MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f5f044bffa102a6cf581013abd91f2c799151f73430fdd4e99d1eb691b51682. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f5f044bffa102a6cf581013abd91f2c799151f73430fdd4e99d1eb691b51682
SHA3-384 hash: ba9aae152fe7a4e9368b754207849fe2fa2babcfc948222c4c92eb2009f696d973b794527ecfbefaa9f95488ca6615ee
SHA1 hash: 9c84feab6df65ab17fef55baa0dbd0548d62b452
MD5 hash: d481de8e3f2e0c40b943e3fa606eea29
humanhash: orange-stream-india-juliet
File name:4f5f044bffa102a6cf581013abd91f2c799151f73430fdd4e99d1eb691b51682
Download: download sample
Signature DarkCloud
Create hunting rule
File size:391'168 bytes
First seen:2023-08-29 08:35:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3f705a7c633fffd87c936a8b2631752c (1 x DarkCloud)
ssdeep 6144:NNVnDSy3e+LZu7Zs8zXqjHEWpJrblJcoJXJQhyu6PIynHh8d1/w5KA81IJ8GpF6e:NDq0ZuqGXqjHEWptxJChyVdqjYKkJj6e
Threatray 156 similar samples on MalwareBazaar
TLSH T145845A27EA11702EF4A7C4B1A9A59317A8152D3A1281EC5BF7C19F4A32352D3B5F132F
TrID 51.3% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
16.9% (.EXE) UPX compressed Win32 Executable (27066/9/6)
16.6% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
4.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter adrian__luca
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4f5f044bffa102a6cf581013abd91f2c799151f73430fdd4e99d1eb691b51682
Verdict:
Malicious activity
Analysis date:
2023-08-29 10:00:12 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/99108fdd-7470-45b4-928b-75e57a1c4c4f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkCloud
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445026/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
hacktool packed stealer
Link:
https://www.filescan.io/uploads/64edadff5ec4a8623261963e/reports/60236feb-1bdd-4bb0-86d8-4148cc630d2f/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/4f5f044bffa102a6cf581013abd91f2c799151f73430fdd4e99d1eb691b51682
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/446bedf1-b742-455f-99cb-9a01a8b4a19d
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1299663
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f5f044bffa102a6cf581013abd91f2c799151f73430fdd4e99d1eb691b51682/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-08-29 08:36:14 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j5pqis77uebknt2ycaj2xwi7fr4zcupxgqyp3vhjtuplnenvc2ba._file
Verdict:
malicious
Similar samples:
2226d275fd8186f1b0c51908cdc8c75a374339f9515d950c6c73aabbe9127108
DarkCloud
39c3188d01340e7dde2d297ac10dca13ec5fb3299ac57c2259dd81007660206f
DarkCloud
3e4c08f6c576544f406c83ea2361fadddc27361044b615e391fff3d9bf4e4ca2
DarkCloud
547cd0ab1f4369a1f7e6477acf6a1440ff44ed8f8839a77a0317cb96f7dd088b
DarkCloud
5db211cc922b9dd6d4b90f93dbd9a7cb0191ab8e02cd39fe058cd69ab4ff02c1
DarkCloud
6ec733375cbfab2bc5cb2c37a453a9384e3a5030aaac4f937b0c7ddedae32053
DarkCloud
9260c7129dfe3802fc03d7bd51989b28ec80636aa9d22258a1fc29af13323034
DarkCloud
c587f99ca9d68ca527dc2e28c72fc4ddbd5f2affc859d84d10bfd5c5c80aa842
DarkCloud
d1fcb7d17c9a3b228c9ae974d5ec478212c77eb17f4abff26c400f92dc42a6d0
DarkCloud
d56fba09ff195114fdf8404435b83e2b9e49193e9e97afc3adef35610714462c
DarkCloud
+ 146 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230829-khsrpsed3w/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
DarkCloud
Malware Config
C2 Extraction:
https://api.telegram.org/bot6028253602:AAFFbacUfiOxmvzuo36D6g83Flf23bpPXYA/sendMessage?chat_id=5954758350
Unpacked files
SH256 hash:
4f5f044bffa102a6cf581013abd91f2c799151f73430fdd4e99d1eb691b51682
MD5 hash:
d481de8e3f2e0c40b943e3fa606eea29
SHA1 hash:
9c84feab6df65ab17fef55baa0dbd0548d62b452
Detections:
darkcloudstealer
Create hunting rule
Link:
https://www.unpac.me/results/ab71d357-3f66-4297-b496-8392a207cae4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4f5f044bffa102a6cf581013abd91f2c799151f73430fdd4e99d1eb691b51682

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_DarkCloud
Create hunting rule
Author:ditekSHen
Description:Detects DarkCloud infostealer
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 4f5f044bffa102a6cf581013abd91f2c799151f73430fdd4e99d1eb691b51682

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/445026/

Comments