MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fc50d17362e6ed4e53b082e4d01ad286eb2caca5113ae09e48eca48889b36fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkCloud
Vendor detections: 11



SHA256 hash: 4fc50d17362e6ed4e53b082e4d01ad286eb2caca5113ae09e48eca48889b36fb
SHA3-384 hash: 340a140933c6c4d98c809a7e9e904bd2db33f398c4533a1459512069df56d32596bc60ad144e8d77327f8f6e116297ba
SHA1 hash: 11c93e550822f2e4e8ca5366e1f2d270d4785ea7
MD5 hash: 525b29804499f54683326bd36d358a40
humanhash: delta-delaware-echo-early
File name: Purchase Order Specifications for March-2023 update.pdf (253K).exe
Signature: DarkCloud
File size: 1'256'960 bytes
First seen: 2023-03-30 16:59:42 UTC
Last seen: 2023-04-05 21:00:57 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep: 24576:ZmsNORPPda72PV1sjlty/+gpd9O2hyyL7imXSQ:ZmnRPhD3bf9O2h9T
Threatray: 48 similar samples on MalwareBazaar
TLSH: T19945E1C0E1886598EC1A5B3940B9D8309337BEADA975D51D6ED9FC637BB32C32026C17
TrID:
  69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
  1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: 0e39356644063349 (11 x AgentTesla, 3 x Formbook, 3 x SnakeKeylogger)
Reporter: cocaman
Tags: DarkCloud exe

Intelligence


File Origin
# of uploads: 4
# of downloads: 275
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Purchase Order Specifications for March-2023 update.pdf (253K).exe
Verdict: Suspicious activity
Analysis date: 2023-03-30 17:02:14 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a window
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file

Result
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 96 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Writes or reads registry keys via WMI
Result
Threat name: ByteCode-MSIL.Trojan.Nekark
Status: Malicious
First seen: 2023-03-30 11:35:12 UTC
File Type: PE (.Net Exe)
Extracted files: 10
AV detection: 16 of 35 (45.71%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files

SHA256 hash: 3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash: 94d1531b52774dce52a89e33646d5b1d
SHA1 hash: 29bf887b025b97bd7a9e1e261852ba824234a625

SHA256 hash: 5062f99a5460cbd448d7f9c35d5c05aafa3ce36357be73268367d779dd92396e
MD5 hash: c499b0e057f46db9f5ad9f0e9181830e
SHA1 hash: fda2b448e6c7a411e1baed2a8bca7050b9b769ef

SHA256 hash: 432baed298b11be97af29f964a929f865bd6af77c4f66921ae328cd6eef37a2b
MD5 hash: 441307c41a8b0f5f67d2c4093d4d80d4
SHA1 hash: fd4d672179fed9ef8aad623f3fa34d5487f0593b

SHA256 hash: 80c96655802bfd4c4d96015eb35263b478af816098713d4d66326c9c143746bc
MD5 hash: 198b24943de10a7f18af4e641bc430e7
SHA1 hash: d2bf7a7e35168dc0faa6bb3adddee47d59157e92

SHA256 hash: 5583716e59855df1555582ca188993b0ca96d7fc65585ba07898cfefc2aa5b3e
MD5 hash: 054732552aa5da3402aea2e9f774af4e
SHA1 hash: 97342c3d97520879e12223920f26924d010133d1

SHA256 hash: 3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash: e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash: 682325763a0ec77e0fd475ea3a4021b4651eceac

SHA256 hash: 4fc50d17362e6ed4e53b082e4d01ad286eb2caca5113ae09e48eca48889b36fb
MD5 hash: 525b29804499f54683326bd36d358a40
SHA1 hash: 11c93e550822f2e4e8ca5366e1f2d270d4785ea7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: DarkCloud
Sample: Executable exe 4fc50d17362e6ed4e53b082e4d01ad286eb2caca5113ae09e48eca48889b36fb (this sample)
