MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69952617a3441306cc846eaa2de8202cf1f46f789b5732149333a341cd1c1042. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 15


Intelligence 15 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69952617a3441306cc846eaa2de8202cf1f46f789b5732149333a341cd1c1042
SHA3-384 hash: 5a4eed348625c408902d2d7236be17cb6789ca7e372e997777989d3e409b775e3c46712985b58c0bb382635088a76e72
SHA1 hash: 9d53f824cd40413d551f04fdf14bae782e1a41e8
MD5 hash: f07b59eb2e079540ea519fdf9f03519c
humanhash: enemy-finch-wisconsin-september
File name:file
Download: download sample
Signature DarkCloud
Create hunting rule
File size:393'216 bytes
First seen:2025-03-13 15:23:01 UTC
Last seen:2025-03-19 13:09:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fc9cf63b0ad8c5564dca39f1bb53e81e (1 x DarkCloud)
ssdeep 6144:v1ZUqVGUrknevjrT2pQuoQzjZMyyF+atD2698d1/w5KA81IJ8GpF6nuTmOOU:v1ZUqHrknevjraLoqVMyyX4jjYKkJj6e
TLSH T11A845B2BF600742AF873C6B5A5E4A25BA8152DB61A80EC2BF3815F0936351D7B5F131F
TrID 48.1% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
15.8% (.EXE) UPX compressed Win32 Executable (27066/9/6)
15.5% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
6.1% (.EXE) Win64 Executable (generic) (10522/11/4)
3.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika pebin
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter jstrosch
Tags:176-65-144-3 DarkCloud exe


Avatar
jstrosch
Found at hxxp://176.65.144[.]3/dev/fireballs.exe by #subcrawl

Intelligence

File Origin
# of uploads :
3
# of downloads :
288
Origin country :
CA CA
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d3054708116ce42570d16a
Tags:
infosteal networm sharew virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Gathering data
Verdict:
Malicious
Labled as:
Dacic.CDD4E759.A.Generic
Link:
https://www.hybrid-analysis.com/sample/69952617a3441306cc846eaa2de8202cf1f46f789b5732149333a341cd1c1042
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a37c59b7-cba1-45f1-931d-16185a46a545
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1637435
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/69952617a3441306cc846eaa2de8202cf1f46f789b5732149333a341cd1c1042
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/69952617a3441306cc846eaa2de8202cf1f46f789b5732149333a341cd1c1042/
Threat name:
Win32.Trojan.DarkCloud
Create hunting rule
Status:
Malicious
First seen:
2025-03-10 17:57:18 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
33 of 38 (86.84%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ngksmf5diqjqnteen2vc32bafty7i33ytnltefetgorudti4cbba._file
Verdict:
malicious
Label(s):
darkcloudstealer
Create hunting rule
Similar samples:
error
DarkCloud
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud discovery
Link:
https://tria.ge/reports/250313-ssjwjswsg1/
Behaviour
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
Malware Config
C2 Extraction:
https://api.telegram.org/bot6107929879:AAHV6JwXs7rcYzMGLe3_opR5_gdKAC16Ye4/sendMessage?chat_id=6311012313
Verdict:
Malicious
Tags:
stealer darkcloud_stealer Win.Malware.Dacic-10015827-0
YARA:
Windows_Trojan_DarkCloud_9905abce MALWARE_Win_DarkCloud MAL_EXE_DarkCloud_Stealer_Nov_12
Link:
https://app.threat.zone/submission/374fa769-dbc6-4d6a-83dd-cd4f123634ef
Unpacked files
SH256 hash:
69952617a3441306cc846eaa2de8202cf1f46f789b5732149333a341cd1c1042
MD5 hash:
f07b59eb2e079540ea519fdf9f03519c
SHA1 hash:
9d53f824cd40413d551f04fdf14bae782e1a41e8
Detections:
darkcloudstealer
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
Link:
https://www.unpac.me/results/9c8e7d91-81f7-440e-b259-706862412b42/
Parent samples :
a247965461e20da5cf0f7a31daeae7fed5eb49c4a19af705f33b8c25f6230d3d
4a5e7f2feba177284ebd54070f92fa7f334897368100c07e4f521865fcfb468f
a23430fb24ff7cf5506c58a46a33a1572a5c724fd9b4e0e88228584f6ec6001e
c979cdb1c5a3987d61e1e90e14e969a3d9dad1aa554c5e2d66b3ac36b2e0953d
69952617a3441306cc846eaa2de8202cf1f46f789b5732149333a341cd1c1042
c11b31c8f76bfff41a21e06c40185abd8256ae50af245e8dd35bf9787b0868e0
9b9c1674fcfcb27a77923ab0926d6d879004fedfd38fc5611e05c964e8c93a8e
SH256 hash:
404a106f0b4a57d9d22746ef37e59c7ba47946836dbe5b0723f7ce20fdcc8857
MD5 hash:
82349cf0adea6e087cfba9f38d4dba02
SHA1 hash:
2c2a13aadbb098950082630d995b71b490c96412
Link:
https://www.unpac.me/results/9c8e7d91-81f7-440e-b259-706862412b42/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69952617a3441306cc846eaa2de8202cf1f46f789b5732149333a341cd1c1042

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_DarkCloud
Create hunting rule
Author:ditekSHen
Description:Detects DarkCloud infostealer
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:Windows_Trojan_DarkCloud_9905abce
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkCloud

Executable exe 69952617a3441306cc846eaa2de8202cf1f46f789b5732149333a341cd1c1042

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3474962/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaCopyBytes
MSVBVM60.DLL::__vbaSetSystemError
MSVBVM60.DLL::__vbaExitProc
MSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef
MSVBVM60.DLL::__vbaPrintFile

Comments