MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35a7bd598740e266427ddd1a02113ebf709cf557d0f6f757f3a6404dd42178ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35a7bd598740e266427ddd1a02113ebf709cf557d0f6f757f3a6404dd42178ce
SHA3-384 hash: 8311239471296cefd018581166202c7b4991e2a62113666f81c3e02f4e20938b01eb308c0b808f67aba2f7de0d4745f3
SHA1 hash: 6e626e94ea13fe1779213a0ed068847e2a37bd5a
MD5 hash: e5ee3c3c38269df2e34a350c16642a33
humanhash: double-jig-six-bulldog
File name:Inquiry.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'656'320 bytes
First seen:2025-02-24 07:42:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 346d3e06163674309003d6be3630743e (1 x DarkCloud)
ssdeep 24576:VyHFdBWDMJYGbZlkp0JuGbtz4K2W/s0nqJRM4qCyZ65p3aLpZsAn:V8IDakpKVbd4Kj4VyUQpZsu
Threatray 29 similar samples on MalwareBazaar
TLSH T12575E02263D04E33D1224939CC33F393751E3E2C2934A94766D5AF5BABE4188ECEA557
TrID 35.4% (.EXE) Win64 Executable (generic) (10522/11/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4504/4/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 0403115c2e2a1508 (2 x DarkCloud, 1 x DBatLoader, 1 x AgentTesla)
Reporter lowmal3
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
346
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Inquiry.exe
Verdict:
Malicious activity
Analysis date:
2025-02-24 08:44:58 UTC
Tags:
delphi
Link:
https://app.any.run/tasks/ea335ef2-47eb-4e9c-8a28-4c7674bac6b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67bc22d728ab76d43a5ccfea
Tags:
delphi emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context borland_delphi fingerprint keylogger obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67bc22dc3afc3763bec35211/reports/9de807de-009a-4c9f-b581-5b6148151c18/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/35a7bd598740e266427ddd1a02113ebf709cf557d0f6f757f3a6404dd42178ce
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d6d44a0-8735-48a2-986e-1907d9dda457
Result
Threat name:
DBatLoader, DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1622499
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Yara detected DarkCloud
Yara detected DBatLoader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1622499 Sample: Inquiry.exe Startdate: 24/02/2025 Architecture: WINDOWS Score: 100 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected DarkCloud 2->43 45 6 other signatures 2->45 7 Inquiry.exe 1 7 2->7         started        11 Cmrtpquu.PIF 2->11         started        13 Cmrtpquu.PIF 2->13         started        process3 file4 35 C:\Users\Public\Libraries\Cmrtpquu.PIF, PE32 7->35 dropped 37 C:\Users\Public\Cmrtpquu.url, MS 7->37 dropped 47 Early bird code injection technique detected 7->47 49 Drops PE files with a suspicious file extension 7->49 51 Allocates memory in foreign processes 7->51 57 2 other signatures 7->57 15 cmd.exe 2 7->15         started        17 cmd.exe 1 7->17         started        19 SndVol.exe 7->19         started        53 Multi AV Scanner detection for dropped file 11->53 55 Allocates many large memory junks 11->55 21 colorcpl.exe 11->21         started        23 SndVol.exe 13->23         started        signatures5 process6 process7 25 conhost.exe 15->25         started        27 conhost.exe 17->27         started        29 WerFault.exe 20 16 19->29         started        31 WerFault.exe 3 21 21->31         started        33 WerFault.exe 21 23->33         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/35a7bd598740e266427ddd1a02113ebf709cf557d0f6f757f3a6404dd42178ce
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35a7bd598740e266427ddd1a02113ebf709cf557d0f6f757f3a6404dd42178ce/
Threat name:
Win32.Trojan.ModiLoader
Create hunting rule
Status:
Malicious
First seen:
2025-02-24 07:42:11 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gwt32wmhidrgmqt53unaeej6x5yjz5kx2d3pov7tuzae3vbbpdha._file
Verdict:
malicious
Label(s):
darkcloudstealer
Create hunting rule
dbatloader
Create hunting rule
Similar samples:
0009a5bb1bb1542c3663bc48457b7391c940ad8284d92996fa8a058fc4b5a8cc
DarkCloud
048cd5681bad97fa342f12ace152238c14602511f38478442cbda10c91f70ca1
DarkCloud
27631e88462342b700862d389d3068b166e0b30406cedb7b888d1900b7cc06d9
DarkCloud
3f7d4827bfbe25072981dbe089ca358e317f42218d654cf31486cdf9598c16be
DarkCloud
4360efc190c8e1b7bc3b2c8b6e469a1b2a23d08b895e69e97e1abdc2057db037
DarkCloud
64f5db0e506c5eb6e017743991cdc6d015737d6776100b0a9906f0256e42ee6f
DarkCloud
820a12d9d465245b47965d8d82101411b57fdb064e89322a84bf9a0f5599254f
DarkCloud
88eb723b69a1aa35577ada15e24ede633f579083787b2b4a773fecbedf507347
DarkCloud
d63fafb306b46296ec8c307006db98df532dc97118eaa0ba1c56252ad580d9fc
DarkCloud
e5c3febab37a06659361fbfb93aff167b685270ba63a71a86fa9892379abfbf3
DarkCloud
error
DarkCloud
+ 19 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery persistence trojan
Link:
https://tria.ge/reports/250224-jjsbwsslhm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/73b25d94-236a-4131-95bb-6dd0f1a0a089
Unpacked files
SH256 hash:
35a7bd598740e266427ddd1a02113ebf709cf557d0f6f757f3a6404dd42178ce
MD5 hash:
e5ee3c3c38269df2e34a350c16642a33
SHA1 hash:
6e626e94ea13fe1779213a0ed068847e2a37bd5a
Link:
https://www.unpac.me/results/62b167e3-7a81-4446-a854-2360019c9e8b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/35a7bd598740/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35a7bd598740e266427ddd1a02113ebf709cf557d0f6f757f3a6404dd42178ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 35a7bd598740e266427ddd1a02113ebf709cf557d0f6f757f3a6404dd42178ce

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::PeekMessageW
user32.dll::CreateWindowExA

Comments