MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33fb8a8a9eb16eaa7ad46df7291839624ee7827e7eae4427857392850a49f914. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 16


Intelligence 16 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33fb8a8a9eb16eaa7ad46df7291839624ee7827e7eae4427857392850a49f914
SHA3-384 hash: fcf23b9b42e27cd9b5233925f4a7d83cf4298d8b3c9baf47db794f91d3752a1feaf39c7f8fdc6a300c08d101703a4e5a
SHA1 hash: ad22ac169b20a2f4d144f68026bc9354aadbd2c4
MD5 hash: 2ca18650027e65990776435f51baf9ea
humanhash: cat-hot-undress-freddie
File name:New Order 6886AR9696996.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:558'592 bytes
First seen:2025-02-11 13:25:17 UTC
Last seen:2025-02-11 14:49:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:g0rk9UyAbubvjBGVMJkhBcnssn6H6cKYdse4Kgx2/omjSOz205LFXnRcVoCOgvnx:I9UyJqU/nssNcKYQKgxmS0zhkxOg/x
Threatray 7 similar samples on MalwareBazaar
TLSH T105C449095FAB1B94E91E6E3B152C19C067DAF3D1E4AC5D28080DB6333AF9D1A5B31732
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter TeamDreier
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
447
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Order 6886AR9696996.exe
Verdict:
Malicious activity
Analysis date:
2025-02-11 13:28:30 UTC
Tags:
evasion stealer darkcloud upx
Link:
https://app.any.run/tasks/fcdd3803-d559-42b0-a410-7942118aabfb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.27852.14433.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ab5042f667f46cd1830616
Tags:
virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated obfuscated packed packed packer_detected phishing
Link:
https://www.filescan.io/uploads/67ab4ff60492399730586062/reports/23934543-ca47-47b2-84f3-85d3ccbf71ee/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/33fb8a8a9eb16eaa7ad46df7291839624ee7827e7eae4427857392850a49f914
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1642d78e-da94-4d28-abbb-8cb90a440a39
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1612077
Signature
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/33fb8a8a9eb16eaa7ad46df7291839624ee7827e7eae4427857392850a49f914
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33fb8a8a9eb16eaa7ad46df7291839624ee7827e7eae4427857392850a49f914/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2025-02-10 02:29:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gp5yvcu6wfxku6wunx3ssgbzmjhopat6p2xeij4foojikcsj7eka._file
Verdict:
malicious
Label(s):
darkcloudstealer
Create hunting rule
Similar samples:
3bcb2edbdb58b3f4b04b1629b76a7b91c22077e5d021599c22e8c0fb97483683
DarkCloud
40644b368c1e04cbb944236729d0ecb6f7d5b0f102a14c2ec83e72da6a8e9732
DarkCloud
842c70e16adba3414dcc87d73c8b44330ce4721164973c6f8e8deb66d60a18d3
DarkCloud
9116e489568656d24b28ddc5150f55f3010c3516515254b06cd8151437bdc6a3
DarkCloud
91ce11dba631a9613d7c96409db89bf0cc358eff124632ad56f25fd6b372b070
DarkCloud
error
DarkCloud
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer upx
Link:
https://tria.ge/reports/250211-qn8b8ssrgn/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/056e8596-3684-4a55-b7ce-2e0c31b57d0b
Unpacked files
SH256 hash:
33fb8a8a9eb16eaa7ad46df7291839624ee7827e7eae4427857392850a49f914
MD5 hash:
2ca18650027e65990776435f51baf9ea
SHA1 hash:
ad22ac169b20a2f4d144f68026bc9354aadbd2c4
Link:
https://www.unpac.me/results/5051cbc0-5612-46f5-8d0a-fbef43ad7bc0/
SH256 hash:
62f087278554b14e7b32d5f5efb20165f509c143ff38ebb742f0cdd9720592af
MD5 hash:
5d4ce466969e31405e1bb07cebbf72d4
SHA1 hash:
3ff3c2db5c6b1441c5e1b2f951f43596cb2cec0b
Detections:
darkcloudstealer
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
Link:
https://www.unpac.me/results/5051cbc0-5612-46f5-8d0a-fbef43ad7bc0/
SH256 hash:
ecb129cce94db8594bc69eda1ead471db15bdd784afc9a2e8adc56ef3bb71888
MD5 hash:
27c52e96a5804196921c61a1c22172ea
SHA1 hash:
45c12029ad318a8240e75305e89b61a06532c8af
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/5051cbc0-5612-46f5-8d0a-fbef43ad7bc0/
Parent samples :
4ca6c67a91a4186d98691455cf74d78d5ea807a35671d0fe7f267d26d28a887e
d31208b71987d8cdbb8affc975333950516b6aa23951020fbd536fa27e1d1f0b
ea182b46e91f32537a6220caf8c6afab856db2a1f54ff078d2505fce84886317
5b72ed928f8a9e98082f9d22d1966a0bfea8222c51041311a6ab5b1339c8f95c
33fb8a8a9eb16eaa7ad46df7291839624ee7827e7eae4427857392850a49f914
5a4e470b3209d805f2c4f0707795907a5e5d2964d1ec35b9b42eb8e6d5dc9f82
02a3bd948e6463c2dc29482b77286aa13e7c76043a16fffd0b0ce05e53c1c68e
e7e58774286c3f86656f253e5b53bb32c02ba2cb5eff739bb40e4d8853bbc4de
ae82af7dac57877f2da402544bd5af774710be29e388637d8a6dcb8e2c198de5
e75ad8565d853b8a08df2e9b75f0df4fc8fe9b14a0fc3d796aeb3c8b6751436c
fa990d3b037070b8dd038651325ffb8ddd8fa709a74fb174cf423131939457db
4949207a1e4bf8bf1235e0b3edcdaaaafbc51edcf7dcf2cc81fdb1cae40c29d6
ab22c9a93a1dff9b41a681a2579773e797146ecefd0dda4c574f258004dbf8a6
2050666c34009e372410eec0c7ceebe8021e6752c28b2087d1723cbac83a5bc3
a545367132b0ec9df0538a1eea261d64a5c2c986b3d9ff09e2e11e0b3d21faba
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/5051cbc0-5612-46f5-8d0a-fbef43ad7bc0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/33fb8a8a9eb16eaa7ad46df7291839624ee7827e7eae4427857392850a49f914

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing credit card regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_DarkCloud
Create hunting rule
Author:ditekSHen
Description:Detects DarkCloud infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:Windows_Trojan_DarkCloud_9905abce
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 33fb8a8a9eb16eaa7ad46df7291839624ee7827e7eae4427857392850a49f914

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments