MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5db211cc922b9dd6d4b90f93dbd9a7cb0191ab8e02cd39fe058cd69ab4ff02c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5db211cc922b9dd6d4b90f93dbd9a7cb0191ab8e02cd39fe058cd69ab4ff02c1
SHA3-384 hash: a7b65fff7ec822d8e3c6b320f46b4d1e535a1218b6ab1afd695736b394b1406b26e51fd64f0724aedcc1c87798ff4f8d
SHA1 hash: 195800c5e6a9dea59d3d29f4841bd81346d015c3
MD5 hash: 61b30297e49629ede1caf19c61181cc8
humanhash: saturn-november-rugby-fourteen
File name:FACTURA_.EXE
Download: download sample
Signature DarkCloud
Create hunting rule
File size:836'608 bytes
First seen:2023-07-18 06:59:45 UTC
Last seen:2023-07-18 07:05:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:hfzW/ZbrZuuu/Yq/QQ0aDKQwLjyOGDWzkS0Nl:Ra/1rsL/jQYuLLjyOGDMN
Threatray 530 similar samples on MalwareBazaar
TLSH T18D052391F29E961BC5D12AF877E4E72653704F8040B6C08C4F2CFCDBB6CA95587226A7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter cocaman
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
298
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FACTURA_.EXE
Verdict:
Malicious activity
Analysis date:
2023-07-18 07:02:57 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/b86f34b2-a5d7-4431-920c-9ae97b03c4f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/423273/
Detection(s):
Sanesecurity.Rogue.0hr.20230718-0138.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64b63874a09960069744f95f/reports/3c618d5a-ab97-4263-89e7-3adb6a5f73f5/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/5db211cc922b9dd6d4b90f93dbd9a7cb0191ab8e02cd39fe058cd69ab4ff02c1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0d043f54-ac99-4e5c-a477-5448745d5507
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1274904
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5db211cc922b9dd6d4b90f93dbd9a7cb0191ab8e02cd39fe058cd69ab4ff02c1/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-17 16:46:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lwzbdtesfoo5nvfzb6j5xwnhzmazdk4oalgtt7qfrtljvnh7alaq._file
Verdict:
malicious
Similar samples:
2150f0caeac604ff6b396c3cf863dab727dca9b3c996a7a2aa7e5ea78d0bdae3
DarkCloud
36d0c8e58fabe82307b7b36444e075f5dccd1a57e7b73551d335f76645b11274
DarkCloud
37d9d25dc72449f4bbdf92bf70511684bd3819f8306f363eb1cfd6fd0e91e365
DarkCloud
42ef434d4f2fbb1d7dcc088b49c7fd18b15a5cc6871d3b03126071f2981de33f
DarkCloud
547cd0ab1f4369a1f7e6477acf6a1440ff44ed8f8839a77a0317cb96f7dd088b
DarkCloud
54cd2e3e00d7370c6064ac4a49494694df623ff169a1aa6eb8759f55bae2f758
DarkCloud
89787eecba81c6d44901dcc74adc393548414b4e1c7f642f0fbe4a9ccfba039a
DarkCloud
8a0c61f29aa2697e44a61977bc06c3cf4c2bd8228ebc0fa00ac057b7375ff2ed
DarkCloud
9e344f8b66654ed20bf36cfd5c2e0d7108b26a3eeab566ee261b64a495ddc8b3
DarkCloud
b99842b985a6f2f3f6143250917607ccef271d03b631331fa498d7a2b1caa7a1
DarkCloud
+ 520 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230718-hsm8vshe9s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetThreadContext
DarkCloud
Malware Config
C2 Extraction:
https://api.telegram.org/bot6201772437:AAE8z2HCV4dlViF8O7_bVozdyvuR6EkBCPA/sendMessage?chat_id=1909112828
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/34d9e024-75c7-42ab-a338-743882d68198/
SH256 hash:
c1796a8cf6be4b31342d3ba730ee278132be920a0b0946531edfd5d3ab2415ef
MD5 hash:
594173a93a04d2b9ed53ee505a9d418b
SHA1 hash:
f2c5e775bf98475700c428dd92c2d25ee330e96b
Link:
https://www.unpac.me/results/34d9e024-75c7-42ab-a338-743882d68198/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/34d9e024-75c7-42ab-a338-743882d68198/
SH256 hash:
394b5507dddd8151d944db8db8e9dd7857c62aecd21d0a700c8db57120db4c06
MD5 hash:
da28c284b5110506d152a9e70d877232
SHA1 hash:
5e17f5d853d07c274a82e5399e46419bb81dc7e0
Detections:
darkcloudstealer_loader
Create hunting rule
Link:
https://www.unpac.me/results/34d9e024-75c7-42ab-a338-743882d68198/
Parent samples :
5db211cc922b9dd6d4b90f93dbd9a7cb0191ab8e02cd39fe058cd69ab4ff02c1
9709b89b130bc2a8b0f8aaf832705d093760bf811698cfe3cc40ff1751bef020
ee6a1171d804498d93b3877e1649a3f0075ffad676875c875e4778823323692e
SH256 hash:
dd3c7c45b6efdb383715581e41dad65f5a9afa55c3f0d90c20707dee1e7253af
MD5 hash:
a693bd49992e3fc9146b60126a28243e
SHA1 hash:
3d38b40a926359995fbf41aa81cabd51095e8b61
Link:
https://www.unpac.me/results/34d9e024-75c7-42ab-a338-743882d68198/
SH256 hash:
5db211cc922b9dd6d4b90f93dbd9a7cb0191ab8e02cd39fe058cd69ab4ff02c1
MD5 hash:
61b30297e49629ede1caf19c61181cc8
SHA1 hash:
195800c5e6a9dea59d3d29f4841bd81346d015c3
Link:
https://www.unpac.me/results/34d9e024-75c7-42ab-a338-743882d68198/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5db211cc922b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

img db14271dcd74f1839612cbb0f040e997310696f91efd6f7e4abde11471f4a3e9

DarkCloud

Executable exe 5db211cc922b9dd6d4b90f93dbd9a7cb0191ab8e02cd39fe058cd69ab4ff02c1

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 db14271dcd74f1839612cbb0f040e997310696f91efd6f7e4abde11471f4a3e9
Cape
Cape
https://www.capesandbox.com/analysis/423273/
  
Dropped by
SHA256 88a6501cd30a7b4d8e78311dd8d5f1ac4849bb92b25a17b8450e45d33f3f6828
  
Dropped by
MD5 414b462ee07a7308d79183380bc5a174
  
Dropped by
MD5 021c932abcc285e8c090b9da98f31d6f

Comments