MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6163ab22713dc71953638cd3fcc14c6b142a88ab842c528ece5ea5f2e5be9e21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkCloud

Vendor detections: 18

Intelligence 18 IOCs YARA 3 File information Comments

SHA256 hash:	6163ab22713dc71953638cd3fcc14c6b142a88ab842c528ece5ea5f2e5be9e21
SHA3-384 hash:	6929c08f3eb69307d989a3e4972c5713c22e5b2b7bbec4a21a579a4fd58362cacf573df4616347c5c59866eab2cb7b76
SHA1 hash:	1f60d2dade7a732fc83077f347a1df297609fc54
MD5 hash:	4c4d1aeab54cfc4e58f9190812fa7dac
humanhash:	bluebird-lake-jersey-cat
File name:	Pago de factura n 657687544.exe
Download:	download sample
Signature	DarkCloud Create hunting rule
File size:	1'242'624 bytes
First seen:	2026-03-16 12:46:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'843 x AgentTesla, 19'774 x Formbook, 12'297 x SnakeKeylogger)
ssdeep	12288:CKdH37Pl9/0JSyLqgRSuZyOfP0ZLZ5W+vB5vknCws2HmTQ6kTzwYe2AXL0hmyzcE:H53P/0J7hsu25UHmTQ7TMYeh6x1KObJ
Threatray	4 similar samples on MalwareBazaar
TLSH	T13245E0156EC31A64D5954F74D2A600A837F0C65B2207E76F2FED02F0EEA7B4ECD0A492
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	James_inthe_box
Tags:	DarkCloud exe

Intelligence

File Origin

# of uploads :

# of downloads :

154

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

DeepSea Hectobmp

Details

DeepSea

DeepSea decrypted strings

Link:

https://research.acce.ciphertechsolutions.com/results/a9ee2aad-70aa-4048-b880-33bd9a15abdd/

Malware family:

n/a

ID:

File name:

Pago de factura n 657687544.exe

Verdict:

Malicious activity

Analysis date:

2026-03-16 12:49:28 UTC

Tags:

netreactor evasion stealer darkcloud auto-reg

Link:

https://app.any.run/tasks/41fbfefc-2511-451f-ae0e-f5b3ee8b1f76

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

A310Logger

Link:

https://www.capesandbox.com/analysis/57637/

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69b7fbd488c80c01586ac2a5

Tags:

virus remo msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypt formbook masquerade obfuscated obfuscated stealer vbnet

Link:

https://www.filescan.io/uploads/69b7fbd22000fc76c3e2437f/reports/ba328923-68cb-459a-89ab-9690cb2ec8b9/overview

Verdict:

Malicious

Labled as:

Trojan.MSIL.Basic.8

Link:

https://www.hybrid-analysis.com/sample/6163ab22713dc71953638cd3fcc14c6b142a88ab842c528ece5ea5f2e5be9e21

Verdict:

Malicious

File Type:

exe x32

Detections:

Trojan-Spy.Stealer.FTP.C&C Trojan-PSW.Win32.Stealer.sb Trojan-Dropper.Win32.Injector.sb PDM:Trojan.Win32.Generic Backdoor.Win32.Androm.sb Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.DarkCloud.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Inject.b HEUR:Trojan-PSW.MSIL.Stealerium.gen HackTool.ReconScan.TCP.ServerRequest

Link:

https://opentip.kaspersky.com/6163ab22713dc71953638cd3fcc14c6b142a88ab842c528ece5ea5f2e5be9e21/results?tab=lookup

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/df3e1034-6f21-4187-a835-a4f173c76826

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6163ab22713dc71953638cd3fcc14c6b142a88ab842c528ece5ea5f2e5be9e21

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86

Link:

https://app.malva.re/file/4c4d1aeab54cfc4e58f9190812fa7dac

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6163ab22713dc71953638cd3fcc14c6b142a88ab842c528ece5ea5f2e5be9e21/

Verdict:

Malicious

Threat:

Family.DARKCLOUD

Link:

https://tip.neiki.dev/file/6163ab22713dc71953638cd3fcc14c6b142a88ab842c528ece5ea5f2e5be9e21

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2026-03-13 04:57:57 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 38 (60.53%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mfr2witrhxdrsu3drtj7zqkmnmkcvcflqqwffdwol2s7fzn6tyqq._file

Verdict:

malicious

Label(s):

darkcloudstealer

DarkCloud

a9070022b1d28df7c94f12f8c025366cab612baba8c6424257d8feb805b0d182

DarkCloud

error

DarkCloud

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery persistence

Link:

https://tria.ge/reports/260316-p1aq3aaw3p/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Drops file in Windows directory

Suspicious use of SetThreadContext

Adds Run key to start application

.NET Reactor proctector

Executes dropped EXE

Unpacked files

SH256 hash:

6163ab22713dc71953638cd3fcc14c6b142a88ab842c528ece5ea5f2e5be9e21

MD5 hash:

4c4d1aeab54cfc4e58f9190812fa7dac

SHA1 hash:

1f60d2dade7a732fc83077f347a1df297609fc54

Link:

https://www.unpac.me/results/041355c0-2aa1-4a18-9e7d-4466cb9aba0f/

SH256 hash:

01de14500848d65145b3b4256272b75d3d37434be8032ea02ed78f0209701ab4

MD5 hash:

c2733b54ef9643d7f9d4359373a86ad3

SHA1 hash:

31ab81aa9c60f8d7a8589fae41ab46d403d08554

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

INDICATOR_EXE_Packed_DotNetReactor

Link:

https://www.unpac.me/results/041355c0-2aa1-4a18-9e7d-4466cb9aba0f/

Parent samples :

6163ab22713dc71953638cd3fcc14c6b142a88ab842c528ece5ea5f2e5be9e21
e2c51f1733baf02b7de6cf095989a30167375c04e0b5a4c70fe0c4f9f1585c01
9b4bda03a4885230b39a788cbd733412c498ec36393581b2bf5b060844d8b1f4

SH256 hash:

18bf646fad26a0aa1264cac867789c6d9f4de762bc83b9aeeff0f8d8d48ee6ac

MD5 hash:

4faf9d90e22fe6f5452ab806bb763ed7

SHA1 hash:

564455391f73d9d8f3baf3b907dfb9723f249820

Link:

https://www.unpac.me/results/041355c0-2aa1-4a18-9e7d-4466cb9aba0f/

SH256 hash:

97e45ae23cff023b4385c71e840ceb4324debf520392986259b17c4bc02ad570

MD5 hash:

ff230a831995109ecdfe7ffcce11a39b

SHA1 hash:

649c6485a02cc10627bbaea866f54ac190f9d404

Detections:

darkcloudstealer

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

MALWARE_Win_A310Logger

MALWARE_Win_DarkCloud

Link:

https://www.unpac.me/results/041355c0-2aa1-4a18-9e7d-4466cb9aba0f/

SH256 hash:

69b83d39655ef00f775e5bc22b91874d629e68319550000343c581318fbe6fd4

MD5 hash:

b02d83e8ecf71c6399a3b3be638fb93b

SHA1 hash:

dfaff9ecb5aeab521334bf05aa7832d3d9af9451

Link:

https://www.unpac.me/results/041355c0-2aa1-4a18-9e7d-4466cb9aba0f/

SH256 hash:

3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a

MD5 hash:

94d1531b52774dce52a89e33646d5b1d

SHA1 hash:

29bf887b025b97bd7a9e1e261852ba824234a625

Link:

https://www.unpac.me/results/041355c0-2aa1-4a18-9e7d-4466cb9aba0f/

Malware family:

DarkCloud

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6163ab22713d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6163ab22713dc71953638cd3fcc14c6b142a88ab842c528ece5ea5f2e5be9e21

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/57637/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample