MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38461e31543daade52ed3547620adb36ead9c2421537e4f2eefb500fdfc5596a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38461e31543daade52ed3547620adb36ead9c2421537e4f2eefb500fdfc5596a
SHA3-384 hash: f74af6ccf630baf92c5ad1854509ef316c7e94a5ee702d5920da7de4c3c09cdd9e6fba45d0d6078fec75d6810765f2af
SHA1 hash: ec1cb879056186e9eba95f2994c9502b17accc80
MD5 hash: 4b202abdb1cec04499a8a626d9568bdc
humanhash: four-fix-may-india
File name:4b202abdb1cec04499a8a626d9568bdc.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:2'430'847 bytes
First seen:2022-10-26 10:12:25 UTC
Last seen:2023-08-26 21:44:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bca6eef833a3a9c7d08eeaa3fa5b1e34 (3 x DarkCloud, 2 x a310Logger, 1 x Smoke Loader)
ssdeep 49152:FtXvnXE1uwOlE/X1y8qtCFcPbTzoh5zNALV8rOPDJyRAgypaTkg9FA0dGscglv7m:FtvXYclEv1Ct6kbTGIV8ruJyjBAg9FAx
TLSH T137B5331D7F56EE25E610B0B395B22E3AC504907BA5A6C424ECBFA4311701FF79F6E640
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 06f692c2529ab2d2 (5 x DarkCloud, 2 x a310Logger, 2 x Floxif)
Reporter abuse_ch
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4b202abdb1cec04499a8a626d9568bdc.exe
Verdict:
Suspicious activity
Analysis date:
2022-10-26 10:20:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a7d525ef-a93b-475a-89e7-04d07b7393a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/324336/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
Creating a window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b2e80907-67a0-4e1e-a809-519c6da3a388
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1098270
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
PE file contains section with special chars
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38461e31543daade52ed3547620adb36ead9c2421537e4f2eefb500fdfc5596a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-10-26 10:33:18 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
24 of 41 (58.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hbdb4mkuhwvn4uxngvdwecw3g3vntqsccu36j4xo7nia7x6flfva._file
Verdict:
unknown
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud evasion stealer themida trojan
Link:
https://tria.ge/reports/221026-l836ssfdem/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
DarkCloud
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/46c5c428-304b-4bd3-9500-fb677b2fb1ee
Unpacked files
SH256 hash:
3ca22f5117fd1005d5bb935910e3eda00ed32b47784dd50256291341d64f8290
MD5 hash:
022d3f10e614df72b8c04090db6c2493
SHA1 hash:
cf7acac67fff8fdd6ceb4c5f925e5d605dfb3e7b
Link:
https://www.unpac.me/results/8b7b224c-86d4-461a-a506-005d1c44045c/
SH256 hash:
448db5f083cbc57e2f61efb0183de51aba1b6bbeb1eb39df6303a5d1ef21426e
MD5 hash:
adab7ef68edbe7cecadf18c2cfc59cba
SHA1 hash:
70eecac16d3961702119fca3bc2279e6788b5a9c
Link:
https://www.unpac.me/results/8b7b224c-86d4-461a-a506-005d1c44045c/
SH256 hash:
38461e31543daade52ed3547620adb36ead9c2421537e4f2eefb500fdfc5596a
MD5 hash:
4b202abdb1cec04499a8a626d9568bdc
SHA1 hash:
ec1cb879056186e9eba95f2994c9502b17accc80
Link:
https://www.unpac.me/results/8b7b224c-86d4-461a-a506-005d1c44045c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/38461e31543daade52ed3547620adb36ead9c2421537e4f2eefb500fdfc5596a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_A310Logger
Create hunting rule
Author:ditekSHen
Description:Detects A310Logger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkCloud

Executable exe 38461e31543daade52ed3547620adb36ead9c2421537e4f2eefb500fdfc5596a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2366137/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/324336/

Comments