MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46506e04f95c639e103cfd2be43f56e9e5af5f1a3db6cb9588a050d9d842a76a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46506e04f95c639e103cfd2be43f56e9e5af5f1a3db6cb9588a050d9d842a76a
SHA3-384 hash: 4e8a4824d38e22d5e25a8cc61ab01240e7573d88007091e508c7c97a6916b49b1d13c9cd93d512a9683e2448346a44b7
SHA1 hash: 9c43f9122ab6398cb433a8fed1c3b84b23747fb8
MD5 hash: 1b7d87067f9aa8b7ffe41586783203b8
humanhash: ceiling-north-ten-winner
File name:Invoice.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:961'536 bytes
First seen:2023-05-15 10:15:08 UTC
Last seen:2023-05-15 10:22:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:ymNqrFiowE8BJa92kQa1WRUA4zpC1m7/:SiowJsQIp81O
Threatray 1'255 similar samples on MalwareBazaar
TLSH T1AF15F2882237BCDED5565A7226443C538E3DB12772B960BCA91B748DCD4E8538FE06B3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 35caead8b495ca30 (1 x Loki, 1 x SnakeKeylogger, 1 x AgentTesla)
Reporter threatcat_ch
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
249
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice.exe
Verdict:
Suspicious activity
Analysis date:
2023-05-15 10:16:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b065e8c8-f6c1-486d-b078-f83d365569df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/390009/
Detection(s):
SecuriteInfo.com.Trojan.Generic.33691761.3784.2510.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/64620662edcf46739b7d30cd/reports/0dc08241-8511-4f80-9a34-616410c23358/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/46506e04f95c639e103cfd2be43f56e9e5af5f1a3db6cb9588a050d9d842a76a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2ef52b81-9142-4119-94ad-69486790bd04
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1233601
Signature
.NET source code contains potential unpacker
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/46506e04f95c639e103cfd2be43f56e9e5af5f1a3db6cb9588a050d9d842a76a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-11 01:05:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=izig4bhzlrrz4eb47uv6ip2w5hs26xy2hw3mxfmiubintwccu5va._file
Verdict:
malicious
Similar samples:
114f4e62ec2b81ab45799a56b183ef282b2bc5c172fd9831af33c154b23034ea
DarkCloud
17fc4205571ea12188b9ed8b5659339e305ebc54bace4e3ba62c72c6b61cdfcf
DarkCloud
2484f3b9e112f39471b0375d98ac190b4ffe3e29a295bcecdb8fd7b71af0094b
DarkCloud
55182f40b8372c9d9b9f8d5d59ce387b19acb5e355af6a40a6bfbb0bf64bd31f
DarkCloud
57ff6de510ccaa060efa53e2c9e1c1b8c3b132fa55289a8a7ecc321a5370043a
DarkCloud
750d5447adae2c21802da6fb6a7374f50563ca0cf99382510d60cf9c94995a85
DarkCloud
c88dd07515cb029ada85020dfdc2e20768861c9f3c47855d5b07a62daa3381e7
DarkCloud
ed6006755e51eded9bc077db183831125a767b605fddd9109a635b3af7e4f8f0
DarkCloud
f8a344532b9c8dba36b351ce752ba35853e625ac627d231a9c0cbc6db980f017
DarkCloud
ffb19cac93e35be747f5418116248e185687596877812115588cd59763d1ed15
DarkCloud
+ 1'245 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230515-mar7bafg38/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
DarkCloud
Malware Config
C2 Extraction:
https://api.telegram.org/bot5747177798:AAGv5MNvuUjtsZ9QlXMkdP6QssoMkGFSw6s/sendMessage?chat_id=805410216
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/80a26408-c588-4839-8755-33c3bebd7c43/
SH256 hash:
3ab1dcc37e7c5c643bf41e9f0f81f816f24974fbddde95e2af52426e3374dd35
MD5 hash:
8a2c496875c0871aecc16aae768b323f
SHA1 hash:
f5423a32125c70b512de301c5616c7b75477e2e7
Link:
https://www.unpac.me/results/80a26408-c588-4839-8755-33c3bebd7c43/
SH256 hash:
cce10a7ccdf405e36d308ab3c0c62965bc43e36e2453cc1d58b1750bc4d19bd8
MD5 hash:
75d97481d3f4337cc853686e7c6c669d
SHA1 hash:
97ed38a3f4d4736581a1623247f1d0c73e7aa8fc
Link:
https://www.unpac.me/results/80a26408-c588-4839-8755-33c3bebd7c43/
SH256 hash:
43f825c76e7a6ff9a5cc9345cee050a8b9921ab407e059f86b051b1e28a0e9f1
MD5 hash:
306c92cf15904d47de134873f2d8f87e
SHA1 hash:
6f080aa192d446b27bf39d921d89e1b52cb9b73d
Link:
https://www.unpac.me/results/80a26408-c588-4839-8755-33c3bebd7c43/
SH256 hash:
b52c29ba9ef8996bdf721950d900db96f1befb9883eb38c2075528e60c7aabd4
MD5 hash:
7b6143d9d94c8b80d191b77d8b6d1ba2
SHA1 hash:
1c91704ff6da2a9dd8aaa2ff2d5a5f69a445f76b
Link:
https://www.unpac.me/results/80a26408-c588-4839-8755-33c3bebd7c43/
SH256 hash:
64766dccf31959f82b64a8a3d32c5e2d3a9a9e396182fc4585a10ba0adcbbd3b
MD5 hash:
1475ae99116f934716ec683954fe29fd
SHA1 hash:
0864b979ae6a3337cd61a223f4ee81024fecf10b
Link:
https://www.unpac.me/results/80a26408-c588-4839-8755-33c3bebd7c43/
SH256 hash:
46506e04f95c639e103cfd2be43f56e9e5af5f1a3db6cb9588a050d9d842a76a
MD5 hash:
1b7d87067f9aa8b7ffe41586783203b8
SHA1 hash:
9c43f9122ab6398cb433a8fed1c3b84b23747fb8
Link:
https://www.unpac.me/results/80a26408-c588-4839-8755-33c3bebd7c43/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 46506e04f95c639e103cfd2be43f56e9e5af5f1a3db6cb9588a050d9d842a76a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/390009/

Comments