MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ebff29a9b26f2a968315a7aada1b6aa885afd56a0d8d54e5875371c42dd3520. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ebff29a9b26f2a968315a7aada1b6aa885afd56a0d8d54e5875371c42dd3520
SHA3-384 hash: 22c8dd6d157aa82c67cdd4160f1563a71f3b5c2aea5ea3dd17dba2a0e7c9f3393f017afb65860532ebdc732b8e7287d2
SHA1 hash: 00c55d38943818dcdc9242a5fe2cfec977d2c411
MD5 hash: 3c4527dc61da9a0c8c17b3177e634a9f
humanhash: avocado-jersey-nevada-mirror
File name:3ebff29a9b26f2a968315a7aada1b6aa885afd56a0d8d54e5875371c42dd3520
Download: download sample
Signature DarkCloud
Create hunting rule
File size:484'352 bytes
First seen:2023-04-05 15:44:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ab1f67286790bad81d99cb0480169060 (1 x DarkCloud)
ssdeep 12288:W8wFE98FsRkv/ta/GkcenDbGI4ovU6zKjkuQjYKkJj6GmZU:lHbw6zKjFGYb6nZ
Threatray 28 similar samples on MalwareBazaar
TLSH T154A43A2AE710F02AF897C8797B919257A81AAD731140A82FF7919F8935316D3D0F136F
TrID 51.3% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
16.9% (.EXE) UPX compressed Win32 Executable (27066/9/6)
16.6% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
4.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 06f692c2529ab2d2 (5 x DarkCloud, 2 x a310Logger, 2 x Floxif)
Reporter adrian__luca
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
254
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3ebff29a9b26f2a968315a7aada1b6aa885afd56a0d8d54e5875371c42dd3520
Verdict:
No threats detected
Analysis date:
2023-04-05 15:44:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6287bbdb-d556-47bc-a7ba-990899d62e5b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380388/
Detection(s):
SecuriteInfo.com.Heur.ManBat.1.15191.25025.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive hacktool networm packed shell32.dll
Link:
https://www.filescan.io/uploads/642d977f5df5c94ab9b87dd4/reports/cd19b95c-1a2c-45e9-8d4f-11c3e537fabd/overview
Verdict:
Malicious
Labled as:
ManBat.Generic
Link:
https://www.hybrid-analysis.com/sample/3ebff29a9b26f2a968315a7aada1b6aa885afd56a0d8d54e5875371c42dd3520
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b9dd44c9-0444-4a7d-9266-7779534059b9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1208990
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ebff29a9b26f2a968315a7aada1b6aa885afd56a0d8d54e5875371c42dd3520/
Threat name:
Win32.Trojan.ManBat
Create hunting rule
Status:
Malicious
First seen:
2023-04-05 15:45:07 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h277fgu3e3zks2brlj5k3inwvkefv7kwudmnktsyou3ryqw5guqa._file
Verdict:
malicious
Similar samples:
174ed156f6f1c67a8b09b72ab463b69c2d9aae053a5dffb6d4630bdea6308153
DarkCloud
5f8e2b838a675ecd820088d6c390a7f77cfb86f866648767ef51da2c3481b013
DarkCloud
630f2becb05a49664975e0561dd7f4a45690c3cc1c039816c5b1961caf0c2980
DarkCloud
a8e34f0afa9d78ee85eaea3f14d16dd9180d4adc10d82dbd857394d5e2b3d9d6
DarkCloud
a91dca5f2e89d48fdb09b37bf972be6ef686f4ae84ee01b9684ab968068d0c93
DarkCloud
cbda14adc5ddc1c7dcaab3718dd25805b8c0b720db8678715a754754a214e05f
DarkCloud
d9fb5f10465038710b0e96b46a5e97d2797667c6c07c5246a4d9f49233055ed4
DarkCloud
de19b88c284dcc4b18ea43b7e4dc96679ea39dda05016869cfd2c0aac3132a1c
DarkCloud
f8a344532b9c8dba36b351ce752ba35853e625ac627d231a9c0cbc6db980f017
DarkCloud
+ 18 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230405-s62nhshg5t/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/37ccaf4f-a12b-431e-b801-df5134a664c9/
SH256 hash:
3ebff29a9b26f2a968315a7aada1b6aa885afd56a0d8d54e5875371c42dd3520
MD5 hash:
3c4527dc61da9a0c8c17b3177e634a9f
SHA1 hash:
00c55d38943818dcdc9242a5fe2cfec977d2c411
Link:
https://www.unpac.me/results/37ccaf4f-a12b-431e-b801-df5134a664c9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ebff29a9b26f2a968315a7aada1b6aa885afd56a0d8d54e5875371c42dd3520

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/380388/

Comments