MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37203c38c11b529b8d10382dfb610e739ceb38daae8bc1c19f28506edf3dfdd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 37203c38c11b529b8d10382dfb610e739ceb38daae8bc1c19f28506edf3dfdd1
SHA3-384 hash: b2930ccbd8b7e34d56828624f1efea65ee9775c7d697e69b7ded85e8779682a52b12a7475b3666c97c10567393c32cfe
SHA1 hash: 4ca5ce802af1d29dcd1c4f1cf4428cb20d111925
MD5 hash: dc95bfefb5e26c55ff5efed30c817515
humanhash: ack-kansas-pizza-five
File name:金璽CCIC 0408 inv 4-18.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'346'439 bytes
First seen:2023-04-18 04:49:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 24576:DTbBv5rUDwcywjLAXjXXRQFX8KZtB34NPPFDXpUUBQjqfYTfz7V2EggiVEH:dB1cLjUtQSo4N3PUUZ8V2Egm
Threatray 556 similar samples on MalwareBazaar
TLSH T19B5512027BC1D4B3D0620E365A66AB21AD3D7D605FB58ACF73806A5EDE322C0D6317B5
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0c7e6a74e0f0f638 (3 x SnakeKeylogger, 2 x DarkCloud, 1 x RemcosRAT)
Reporter cocaman
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
510
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
金璽CCIC 0408 inv 4-18.exe
Verdict:
Malicious activity
Analysis date:
2023-04-18 04:50:25 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/fc25571a-efeb-4e71-b60b-5a2fcd49430c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382912/
Detection(s):
Win.Dropper.Nanocore-9987974-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Launching a process
Creating a process from a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/80140/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm autoit explorer.exe greyware keylogger overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/643e217c48716a65fb203ea1/reports/6bf63c77-9f0a-47b2-8fad-73488881bdac/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/37203c38c11b529b8d10382dfb610e739ceb38daae8bc1c19f28506edf3dfdd1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b8ce26ab-8ab7-4c76-8c4e-97690708d235
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1215627
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates autostart registry keys with suspicious values (likely registry only malware)
Drops PE files with a suspicious file extension
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Starts an encoded Visual Basic Script (VBE)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 848555 Sample: #U91d1#U74bdCCIC_0408_inv_4... Startdate: 18/04/2023 Architecture: WINDOWS Score: 100 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 3 other signatures 2->66 8 #U91d1#U74bdCCIC_0408_inv_4-18.exe 34 2->8         started        12 bdxqep.pif 1 2->12         started        14 bdxqep.pif 2->14         started        16 bdxqep.pif 2->16         started        process3 file4 46 C:\Users\user\AppData\Local\...\bdxqep.pif, PE32 8->46 dropped 48 C:\Users\user\AppData\Local\...\idnhddr.dll, data 8->48 dropped 72 Drops PE files with a suspicious file extension 8->72 74 Starts an encoded Visual Basic Script (VBE) 8->74 18 wscript.exe 1 8->18         started        76 Creates autostart registry keys with suspicious values (likely registry only malware) 12->76 78 Writes to foreign memory regions 12->78 80 Allocates memory in foreign processes 12->80 20 RegSvcs.exe 1 12->20         started        22 RegSvcs.exe 1 12->22         started        82 Injects a PE file into a foreign processes 14->82 24 RegSvcs.exe 14->24         started        26 RegSvcs.exe 1 14->26         started        28 RegSvcs.exe 16->28         started        30 RegSvcs.exe 16->30         started        signatures5 process6 process7 32 bdxqep.pif 1 3 18->32         started        36 WerFault.exe 24->36         started        file8 44 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 32->44 dropped 52 Antivirus detection for dropped file 32->52 54 Multi AV Scanner detection for dropped file 32->54 56 Writes to foreign memory regions 32->56 58 2 other signatures 32->58 38 RegSvcs.exe 15 32->38         started        42 RegSvcs.exe 32->42         started        signatures9 process10 dnsIp11 50 showip.net 162.55.60.2, 49698, 80 ACPCA United States 38->50 68 Tries to harvest and steal browser information (history, passwords, etc) 38->68 70 May check the online IP address of the machine 42->70 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/37203c38c11b529b8d10382dfb610e739ceb38daae8bc1c19f28506edf3dfdd1/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-18 01:49:30 UTC
File Type:
PE (Exe)
Extracted files:
100
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g4qdyogbdnjjxdiqhaw7wyiooooowog2v2f4dqm7fbig5xz57xiq._file
Verdict:
malicious
Similar samples:
13ce470fae6d0e88415b25bd7eb623c6aebb9183e9853c23d31921e7a37c0af3
DarkCloud
194f755147e8c616d0218d1e1b4e1e0a5c9373edb5e295665ab46cecebc05a5a
DarkCloud
209796f7defbaddb78d4068d6dcb5c2bb81508987eb3a07090513d5171cc9e69
DarkCloud
331c2f4bff1f7b905846094bf883b8d67efa9f6698c57169bff85fd4382da009
DarkCloud
7c9b76501eecbdb69cbb772d949560a63312a7c714d685a4767360474fe7abe4
DarkCloud
8950ea9b316232851e595d026da62e01421b47d39f7306601abaf3de87f3254e
DarkCloud
97a6c2608c1e6c30e08ef783b41087ae099d399e0c3ded19a111878e12e4965a
DarkCloud
e20a204e05f31d87560e84607108297c3414a16775110ac2f6037a5107521b84
DarkCloud
e59bfbd9a59b19bdfc2c7435858396d1ec99e5ddb5cc59c3c98e8c2e1bd5c947
DarkCloud
+ 546 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud persistence stealer
Link:
https://tria.ge/reports/230418-ff9j8abd4y/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/948ef4bf-2c0c-4373-9015-e8d54a35ba11/
SH256 hash:
d0cab21402d3cb3e36b75760cd7418675ae2a1d7a787dbd89b3669eed3d4a8dc
MD5 hash:
d0e2f9ec745b7771eb4a7147f77b8360
SHA1 hash:
f0dc0e9479901191f5d5411c1721d1929acd5414
Link:
https://www.unpac.me/results/948ef4bf-2c0c-4373-9015-e8d54a35ba11/
SH256 hash:
afae5fa0e893068308f22b2bc6e98be3d7c6502d7a6e4a71a2e732d2bb471f81
MD5 hash:
e8fdbe080119bf15fcee4bd56133f339
SHA1 hash:
774e02358cb56e43b991e8dd3f3264329a50a4df
Link:
https://www.unpac.me/results/948ef4bf-2c0c-4373-9015-e8d54a35ba11/
SH256 hash:
37203c38c11b529b8d10382dfb610e739ceb38daae8bc1c19f28506edf3dfdd1
MD5 hash:
dc95bfefb5e26c55ff5efed30c817515
SHA1 hash:
4ca5ce802af1d29dcd1c4f1cf4428cb20d111925
Link:
https://www.unpac.me/results/948ef4bf-2c0c-4373-9015-e8d54a35ba11/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/37203c38c11b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/37203c38c11b529b8d10382dfb610e739ceb38daae8bc1c19f28506edf3dfdd1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

zip 8f5a7c995ae239f4909f92bdd58c633c7f37d1f30abfc5ab5e4b34c916ccd0ca

DarkCloud

Executable exe 37203c38c11b529b8d10382dfb610e739ceb38daae8bc1c19f28506edf3dfdd1

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/382912/
  
Dropped by
SHA256 8f5a7c995ae239f4909f92bdd58c633c7f37d1f30abfc5ab5e4b34c916ccd0ca
  
Dropped by
MD5 22675457013bf1fb589a75d26b7c3061

Comments