MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b07c93b74dfe2b95a5a8522f4f3106a91675f1da0c5f4a4ee7e5404b1dbfd58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b07c93b74dfe2b95a5a8522f4f3106a91675f1da0c5f4a4ee7e5404b1dbfd58
SHA3-384 hash: 848ec25df8926571475062988f1500723570b8c61b57564b518e126c935a2fb2c9443f85661a50da625d66b2f76b6d4e
SHA1 hash: 397d180660d9248d161a59a5ac37be87db1e0924
MD5 hash: 09369fa77303d3c89cc4e64886d52337
humanhash: hot-ten-maine-avocado
File name:Ziraat Bankası Swift Mesajı (8).exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:980'992 bytes
First seen:2023-04-14 10:27:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:Jr1vqhgDMNJMGSB6NFFDtQ7M6To4wErBJosZMOPBtaCqq:Jr1vvMLzNvxQ7hBJo6i
Threatray 163 similar samples on MalwareBazaar
TLSH T1B525DF8637708632F4AE42B8904536C91B7CB10731D5F1266F6B3AE15221BBBF65CE93
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:DarkCloud exe geo Telegram TUR ZiraatBank

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ziraat Bankası Swift Mesajı (8).exe
Verdict:
No threats detected
Analysis date:
2023-04-14 10:30:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6ed66282-f9fb-453b-abb2-c7569db0ac21

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382247/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64392ab5f4a1f6ede14ec1ed/reports/c89114a0-cfdf-4026-840b-8b82dbba09b4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/5b07c93b74dfe2b95a5a8522f4f3106a91675f1da0c5f4a4ee7e5404b1dbfd58
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0c571fc8-48cf-4c99-ac68-c2995edd365f
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213861
Signature
Contain functionality to detect virtual machines
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 846791 Sample: Ziraat_Bankas#U0131_Swift_M... Startdate: 14/04/2023 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Yara detected DarkCloud 2->35 37 3 other signatures 2->37 7 fireboard.exe 3 2->7         started        10 Ziraat_Bankas#U0131_Swift_Mesaj#U0131_(8).exe 3 2->10         started        13 fireboard.exe 2 2->13         started        process3 file4 39 Machine Learning detection for dropped file 7->39 41 Contain functionality to detect virtual machines 7->41 43 Writes or reads registry keys via WMI 7->43 15 fireboard.exe 3 7->15         started        29 Ziraat_Bankas#U013...j#U0131_(8).exe.log, ASCII 10->29 dropped 18 Ziraat_Bankas#U0131_Swift_Mesaj#U0131_(8).exe 1 5 10->18         started        21 MpCmdRun.exe 1 10->21         started        23 fireboard.exe 1 13->23         started        signatures5 process6 file7 45 Tries to harvest and steal browser information (history, passwords, etc) 15->45 47 Tries to steal Crypto Currency Wallets 15->47 27 C:\Users\user\AppData\...\fireboard.exe, PE32 18->27 dropped 25 conhost.exe 21->25         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b07c93b74dfe2b95a5a8522f4f3106a91675f1da0c5f4a4ee7e5404b1dbfd58/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2023-04-14 09:15:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lmd4so3u37rlsws2qurpj4yqnkiwoxy5udc7jjhopzkajmo37vma._file
Verdict:
malicious
Similar samples:
0ba799607c3249b17cb474a73a255b0f38dc09e05526258c9144e23209b1a01a
DarkCloud
26f7c2a6ed82ed4f46ad1bde0caa72058fedddc006d534b17b42c1528dbfa720
DarkCloud
46aa53a2f735bd16868e0d14cb07a54da59025c3a883146c49dc8cb9328c5f4f
DarkCloud
67987af9c454a2d990d14f53a2fe1763447e58ed1a5d6deec4d41f258ff6772d
DarkCloud
8471e4241857b78c135a6e0b5b218ede15f8d07afa8c8a2036332f1b77dbff17
DarkCloud
9393fc39e126ce3c9fc4adf039f6691f0943e7b1c77d2d4dbb5dc0865a45a267
DarkCloud
bbbc5f4b6670a77c8717b4500d077e7fe4a95669d4f4d032798ed14ed3addf3f
DarkCloud
cd465f7792e59bbed490c66d9c3d47a5da49abe8839aa21810b3844ecbc5863c
DarkCloud
ce33f260e52f5ea18962a5993e4275c41f527004b57ccc48d518b4ad3b310850
DarkCloud
ffe8625be597b053616f946809e0bb323a076a044212d8ab8b571b46c02c81c4
DarkCloud
+ 153 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230414-mhnh4ahe42/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/5a5cf447-8cd1-4c50-9f9a-f76ccf071373/
SH256 hash:
cb632c3fa096fa15b6d5f80a02d69d57b948bd18ce4e2fe3ded81b3361778335
MD5 hash:
cf8c391b5ed64dfab87946b6d839259e
SHA1 hash:
f32c6d6b0393aa9673402e1e24493510d8e8d8a0
Link:
https://www.unpac.me/results/5a5cf447-8cd1-4c50-9f9a-f76ccf071373/
SH256 hash:
bbb6911458dcd230f77d5cf9cff399c608e29a18654fe06c68d97973cc073ac8
MD5 hash:
a8bd6d107a972874ae8a823b8ce07301
SHA1 hash:
d622e3134b3654424207dd634d9da99174a9acbf
Link:
https://www.unpac.me/results/5a5cf447-8cd1-4c50-9f9a-f76ccf071373/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/5a5cf447-8cd1-4c50-9f9a-f76ccf071373/
SH256 hash:
e7b0530ee69e1d400c33a62b00fd002db7ab7daae35f3579461ab1e9d6b53f70
MD5 hash:
4486068732d0a5c37f8f9e57610931f4
SHA1 hash:
8068c39e5ad162da404d5088ccfa12ceef3344cd
Link:
https://www.unpac.me/results/5a5cf447-8cd1-4c50-9f9a-f76ccf071373/
SH256 hash:
f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1
MD5 hash:
567bbf43aac601560b1def4a872d4089
SHA1 hash:
21dfc6e6ecf39c9c23927c114ca911559ca4593e
Link:
https://www.unpac.me/results/5a5cf447-8cd1-4c50-9f9a-f76ccf071373/
SH256 hash:
5b07c93b74dfe2b95a5a8522f4f3106a91675f1da0c5f4a4ee7e5404b1dbfd58
MD5 hash:
09369fa77303d3c89cc4e64886d52337
SHA1 hash:
397d180660d9248d161a59a5ac37be87db1e0924
Link:
https://www.unpac.me/results/5a5cf447-8cd1-4c50-9f9a-f76ccf071373/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b07c93b74dfe2b95a5a8522f4f3106a91675f1da0c5f4a4ee7e5404b1dbfd58

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 5b07c93b74dfe2b95a5a8522f4f3106a91675f1da0c5f4a4ee7e5404b1dbfd58

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382247/

Comments