MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ddcca47351b6564585e8092bc5661cecd43d2a14050531843d1afdfbfcb7dfa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ddcca47351b6564585e8092bc5661cecd43d2a14050531843d1afdfbfcb7dfa
SHA3-384 hash: ad214c22901ea685643303e86e8adf274edb3550e433d80a332fa8eae889a387543d726b70e571e542a938f89a5eb98d
SHA1 hash: 67d7ed154fc882a6aa5a95802eb573f2401019fe
MD5 hash: e98d00f968fbed03368f883ea3ecff76
humanhash: fifteen-fruit-oranges-bakerloo
File name:Ziraat Bankası Swift Mesajı (8).exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:886'784 bytes
First seen:2023-04-19 16:10:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:c3oo/3xlCoPCC4N1vx5TqNMFiBTbCHPKlHN/n:U9/xs4CCs1v3Tq2F8TbQGHN
Threatray 292 similar samples on MalwareBazaar
TLSH T1B81512ADB7A9D9E7C66C0FBD4406B1487F2090E67637C638DF47809DEA87B081D91683
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:DarkCloud exe geo TUR ZiraatBank

Intelligence

File Origin
# of uploads :
1
# of downloads :
249
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ziraat Bankası Swift Mesajı (8).exe
Verdict:
No threats detected
Analysis date:
2023-04-19 16:58:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2d37d758-f3e4-40a1-bbe7-f26be8c319c3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383483/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/644012a07a31c790ffdbe18d/reports/7a7dd6a3-53a2-412c-bd24-0a25eb677c38/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3ddcca47351b6564585e8092bc5661cecd43d2a14050531843d1afdfbfcb7dfa
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a5413b4b-6496-453e-a0b6-98f493504f11
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1217236
Signature
.NET source code contains potential unpacker
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ddcca47351b6564585e8092bc5661cecd43d2a14050531843d1afdfbfcb7dfa/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hxomurzvdnswiwc6qcjlyvtbz3guhuvbibifggcd2gx57p6lpx5a._file
Verdict:
malicious
Similar samples:
09d16715756085ded7748ecdaea1e54e91304db6471ad9b79deeafe64e390224
DarkCloud
0ba799607c3249b17cb474a73a255b0f38dc09e05526258c9144e23209b1a01a
DarkCloud
23af85d9373c400f00f17590112f4545c9a522427bf6e1de80dcb028b8538bbd
DarkCloud
5b07c93b74dfe2b95a5a8522f4f3106a91675f1da0c5f4a4ee7e5404b1dbfd58
DarkCloud
67987af9c454a2d990d14f53a2fe1763447e58ed1a5d6deec4d41f258ff6772d
DarkCloud
8471e4241857b78c135a6e0b5b218ede15f8d07afa8c8a2036332f1b77dbff17
DarkCloud
911726d8a917e91553bc20985c0b4562768ba02202b5555be7a0e6ff6e0797c3
DarkCloud
a64f5b5615ebe7e09f5238788ab1e6dfc6e00acc1741ecceba0fbf3930389273
DarkCloud
bbbc5f4b6670a77c8717b4500d077e7fe4a95669d4f4d032798ed14ed3addf3f
DarkCloud
ce33f260e52f5ea18962a5993e4275c41f527004b57ccc48d518b4ad3b310850
DarkCloud
+ 282 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230419-tmym7adf9s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/bb009e3b-5482-467a-903b-6f62ac87da58/
SH256 hash:
09b2da65379a3d057e0871dfdb66288606855274992d2261ea34fb8dfba48b28
MD5 hash:
1deeb3bfb36b51b31a89471cd06fec97
SHA1 hash:
fc17fa8b2be23dae3a1e30ad3875160fc419b625
Link:
https://www.unpac.me/results/bb009e3b-5482-467a-903b-6f62ac87da58/
SH256 hash:
21f0154b51a09767f94922b81f5fcd15cf4a6390ab7314e40d0e17b2dcdfe6ba
MD5 hash:
c926563698de3a89ad20474c85122f73
SHA1 hash:
ed1a3b2527ace111e6f39880c7ee3965f301330d
Link:
https://www.unpac.me/results/bb009e3b-5482-467a-903b-6f62ac87da58/
SH256 hash:
40415c809f7288461c33557dfc07445b9d523761d0cbe62bd40b244f4ea6d476
MD5 hash:
25cc0cd6e4c71c3f66ced2c77dae5814
SHA1 hash:
4af2e8a5c31e628a08080fb24919ddd8fb540bec
Link:
https://www.unpac.me/results/bb009e3b-5482-467a-903b-6f62ac87da58/
SH256 hash:
5e5c8fe4e53980a98b48fe6b19155edf0f0d285ed899c61dbf4f880583ddf1d2
MD5 hash:
b3bbc5461d12f07ea893bf415dfe7c89
SHA1 hash:
40c3156c471d2afe3fd88c7d20cf93e5782e1bd6
Link:
https://www.unpac.me/results/bb009e3b-5482-467a-903b-6f62ac87da58/
SH256 hash:
3590f58f5a84b7d50137f376daf78812505da5c5e1347366e13e3fe4098d9d90
MD5 hash:
a7309961e8fbfcb297f01e316683a04c
SHA1 hash:
0286fc35c47ee99db952ace2fdd4ccbe2c46fa3f
Link:
https://www.unpac.me/results/bb009e3b-5482-467a-903b-6f62ac87da58/
SH256 hash:
3ddcca47351b6564585e8092bc5661cecd43d2a14050531843d1afdfbfcb7dfa
MD5 hash:
e98d00f968fbed03368f883ea3ecff76
SHA1 hash:
67d7ed154fc882a6aa5a95802eb573f2401019fe
Link:
https://www.unpac.me/results/bb009e3b-5482-467a-903b-6f62ac87da58/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ddcca47351b6564585e8092bc5661cecd43d2a14050531843d1afdfbfcb7dfa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 3ddcca47351b6564585e8092bc5661cecd43d2a14050531843d1afdfbfcb7dfa

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/383483/

Comments