MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6742d4234b185e5c6db0a34b173a6c46d5ad9786089f4f09d48b540de88dd7c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6742d4234b185e5c6db0a34b173a6c46d5ad9786089f4f09d48b540de88dd7c8
SHA3-384 hash: 2bf9c2e4b810c414b8ac7d1c09463c127ca3bc716c233fee2206ebb4f4efe912ae4635aec841452f38804d022ee46b2e
SHA1 hash: 4a108d7b8ae3c463eaf5dabb74408ff7dc816b60
MD5 hash: 3d052e45984887167cee3ea93f0c7d8b
humanhash: march-delta-red-london
File name:DOC499489399YTTY.vbs
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'006 bytes
First seen:2024-04-16 15:32:01 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:BVewn54qdptQDuQlJYYKWuQFqhjDiFlLnLW:LHn54qnSJYYTBW
TLSH T11B11AB1E18B8F369C88BF1E9F56F02127D845B5F94849426041C165B2274BEC8A2E7E7
Reporter abuse_ch
Tags:DarkCloud vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit fingerprint keylogger lolbin packed shell32
Link:
https://www.filescan.io/uploads/661e99fb75339da04f935ee4/reports/d6de4c30-1703-4e46-817f-3729cda6a137/overview
Verdict:
Malicious
Labled as:
Valyria
Link:
https://www.hybrid-analysis.com/sample/6742d4234b185e5c6db0a34b173a6c46d5ad9786089f4f09d48b540de88dd7c8
Result
Verdict:
MALICIOUS
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1426841
Signature
Binary is likely a compiled AutoIt script file
Clears Internet Explorer cache and cookies (likely to cover tracks)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sample uses string decryption to hide its real strings
Sigma detected: Network Connection Initiated By IMEWDBLD.EXE
Sigma detected: rundll32 run dll from internet
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Writes to foreign memory regions
Yara detected DarkCloud
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1426841 Sample: DOC499489399YTTY.vbs Startdate: 16/04/2024 Architecture: WINDOWS Score: 100 56 dsaq.shop 2->56 60 Snort IDS alert for network traffic 2->60 62 Multi AV Scanner detection for domain / URL 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 7 other signatures 2->66 12 wscript.exe 1 2->12         started        signatures3 process4 signatures5 78 VBScript performs obfuscated calls to suspicious functions 12->78 80 Obfuscated command line found 12->80 82 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->82 84 Suspicious execution chain found 12->84 15 cmd.exe 2 12->15         started        process6 file7 54 C:\Users\user\AppData\...\sK4yW8j1dG9Yxp.baT, ASCII 15->54 dropped 18 conhost.exe 15->18         started        20 IMEWDBLD.EXE 14 15->20         started        24 rundll32.exe 44 15->24         started        27 4 other processes 15->27 process8 dnsIp9 29 ofile4162024[1].exe 4 18->29         started        58 dsaq.shop 172.67.219.11, 49718, 80 CLOUDFLARENETUS United States 20->58 52 C:\Users\user\AppData\...\ofile4162024[1].exe, PE32 20->52 dropped 68 Clears Internet Explorer cache and cookies (likely to cover tracks) 24->68 32 rundll32.exe 9 46 24->32         started        34 taskkill.exe 1 27->34         started        36 conhost.exe 27->36         started        38 DeviceCredentialDeployment.exe 1 27->38         started        40 timeout.exe 1 27->40         started        file10 signatures11 process12 signatures13 86 Multi AV Scanner detection for dropped file 29->86 88 Binary is likely a compiled AutoIt script file 29->88 90 Machine Learning detection for dropped file 29->90 42 ofile4162024[1].exe 2 29->42         started        45 svchost.exe 29->45         started        process14 signatures15 70 Binary is likely a compiled AutoIt script file 42->70 72 Writes to foreign memory regions 42->72 74 Maps a DLL or memory area into another process 42->74 47 svchost.exe 5 42->47         started        76 Writes or reads registry keys via WMI 45->76 process16 signatures17 92 Tries to harvest and steal browser information (history, passwords, etc) 47->92 50 WmiPrvSE.exe 47->50         started        process18
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/6742d4234b185e5c6db0a34b173a6c46d5ad9786089f4f09d48b540de88dd7c8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6742d4234b185e5c6db0a34b173a6c46d5ad9786089f4f09d48b540de88dd7c8/
Threat name:
Win32.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2024-04-16 12:44:55 UTC
File Type:
Text (VBS)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m5bnii2ldbpfy3nqunfrootmi3k23f4gbcpu6cournka32en27ea._file
Verdict:
malicious
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/240416-sylx4afb91/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
AutoIT Executable
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Downloads MZ/PE file
DarkCloud
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6742d4234b185e5c6db0a34b173a6c46d5ad9786089f4f09d48b540de88dd7c8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments