32)
          dropped: C:\Users\Public\vbsqlite3.dll (PE32)
      [22] powershell.exe
          [31] conhost.exe
      [24] schtasks.exe
          [33] conhost.exe
  [11] IrcIrSeg.exe
      network: 192.168.2.1 (unknown)
      signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes or reads registry keys via WMI
      [26] IrcIrSeg.exe
          network: mail.simsekutu.com
          signatures: Tries to harvest and steal browser information (history, passwords, etc)
      [29] schtasks.exe
          [35] conhost.exe
  [14] gnomelike.exe
  [16] gnomelike.exe
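The signatures above (the Sigma hit on a scheduled task imported from a temp file, the schtasks.exe and powershell.exe children, the Defender exclusion, and the PE copy dropped to C:\Users\user\AppData\Roaming\IrcIrSeg.exe) are the behaviours a SOC would want to turn into process-creation detections. The following is an added example, not MalwareBazaar's or any sandbox vendor's code: three rules run over constructed Sysmon-style events that mirror the process tree. The page shows which processes ran and what was dropped, not their command lines, so the command lines in the events (the /Create /XML arguments, the Add-MpPreference call) are assumed for illustration.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style) modelled on the
# sandbox process tree for this sample. Command lines are assumed: the page
# lists the processes and dropped files, not the arguments they were run with.
EVENTS = [
    {"pid": 7, "ppid": 1,
     "image": r"C:\Users\user\Desktop\Halkbank_Ekstre_20221206_081244_137027,PDF.exe",
     "cmdline": r'"C:\Users\user\Desktop\Halkbank_Ekstre_20221206_081244_137027,PDF.exe"'},
    {"pid": 22, "ppid": 7,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"'},
    {"pid": 24, "ppid": 7,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Updates\IrcIrSeg" /XML "C:\Users\user\AppData\Local\Temp\tmp2B58.tmp"'},
    {"pid": 11, "ppid": 1,
     "image": r"C:\Users\user\AppData\Roaming\IrcIrSeg.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\IrcIrSeg.exe"'},
    # Benign control: a task registered from an XML file outside any Temp directory.
    {"pid": 99, "ppid": 1,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"'},
]

# Task definition read from a .tmp file under %LOCALAPPDATA%\Temp.
TEMP_TASK_XML = re.compile(r'\\appdata\\local\\temp\\[^"\s]+\.tmp', re.I)
# An .exe sitting directly in %APPDATA% (no vendor subfolder).
ROAMING_ROOT_EXE = re.compile(r'^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$', re.I)

def image_name(event):
    return event["image"].rsplit("\\", 1)[-1].lower()

def rule_scheduled_task_from_temp(event):
    # Mirrors the Sigma hit on the page: schtasks.exe /Create importing its task
    # definition from a .tmp file in the user's Temp directory (tmp2B58.tmp above).
    cmd = event["cmdline"].lower()
    return (image_name(event) == "schtasks.exe"
            and "/create" in cmd and "/xml" in cmd
            and TEMP_TASK_XML.search(event["cmdline"]) is not None)

def rule_defender_exclusion(event):
    # "Adds a directory exclusion to Windows Defender": the usual vehicle is
    # PowerShell's Add-MpPreference -ExclusionPath. An -EncodedCommand variant
    # would have to be base64-decoded before this string match; not handled here.
    cmd = event["cmdline"].lower()
    return (image_name(event) in ("powershell.exe", "pwsh.exe")
            and "add-mppreference" in cmd and "-exclusionpath" in cmd)

def rule_exe_from_roaming_root(event):
    # The dropped copy lands directly in the Roaming root
    # (C:\Users\user\AppData\Roaming\IrcIrSeg.exe) rather than in a vendor
    # subfolder, which is where legitimately installed per-user software lives.
    return ROAMING_ROOT_EXE.match(event["image"]) is not None

RULES = {
    "scheduled_task_from_temp": rule_scheduled_task_from_temp,
    "defender_exclusion_added": rule_defender_exclusion,
    "exe_started_from_roaming_root": rule_exe_from_roaming_root,
}

def detect(events):
    """Return {pid: [rule names]} for every event matching at least one rule."""
    hits = {}
    for ev in events:
        matched = [name for name, rule in RULES.items() if rule(ev)]
        if matched:
            hits[ev["pid"]] = matched
    return hits

if __name__ == "__main__":
    for pid, rules in detect(EVENTS).items():
        print(pid, ", ".join(rules))
```

The three rules fire on pids 22, 24 and 11 and stay silent on the dropper itself (pid 7, started from the Desktop) and on the ProgramData control task; correlating them by parent pid (22 and 24 are both children of 7) is what turns three medium-confidence hits into one high-confidence incident.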
Threat name: ByteCode-MSIL.Trojan.Taskun
Status: Malicious
First seen: 2022-12-06 07:07:12 UTC
File Type: PE (.Net Exe)
Extracted files: 11
AV detection: 21 of 25 (84.00%)
Threat level: 5/5
Result
Malware family: darkcloud
Score: 10/10
Tags: family:darkcloud stealer
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
DarkCloud
Unpacked files
SHA256 hash: 3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash: 94d1531b52774dce52a89e33646d5b1d
SHA1 hash: 29bf887b025b97bd7a9e1e261852ba824234a625

SHA256 hash: 509567b7ff1fe8a4f690297f9767633dad8f48588d02f9429dbd32090774e6a0
MD5 hash: b80935d19fad50a348f8148d38b8a2ee
SHA1 hash: ff30e011d1bebd0d8cf3e32a6ecc66447c7a2c21

SHA256 hash: b903b19f9884e6fd39701e7216039d11e0cbac3bb52a1e21f3f16eb9fd2a7167
MD5 hash: d8a2b8f2a4ba9e10bb7ba26133b4a662
SHA1 hash: e2f45eefe90458ffc6a584372c234c7c024b8d11

SHA256 hash: 5f8c01f944607c58a0cc4032faa79e2c1fb8d1a1809bcd4f9175107429ef9773
MD5 hash: 52ba94dae97a9c3e631e238b333ed215
SHA1 hash: bb8911c3cd8a84d6f74086a163242a9c4f15813c

SHA256 hash: 88078b56ee5fa955d79d494f1ef1ea20bd982aa54c6ea3c67bebd8cd9812a235
MD5 hash: 6d2a1eaf2a3aa9a9815b112c2a5020d0
SHA1 hash: b48d322b48b885d34934815a2da30ad198239e65

SHA256 hash: 63e146bf041a0de62105e6b2a472bfb412b7a12fa2aedaaa8dc03daebac7593e
MD5 hash: db1fd1ef18f11735edc5b9cca475f94c
SHA1 hash: 112e53a9787694e0fbcd57300f470f214e806c8e

SHA256 hash: 32689f7a963dbea9368bfbd0df3c10a6df56d41265cc06f99af841565571fc67 (the submitted sample itself)
MD5 hash: d0e387f55db27f73bc3728bde57b6af4
SHA1 hash: 35d434ac92f05ddfb2b4a733b9f00215967ae603

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
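Both YARA hits here key on the imphash, and so does the imphash line in the file header (f34d5f2d4577ed6d9ceec516c1f5a744, shared with 48'740 AgentTesla, 19'599 Formbook and 12'241 SnakeKeylogger samples). Those counts are the caveat: TrID classifies this file as a CIL (.NET) executable, and a managed PE has exactly one native import, mscoree.dll!_CorExeMain, so every .NET binary produces that same imphash. The imphash is a fine pivot for native malware and close to useless for .NET stealers. The following is an added example, not MalwareBazaar's, pefile's or either YARA author's code: it implements the imphash algorithm over constructed import tables to show where the collision comes from. A .NET-style table hashed two ways yields one value while a native table yields another.

```python
import hashlib

# imphash as computed by pefile (the value MalwareBazaar lists): for each imported
# symbol, in import-table order, form "<dll>.<name>" with the DLL lower-cased and a
# trailing .dll/.ocx/.sys removed and the symbol lower-cased (imports by ordinal
# become "ord<N>"); join all entries with "," and take the MD5. pefile additionally
# maps ordinals of a few well-known DLLs (ws2_32, oleaut32) back to symbol names;
# that lookup table is omitted here.
STRIP_EXT = (".dll", ".ocx", ".sys")

def imphash(imports):
    """imports: list of (dll_name, symbol) pairs; symbol is a str or an int ordinal."""
    parts = []
    for dll, symbol in imports:
        dll = dll.lower()
        for ext in STRIP_EXT:
            if dll.endswith(ext):
                dll = dll[:-len(ext)]
                break
        name = "ord%d" % symbol if isinstance(symbol, int) else symbol.lower()
        parts.append("%s.%s" % (dll, name))
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()

# Constructed import tables (illustrative, not read from this sample).
# A managed executable carries a single native import: mscoree.dll!_CorExeMain.
DOTNET_IMPORTS = [("mscoree.dll", "_CorExeMain")]
DOTNET_IMPORTS_OTHER_CASE = [("MSCOREE.DLL", "_CorExeMain")]  # same table, different casing
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "WriteFile"),
    ("ADVAPI32.dll", "RegSetValueExW"),
    ("WS2_32.dll", 23),            # import by ordinal
]

PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"   # value listed on this page

def dotnet_stubs_collide():
    """True: any CIL binary with that single import hashes to the same imphash."""
    return imphash(DOTNET_IMPORTS) == imphash(DOTNET_IMPORTS_OTHER_CASE)

def native_differs():
    """A native import table, which actually varies per program, hashes differently."""
    return imphash(NATIVE_IMPORTS) != imphash(DOTNET_IMPORTS)

if __name__ == "__main__":
    cil = imphash(DOTNET_IMPORTS)
    print("CIL stub imphash :", cil, "(equals page value)" if cil == PAGE_IMPHASH else "(differs from page value)")
    print("native imphash   :", imphash(NATIVE_IMPORTS))
```

For a .NET sample, pivot on the ssdeep and TLSH values, the Threatray cluster, or strings and configuration extracted from the unpacked payloads instead; an imphash-only YARA rule such as the two listed above will match most of the .NET corpus.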

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Malware family: DarkCloud
File: Executable exe 32689f7a963dbea9368bfbd0df3c10a6df56d41265cc06f99af841565571fc67 (this sample)
