MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a592b895a2d661b84fe545722cd01c7eec0998b5c92e43cbcd582723e5d0d7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkCloud

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	5a592b895a2d661b84fe545722cd01c7eec0998b5c92e43cbcd582723e5d0d7b
SHA3-384 hash:	6c0063485d434834c1c6c64da239ec0e1b5ac6bd85c9d478737a0d3192743b453a223c63362a88c3a40cb517d387747a
SHA1 hash:	ded52a7f97da681f5f2a36392bd2ae88445fdc6e
MD5 hash:	ecfe245fe1b78fff84ba32432734f321
humanhash:	papa-friend-colorado-mirror
File name:	PO.exe
Download:	download sample
Signature	DarkCloud Create hunting rule
File size:	938'496 bytes
First seen:	2023-04-18 13:05:03 UTC
Last seen:	2023-04-20 07:52:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:b+tjOIyec5mTp4uNIgU0KKlpp4m32jt49T7i:bmHplWkIT0t4kMt4t
Threatray	238 similar samples on MalwareBazaar
TLSH	T17D150219A135DFB2E9AE0BB5001422D8DB7166E33477C23C4FD2B4CAEBAE7151E84587
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	DarkCloud exe

Intelligence

File Origin

# of uploads :

# of downloads :

225

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO.exe

Verdict:

Suspicious activity

Analysis date:

2023-04-18 13:07:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6e865617-050d-46d9-958a-c6a8e93754a5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/383029/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Sanesecurity.Rogue.0hr.20230418-1032.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/643e9581b197bbdcf7dc4951/reports/587d806a-c878-46fd-a1b7-b1fc017099af/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/5a592b895a2d661b84fe545722cd01c7eec0998b5c92e43cbcd582723e5d0d7b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DarkCloud

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ad5cbad8-b86a-4b6b-90b9-0e0c16f05df9

Result

Threat name:

DarkCloud

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1215966

Signature

.NET source code contains potential unpacker

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes or reads registry keys via WMI

Yara detected DarkCloud

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5a592b895a2d661b84fe545722cd01c7eec0998b5c92e43cbcd582723e5d0d7b/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ljmsxck2fvtbxbh6krlsftiby7xmbgmllsjoipf42wbheps5bv5q._file

Verdict:

malicious

DarkCloud

2272345c34a9a89b1bc3803e5904206aa662690621cd6efd210f92c94811c1de

DarkCloud

3c2b24a6f577cca56542f53c9c1960e034c8f9b9888d6c02f4b95b6be7f9e580

DarkCloud

3ebff29a9b26f2a968315a7aada1b6aa885afd56a0d8d54e5875371c42dd3520

DarkCloud

702cee46d4f13081bcca06cfe54412f0e9115a48035d440911fae79ea0100ae6

DarkCloud

80d1e76ebf4aa4d65e93a673bc3fc94fc6b36d507f4ca0f63c7863282b5e723d

DarkCloud

8943593e7957a1ec506da8328e3b1fbe8447e6daf23992e007756ba79a13c095

DarkCloud

8c3a54283aca092b244c89ebb641bb372808b3e51b752936dfbea95dc32eeb95

DarkCloud

a91dca5f2e89d48fdb09b37bf972be6ef686f4ae84ee01b9684ab968068d0c93

DarkCloud

d298c16cc5f3bc92be81294b9d7b4b23d1be22742956b824dac7dc109dde7e35

DarkCloud

+ 228 additional samples on MalwareBazaar

Result

Malware family:

darkcloud

Score:

10/10

Tags:

family:darkcloud stealer

Link:

https://tria.ge/reports/230418-qbj4wabe55/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

DarkCloud

Malware Config

C2 Extraction:

https://api.telegram.org/bot6267068129:AAE4AO_gQGAeEakYl26r7KthrUjdWAdy5c0/sendMessage?chat_id=1909112828

Unpacked files

SH256 hash:

3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a

MD5 hash:

94d1531b52774dce52a89e33646d5b1d

SHA1 hash:

29bf887b025b97bd7a9e1e261852ba824234a625

Link:

https://www.unpac.me/results/7f392103-219b-412e-b017-2c90bc8c9226/

SH256 hash:

d4e3244b2d5c47593b02779c39d545d58d206ae08e9fc35885a253503ab57ae4

MD5 hash:

d6da5dd26a036205852a5f57eb774a62

SHA1 hash:

ed2ab673a0f90ddfca7970c001e7ff6e36f192dc

Link:

https://www.unpac.me/results/7f392103-219b-412e-b017-2c90bc8c9226/

SH256 hash:

40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403

MD5 hash:

c768bac25fc6f0551a11310e7caba8d5

SHA1 hash:

95f9195e959fb48277c95d1dd1c97a4edff7cb3a

Link:

https://www.unpac.me/results/7f392103-219b-412e-b017-2c90bc8c9226/

SH256 hash:

359aeca1f42cefe91537901639e46e41264886959136bf3272ca5bfccd3bebc7

MD5 hash:

471ec64ff851890ae7ab5be819bc37b1

SHA1 hash:

707021eca696715a3a3a9b194b762f9f8e31dcab

Link:

https://www.unpac.me/results/7f392103-219b-412e-b017-2c90bc8c9226/

SH256 hash:

980ee731be942cf243cc953bc858bdb38e213ee4ae2614c1a87bbf29e87bd71f

MD5 hash:

c3edbea3c110c61735d2d62f547816ef

SHA1 hash:

0469f68b1917e14714d471564360c5949894b69e

Link:

https://www.unpac.me/results/7f392103-219b-412e-b017-2c90bc8c9226/

SH256 hash:

698efbaf29ad1c5a3d1db7008beedcc08561ac27467188e2fd8c212085326c66

MD5 hash:

d5fbbb438371b82c274fc7e82828db8b

SHA1 hash:

032b764ef5b3eaed11fadcd726d27fc05264fca2

Link:

https://www.unpac.me/results/7f392103-219b-412e-b017-2c90bc8c9226/

SH256 hash:

5a592b895a2d661b84fe545722cd01c7eec0998b5c92e43cbcd582723e5d0d7b

MD5 hash:

ecfe245fe1b78fff84ba32432734f321

SHA1 hash:

ded52a7f97da681f5f2a36392bd2ae88445fdc6e

Link:

https://www.unpac.me/results/7f392103-219b-412e-b017-2c90bc8c9226/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5a592b895a2d661b84fe545722cd01c7eec0998b5c92e43cbcd582723e5d0d7b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.