MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3485b71b8ccdae236a71d4426aea885bd16ee3e2760d9eb324dfce2a552dd938. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkCloud


Vendor detections: 16



SHA256 hash: 3485b71b8ccdae236a71d4426aea885bd16ee3e2760d9eb324dfce2a552dd938
SHA3-384 hash: 9403ed7072a175bac607e5b484d18c2629802602f19144381232d942ccf37a0791a62d18f633d594dffc8d198670d477
SHA1 hash: d853a610f2c79090dff0c691582c97f7c388c774
MD5 hash: 45ddb2f5915c93bdf4e46beddf518240
humanhash: speaker-thirteen-uranus-massachusetts
File name: 3485b71b8ccdae236a71d4426aea885bd16ee3e2760d9eb324dfce2a552dd938
Signature: DarkCloud
File size: 931'336 bytes
First seen: 2025-09-05 13:10:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:57H96LiBKy1Fyf7NTqZHRXMQ4CXaJc++1xaW0+ezKRd8Lh3pHuhIKClhan2NUpmy:5h6OBKKGyHR8gz1xC+ez7LdpHu
Threatray 584 similar samples on MalwareBazaar
TLSH T1341501983111F09EC8A3CA3589B4DE74EB657D9AA306C20395E71D9FBD4D6839F102F2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags: DarkCloud exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
43
Origin country :
HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3485b71b8ccdae236a71d4426aea885bd16ee3e2760d9eb324dfce2a552dd938
Verdict:
Malicious activity
Analysis date:
2025-09-05 20:06:22 UTC
Tags:
netreactor auto-sch-xml darkcloud ims-api generic upx

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
micro spawn msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
invalid-signature obfuscated obfuscated obfuscated packed packed packer_detected remcos signed vbnet
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-21T02:14:00Z UTC
Last seen:
2025-08-21T02:14:00Z UTC
Hits:
~1000
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2025-08-21 05:20:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
27 of 38 (71.05%)
Threat level:
5/5
Result
Malware family:
darkcloud
Score:
10/10
Tags:
family:darkcloud discovery execution persistence spyware stealer
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
DarkCloud
Darkcloud family
Malware Config
C2 Extraction:
https://api.telegram.org/bot8006348346:AAFxBP2Fxhqr42hjwj_-WYaqfhUZomjSXEg/sendMessage?chat_id=6311012313
Unpacked files
SHA256 hash:
3485b71b8ccdae236a71d4426aea885bd16ee3e2760d9eb324dfce2a552dd938
MD5 hash:
45ddb2f5915c93bdf4e46beddf518240
SHA1 hash:
d853a610f2c79090dff0c691582c97f7c388c774
SHA256 hash:
96cef1306a19b88e91cf1726ed7297acd1cbfe1609af2d92fe47419519a57a3b
MD5 hash:
fa94cb530c519a2c5a6bad07925ac722
SHA1 hash:
5570bc815dd849a1af2333f739f301f31cbf9ce1
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
SHA256 hash:
6f663c04d0d98abf75bd5202ffa408fa727502c199f42f5d9b8b3e50f4ac3781
MD5 hash:
3bcbe25f8ad2139c0bb3501fcf9afc5f
SHA1 hash:
a7a91c6b0fafeac319c6bf429fd8799f9670cba3
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Parent samples :
SHA256 hash:
817120046344fb4f726e522f4c423b5198c38f17d3ff2b275824dac06286ef05
MD5 hash:
ecbade2fb57749aee6ca66d7f5712117
SHA1 hash:
cee77120c911b25c9a94211ace9a5a148b4de9ee
Detections:
darkcloudstealer INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore INDICATOR_SUSPICIOUS_EXE_TelegramChatBot INDICATOR_SUSPICIOUS_EXE_CC_Regex MALWARE_Win_A310Logger MALWARE_Win_DarkCloud
SHA256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: attack_India
Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name: INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments