MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 586351cd027abe49609dfc262b07d57c8db133910867943784bb6c27b2a48a36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Signature: DarkCloud
Vendor detections: 7



SHA256 hash: 586351cd027abe49609dfc262b07d57c8db133910867943784bb6c27b2a48a36
SHA3-384 hash: fd625bb5eadbef53f5c57e8d95c4a37fef5c5fe2523a66654fe6ba8d2d98050d267c0b27027faf7f31d7738eb678e391
SHA1 hash: 99b63b06d865dfc6cde1eb9423a4c50320418a5c
MD5 hash: d264f7901f3200682872190fd7489b7f
humanhash: cola-ohio-gee-thirteen
File name: TRANSFER_REQUEST_FORM.zip
Signature: DarkCloud
File size: 740'259 bytes
First seen: 2023-02-01 08:07:19 UTC
Last seen: 2023-02-01 09:01:28 UTC
File type: zip
MIME type: application/zip
ssdeep: 12288:wGV6NzVIZjd15iyOE9x5h7xuNVsTztIp4eh/DipBWOinKipbRpv7+p5SlT:wGV6NzVmXiirkV2ztIp4mcWJbplpv6e
TLSH: T139F4337AF8632A23A17C629004583646949FA3CC74CC6DE464CB77B4EE47F790CA1D3A
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
      20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: cocaman
Tags: DarkCloud payment zip


cocaman
Malicious email (T1566.001)
From: ""ACCOUNTS" <accounts@jaychemmarketing.com>" (likely spoofed)
Received: "from jaychemmarketing.com (unknown [193.42.33.246]) "
Date: "31 Jan 2023 07:59:13 -0800"
Subject: "RE: WRONG IBAN/PAYMENT RETURNED"
Attachment: "TRANSFER_REQUEST_FORM.zip"

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 88
Origin country: n/a

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: TRANSFER_REQUEST_FORM.exe
File size: 766'976 bytes
SHA256 hash: a081fc884467fd64301b409573f4309db7487266e68e60eeef5cf5d36b5c8024
MD5 hash: 5f2799730ffccd23611b3419731661f2
MIME type: application/x-dosexec
Signature: DarkCloud

Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-01-31 15:45:18 UTC
File Type: Binary (Archive)
Extracted files: 14
AV detection: 19 of 39 (48.72%)
Threat level: 5/5

Result
Malware family: darkcloud
Score: 10/10
Tags: family:darkcloud stealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Suspicious use of SetThreadContext

DarkCloud
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
DarkCloud
zip 586351cd027abe49609dfc262b07d57c8db133910867943784bb6c27b2a48a36 (this sample)

Delivery method
Distributed via e-mail attachment
