MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 695196a548978cf3d42fbc0e3cd203a580977262cbae0c96fa8c0128df4d91f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 695196a548978cf3d42fbc0e3cd203a580977262cbae0c96fa8c0128df4d91f9
SHA3-384 hash: 0953f94e9ef32f464a67d6428363bc2375dafd4db75088e3ba045e5cce12d5622688ed79f3948e1c5c55ae3169bbe81b
SHA1 hash: de1261dea7d3d3a0b075dc8b04ae1c9268e449ce
MD5 hash: 3a11f5f7dcb6e3dd51ef7a864c29403f
humanhash: papa-alabama-wisconsin-orange
File name:3a11f5f7dcb6e3dd51ef7a864c29403f
Download: download sample
Signature DarkCloud
Create hunting rule
File size:419'799 bytes
First seen:2023-07-18 06:16:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:vYa6Nocp5OR8tmQz0lS9+kT15f2h1s8MAP0U0wiBy5J3yO9kX46Nt/E2ViAjKBLx:vY3vp5OM5EOf2UlTUh7R9vYt/lN2BbGY
Threatray 41 similar samples on MalwareBazaar
TLSH T196942338B3D480D7E1E3BB315B38952AA9BB990215F4478B77904A1E36D7E53C60E363
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3a11f5f7dcb6e3dd51ef7a864c29403f
Verdict:
Malicious activity
Analysis date:
2023-07-18 06:25:05 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/a971f766-2d58-41b8-9bb0-b4193222c58a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/423209/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.15922.5850.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64b62e60f3c193545ac62f23/reports/2d19ebd4-c0e8-4c3c-a000-c64b8e790870/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/695196a548978cf3d42fbc0e3cd203a580977262cbae0c96fa8c0128df4d91f9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/04defeda-2d49-4ad0-a925-ae40f42dd2ea
Result
Threat name:
DarkCloud, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1274864
Signature
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Generic Dropper
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1274864 Sample: Co89QKn4ue.exe Startdate: 18/07/2023 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Antivirus detection for dropped file 2->35 37 Multi AV Scanner detection for dropped file 2->37 39 6 other signatures 2->39 6 semiclause.exe 18 2->6         started        10 Co89QKn4ue.exe 18 2->10         started        12 semiclause.exe 18 2->12         started        process3 file4 25 C:\Users\user\AppData\Local\...\jdmet.dll, PE32 6->25 dropped 43 Multi AV Scanner detection for dropped file 6->43 45 Detected unpacking (changes PE section rights) 6->45 47 Detected unpacking (overwrites its own PE header) 6->47 55 2 other signatures 6->55 14 semiclause.exe 15 6->14         started        27 C:\Users\user\AppData\Local\...\jdmet.dll, PE32 10->27 dropped 49 May check the online IP address of the machine 10->49 51 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 10->51 53 Maps a DLL or memory area into another process 10->53 17 Co89QKn4ue.exe 1 17 10->17         started        29 C:\Users\user\AppData\Local\...\jdmet.dll, PE32 12->29 dropped 20 semiclause.exe 15 12->20         started        signatures5 process6 dnsIp7 31 showip.net 162.55.60.2, 49692, 49693, 49697 ACPCA United States 17->31 23 C:\Users\user\AppData\...\semiclause.exe, PE32 17->23 dropped 41 Tries to harvest and steal browser information (history, passwords, etc) 20->41 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/695196a548978cf3d42fbc0e3cd203a580977262cbae0c96fa8c0128df4d91f9/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-07-17 17:10:43 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nfiznjkis6gphvbpxqhdzuqduwajo4tczoxazfx2rqasrx2nsh4q._file
Verdict:
malicious
Similar samples:
081d698ce05d76d8762d9f725143095a0c3ee39a663c08e4523e951dfab93507
DarkCloud
1f86f42e9b3f949288c425fb5e3a57a6977a0c529e129a84a9c1935e4a2a2482
DarkCloud
2150f0caeac604ff6b396c3cf863dab727dca9b3c996a7a2aa7e5ea78d0bdae3
DarkCloud
36d0c8e58fabe82307b7b36444e075f5dccd1a57e7b73551d335f76645b11274
DarkCloud
42ef434d4f2fbb1d7dcc088b49c7fd18b15a5cc6871d3b03126071f2981de33f
DarkCloud
43b0616d8f71811739454e94f8a91e47dfd51e0d30a38c7a90f78feb6b177556
DarkCloud
6923fdc205daf214ddfdcfc83f398da7646f48d4c3e432b7df373a2d2f5ba1ba
DarkCloud
9e344f8b66654ed20bf36cfd5c2e0d7108b26a3eeab566ee261b64a495ddc8b3
DarkCloud
a345d0b822b2ef2baffe88fc7084aa72e4bc90444337cd5bf7b828a94dbe805e
DarkCloud
b99842b985a6f2f3f6143250917607ccef271d03b631331fa498d7a2b1caa7a1
DarkCloud
+ 31 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230718-g1191shd4t/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/82fd414b-69ad-407e-8dba-16ce9cbf3e60/
SH256 hash:
a18267ff63739eb37c22606f12e19c5b450749b60c790019bfa426688330ddfe
MD5 hash:
dc2962db00e129f0bb4b04d2de4b221d
SHA1 hash:
c360f03562a2fab293d7e0ee00599ce46ffe421b
Detections:
darkcloudstealer_loader
Create hunting rule
Link:
https://www.unpac.me/results/82fd414b-69ad-407e-8dba-16ce9cbf3e60/
SH256 hash:
1cd0d74c60512c39448aa9a81111e05b0a72d1d13c1eecccefd694158e1454b5
MD5 hash:
a37edff65f771c8f02502253232d0a4c
SHA1 hash:
e4b4303f92edf8e4d5583e39ecd7c63fda89762a
Link:
https://www.unpac.me/results/82fd414b-69ad-407e-8dba-16ce9cbf3e60/
SH256 hash:
695196a548978cf3d42fbc0e3cd203a580977262cbae0c96fa8c0128df4d91f9
MD5 hash:
3a11f5f7dcb6e3dd51ef7a864c29403f
SHA1 hash:
de1261dea7d3d3a0b075dc8b04ae1c9268e449ce
Link:
https://www.unpac.me/results/82fd414b-69ad-407e-8dba-16ce9cbf3e60/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/695196a548978cf3d42fbc0e3cd203a580977262cbae0c96fa8c0128df4d91f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkCloud

Executable exe 695196a548978cf3d42fbc0e3cd203a580977262cbae0c96fa8c0128df4d91f9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2684915/
Cape
Cape
https://www.capesandbox.com/analysis/423209/

Comments


Avatar
zbet commented on 2023-07-18 06:16:59 UTC

url : hxxp://107.175.202.150/55/win32.exe