MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50f96c5863616317155504d66f82cbce78f668ad0db891186fe8d6722b5106f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkCloud

Vendor detections: 15

Intelligence 15 IOCs YARA 9 File information Comments

SHA256 hash:	50f96c5863616317155504d66f82cbce78f668ad0db891186fe8d6722b5106f3
SHA3-384 hash:	47751f0c3490a1a507c07306ac37a4915dd267852d5425e088d42f60537de519ac958902ff9dafa3b739d991d7e09e69
SHA1 hash:	060f8e4d67d1e3cdf7d15c84a52f502f869af1ed
MD5 hash:	083cae5b023fd67488b667c942a4c7d9
humanhash:	venus-lion-lemon-paris
File name:	50f96c5863616317155504d66f82cbce78f668ad0db891186fe8d6722b5106f3
Download:	download sample
Signature	DarkCloud Create hunting rule
File size:	397'312 bytes
First seen:	2025-04-08 08:43:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	30c17c20cf59602ee064b785ab702f83 (1 x DarkCloud)
ssdeep	12288:Bf5fT27PnUXFivhA05BlnyE4dmjYKkJj6GmZU:Bf5S7MmBln/4dIYb6nZ
Threatray	635 similar samples on MalwareBazaar
TLSH	T129845C17EE50782AF163C8B1AAA5D267AC156E3E1280AC1BF3819F4972311D3B5F531F
TrID	48.1% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 15.8% (.EXE) UPX compressed Win32 Executable (27066/9/6) 15.5% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 6.1% (.EXE) Win64 Executable (generic) (10522/11/4) 3.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika	pebin
dhash icon	1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter	adrian__luca
Tags:	DarkCloud exe

Intelligence

File Origin

# of uploads :

# of downloads :

331

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PROFOMAINVOICE.exe

Verdict:

Malicious activity

Analysis date:

2025-03-27 12:58:02 UTC

Tags:

darkcloud upx

Link:

https://app.any.run/tasks/5fbbd5a6-c034-4671-8397-602860bc3742

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67e54b59cb6d38a89f3ea480

Tags:

infosteal dropper sharew virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

darkcloud hacktool networm overlay packed packed packed packer_detected stealer visual_basic

Link:

https://www.filescan.io/uploads/67f4e1de2d430c849e0c87cb/reports/eae59a8b-c26b-4dee-9be4-3c3771e807c2/overview

Verdict:

Malicious

Labled as:

Dacic.CDD4E759.A.Generic

Link:

https://www.hybrid-analysis.com/sample/50f96c5863616317155504d66f82cbce78f668ad0db891186fe8d6722b5106f3

Malware family:

DarkCloud

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/02780f69-a146-4161-8324-583d5bef1dd2

Result

Threat name:

DarkCloud

Detection:

malicious

Classification:

troj.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1659348

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Found malware configuration

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Writes or reads registry keys via WMI

Yara detected DarkCloud

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/50f96c5863616317155504d66f82cbce78f668ad0db891186fe8d6722b5106f3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/50f96c5863616317155504d66f82cbce78f668ad0db891186fe8d6722b5106f3/

Threat name:

Win32.Trojan.DarkCloud

Status:

Malicious

First seen:

2025-03-27 06:54:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kd4wywddmfrrofkvatlg7awlzz4pm2fnbw4jcgdp5dlhek2ra3zq._file

Verdict:

malicious

Label(s):

darkcloudstealer

DarkCloud

29a08311df4b9c042dd63aa22583e129877ca0546cc40b6d502c1c9ca1d7075d

DarkCloud

5923afec6760f34abb071e67ec0414a302c9be5428f56e41c78f3cb0dc5fad50

DarkCloud

72befaf78a3dbba7713301082aec374017ac8b968777be10347ce749ce65835d

DarkCloud

7c4a3532a9221b0b33373a5f6565de601db11d3a4d83c2a227582c2db7094af0

DarkCloud

9260c7129dfe3802fc03d7bd51989b28ec80636aa9d22258a1fc29af13323034

DarkCloud

9cea2f9c37fe29d7dca80adc57c2cb5b721a5fb0c6811074a13da634e7b8740b

DarkCloud

e724f805db3ce1e85925362e880fda71c45994b2bb3abfaaf862ddf623b97325

DarkCloud

fd8fff6a5f07a9d3be875b4b4ca47c6682eb439343f53ce5fa357a81ba708056

DarkCloud

+ 625 additional samples on MalwareBazaar

Result

Malware family:

darkcloud

Score:

10/10

Tags:

family:darkcloud discovery

Link:

https://tria.ge/reports/250408-knbelssly6/

Behaviour

Suspicious use of SetWindowsHookEx

System Location Discovery: System Language Discovery

Verdict:

Malicious

Tags:

stealer darkcloud_stealer Win.Malware.Dacic-10015827-0

YARA:

Windows_Trojan_DarkCloud_9905abce MALWARE_Win_DarkCloud MAL_EXE_DarkCloud_Stealer_Nov_12

Link:

https://app.threat.zone/submission/b5382abd-732a-4132-beaa-064a6fe8afff

Unpacked files

SH256 hash:

50f96c5863616317155504d66f82cbce78f668ad0db891186fe8d6722b5106f3

MD5 hash:

083cae5b023fd67488b667c942a4c7d9

SHA1 hash:

060f8e4d67d1e3cdf7d15c84a52f502f869af1ed

Detections:

darkcloudstealer

INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

MALWARE_Win_DarkCloud

Link:

https://www.unpac.me/results/217e650b-c88e-48e8-a18f-18e5786e55c3/

Parent samples :

3381a1e8b1a7c8a1de20f09202ed545d3e3c055fd364cb10ce49713e9eb6d087
50f96c5863616317155504d66f82cbce78f668ad0db891186fe8d6722b5106f3

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	MALWARE_Win_DarkCloud Create hunting rule
Author:	ditekSHen
Description:	Detects DarkCloud infostealer

Rule name:	ProtectSharewareV11eCompservCMS Create hunting rule
Author:	malware-lu

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vba Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	Windows_Trojan_DarkCloud_9905abce Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::__vbaCopyBytes MSVBVM60.DLL::__vbaSetSystemError MSVBVM60.DLL::__vbaExitProc MSVBVM60.DLL::__vbaObjSetAddref MSVBVM60.DLL::EVENT_SINK_AddRef MSVBVM60.DLL::__vbaPrintFile

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample