MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 516348c99209a4bcecf45eddcf7c2ee7707750dac98121dffd19039290903263. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 516348c99209a4bcecf45eddcf7c2ee7707750dac98121dffd19039290903263
SHA3-384 hash: f4b6360b146a28f2125f21a27c0961670d0c4a4c5def5f1d28d9a452fc84d58dc4d81ee2f8f66478cad77d1e79db3c43
SHA1 hash: f89d5b07787311ce744916b0ab62a40fe1b958ee
MD5 hash: 9941744e3799d3bb314ca58c72b7447c
humanhash: december-triple-eight-ceiling
File name:scan11062020.doc.zip
Download: download sample
Signature DarkCloud
Create hunting rule
File size:9'324 bytes
First seen:2025-12-10 07:09:20 UTC
Last seen:2025-12-10 07:33:56 UTC
File type: zip
MIME type:application/zip
ssdeep 96:MMGEkiKiMCD0GLsOAc8ZZ6w2rirZzObmpKWnw6Z4RBdN20snREo:VGil012wEidybKBwzN2rnREo
TLSH T17D127EA122DBC454E313C2395F8884357F3826E437061A5E0AF80543852D8BD5E6CEEA
Magika zip
Reporter cocaman
Tags:DarkCloud QUOTATION zip


Avatar
cocaman
Malicious email (T1566.001)
From: ""Fatemeh Mahini"<munir@akkatoglu.com>" (likely spoofed)
Received: "from akkatoglu.com (unknown [172.245.244.82]) "
Date: "09 Dec 2025 22:48:58 +0100"
Subject: "RE: Request for Quotation - Urgent"
Attachment: "scan11062020.doc.zip"

Intelligence

File Origin
# of uploads :
4
# of downloads :
55
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:scan11062020.doc.vbs
File size:1'652'705 bytes
SHA256 hash: 96ffb93ccc5265198ecba5de0bda1a02720381b1ce4c807998f2450696baa2aa
MD5 hash: 40992991002f786cb60c26628b1c43da
MIME type:text/plain
Signature DarkCloud
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/75d38bc3-c9c4-4e82-ae7c-83faa3d3eeda/
Detection(s):
Sanesecurity.Foxhole.JS_Zip_1v.UNOFFICIAL
Create hunting rule

Sanesecurity.Foxhole.Zip_fs662.UNOFFICIAL
Create hunting rule

Sanesecurity.Foxhole.Zip_doc.UNOFFICIAL
Create hunting rule

Sanesecurity.Rogue.0hr.20251209-1932.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.VBS-in-ZIP.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Malware.Dropzip-1.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69390811bde6a3e5970fac2e
Tags:
n/a
Gathering data
Verdict:
Suspicious
Labled as:
Mal/DrodZp
Link:
https://www.hybrid-analysis.com/sample/516348c99209a4bcecf45eddcf7c2ee7707750dac98121dffd19039290903263
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/516348c99209a4bcecf45eddcf7c2ee7707750dac98121dffd19039290903263
Verdict:
Malicious
File Type:
zip
First seen:
2025-12-09T15:30:00Z UTC
Last seen:
2025-12-11T04:17:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/516348c99209a4bcecf45eddcf7c2ee7707750dac98121dffd19039290903263/results?tab=lookup
Score:
10%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/516348c99209a4bcecf45eddcf7c2ee7707750dac98121dffd19039290903263
Verdict:
inconclusive
YARA:
2 match(es)
Tags:
Zip Archive
Link:
https://app.malva.re/file/9941744e3799d3bb314ca58c72b7447c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/516348c99209a4bcecf45eddcf7c2ee7707750dac98121dffd19039290903263/
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-12-09 21:13:16 UTC
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kfrursmsbgslz3hul3o467bo45yhoug2zgasdx75debzfeeqgjrq._file
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud discovery execution spyware stealer
Link:
https://tria.ge/reports/251210-knyvxady4h/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
DarkCloud
Darkcloud family
Process spawned unexpected child process
Malware Config
C2 Extraction:
https://api.telegram.org/bot7722718716:AAFsEPttL8SmQnIaUjIRYcM4-slXDbVTFJ8/sendMessage?chat_id=7047358023
Dropper Extraction:
http://dn710107.ca.archive.org/0/items/msi-pro-with-b-64_20251208_1511/MSI_PRO_with_b64.png
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/516348c99209a4bcecf45eddcf7c2ee7707750dac98121dffd19039290903263

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

zip 516348c99209a4bcecf45eddcf7c2ee7707750dac98121dffd19039290903263

(this sample)

DarkCloud

Visual Basic Script (vbs) vbs 96ffb93ccc5265198ecba5de0bda1a02720381b1ce4c807998f2450696baa2aa

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 96ffb93ccc5265198ecba5de0bda1a02720381b1ce4c807998f2450696baa2aa
  
Dropping
DarkCloud
  
Dropping
MD5 40992991002f786cb60c26628b1c43da

Comments