MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78fbd42e5b8ac36090e1765cb86e573a4d8f2c3e1b6339c3e081343e74967943. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78fbd42e5b8ac36090e1765cb86e573a4d8f2c3e1b6339c3e081343e74967943
SHA3-384 hash: 5dffed5761c08a77933a07990c69aaf186e0648377d669ab04f4b4cb981adacdd3210d78355686e3f71b6599a153136c
SHA1 hash: bbe7a39f01333346c8e3bcfbf73e4c484a3bc2cd
MD5 hash: 66cc22ed167cdaef60b10efd54949ff6
humanhash: asparagus-timing-gee-princess
File name:SecuriteInfo.com.Gen.Variant.Fragtor.325313.9099.20664
Download: download sample
Signature DarkCloud
Create hunting rule
File size:344'811 bytes
First seen:2023-07-21 01:28:56 UTC
Last seen:2023-07-21 06:23:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:/Ya6D86Y0vp4i0viRcFiU+0/WHT22FtdJ9KGTV:/YpThvOi0OcFiUdeHa27dXV
Threatray 1'501 similar samples on MalwareBazaar
TLSH T136741305F7F0D467F8F956300A7F9E262EA187276D8AD30F174156AA71136824F1B33A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter SecuriteInfoCom
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
291
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Gen.Variant.Fragtor.325313.9099.20664
Verdict:
Malicious activity
Analysis date:
2023-07-21 01:30:40 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/a6cbb969-492c-46ba-a13e-7b869f1ef37a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/427252/
Detection(s):
Sanesecurity.Malware.28885.BadCo.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Gen.Variant.Fragtor.325313.4600.8258.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/78fbd42e5b8ac36090e1765cb86e573a4d8f2c3e1b6339c3e081343e74967943
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/064f0465-d566-4f6e-8f20-7dffe6d2a4f3
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1277136
Signature
Creates multiple autostart registry keys
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1277136 Sample: SecuriteInfo.com.Gen.Varian... Startdate: 21/07/2023 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Multi AV Scanner detection for dropped file 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 2 other signatures 2->55 6 SecuriteInfo.com.Gen.Variant.Fragtor.325313.9099.20664.exe 1 20 2->6         started        10 jrnwgcl.exe 18 2->10         started        12 firebed.exe 2->12         started        14 2 other processes 2->14 process3 file4 31 C:\Users\user\AppData\Roaming\...\jrnwgcl.exe, PE32 6->31 dropped 33 C:\Users\user\AppData\Local\...\xixaugr.dll, PE32 6->33 dropped 61 May check the online IP address of the machine 6->61 63 Creates multiple autostart registry keys 6->63 65 Maps a DLL or memory area into another process 6->65 16 SecuriteInfo.com.Gen.Variant.Fragtor.325313.9099.20664.exe 2 50 6->16         started        35 C:\Users\user\AppData\Local\...\xixaugr.dll, PE32 10->35 dropped 67 Multi AV Scanner detection for dropped file 10->67 69 Machine Learning detection for dropped file 10->69 71 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 10->71 21 jrnwgcl.exe 45 10->21         started        37 C:\Users\user\AppData\Local\...\xixaugr.dll, PE32 12->37 dropped 73 Writes or reads registry keys via WMI 12->73 23 firebed.exe 12->23         started        39 C:\Users\user\AppData\Local\...\xixaugr.dll, PE32 14->39 dropped 41 C:\Users\user\AppData\Local\...\xixaugr.dll, PE32 14->41 dropped 25 firebed.exe 14->25         started        27 jrnwgcl.exe 14->27         started        signatures5 process6 dnsIp7 43 mail.kbakr.com 162.241.27.28, 465, 49696, 49700 UNIFIEDLAYER-AS-1US United States 16->43 45 showip.net 162.55.60.2, 49695, 49698, 49699 ACPCA United States 16->45 29 C:\Users\user\AppData\Roaming\...\firebed.exe, PE32 16->29 dropped 57 Creates multiple autostart registry keys 16->57 59 Tries to harvest and steal browser information (history, passwords, etc) 25->59 47 192.168.2.1 unknown unknown 27->47 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/78fbd42e5b8ac36090e1765cb86e573a4d8f2c3e1b6339c3e081343e74967943/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-20 23:10:16 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pd55ils3rlbwbehbozolq3sxhjgy6lb6dnrttq7aqe2d45ewpfbq._file
Verdict:
malicious
Similar samples:
165a4a13cc076a6cf2a41f4b6bb1d2336033d9976d0abb8f02e941eb64a6f963
DarkCloud
46eeb436a29d74d779e09058eb574f83903c09c31706791288842640ddd94052
DarkCloud
47c3e044af3684dfa7d4d7885d9452358620d9e98c25fffe0d0c82c9f72fbf08
DarkCloud
64f7160a149eb98340872f6bba7149c4b654cff413acced11d4c7ee14f3a7ad5
DarkCloud
921c9c101860c14da3e87b47b03dbb367802578a19d80ac53f2c57fc1d0eb61c
DarkCloud
a9da850395755704d33ff8c4c5f469dfcbcec9f373a5cf5b0b3290dff2a5c43f
DarkCloud
ab0646fd7bf8dece42e0c38e843fbe4cbb9c18e0e98cb26cad14357fde20ed4a
DarkCloud
b4e26693eb622dcf2a71d961a2dc62c74feb7b253b1cfba3168e89b987572831
DarkCloud
d50074d48914764b355b89e387636cfbc2d5f5daf17b8afee1490c176afccfbf
DarkCloud
e3f0cf7effaf970e55ce7b44afa66607f8126403523b609849339d551011480f
DarkCloud
+ 1'491 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud persistence stealer upx
Link:
https://tria.ge/reports/230721-bv8t1scb7s/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
UPX packed file
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/99a64c7b-3c2d-41bd-a188-b63da243e1ae/
SH256 hash:
9da25fc61659c8fe78869836030657382964ec267847a690d28e2ace56b981fc
MD5 hash:
b16a148106ba56439348757570de369b
SHA1 hash:
af0ef81c56076c8e8e1b0d3b483cc8305fb447b8
Detections:
darkcloudstealer_loader
Create hunting rule
Link:
https://www.unpac.me/results/99a64c7b-3c2d-41bd-a188-b63da243e1ae/
Parent samples :
0093f1637be7794e00ec4fef75295dead87dabc6783c99d5fabbf7c24a275ff6
e43d1424c912e7c255bba16e116d51d856c4c2c5ea103fe5ea21f6077e72c9c2
d46f7e127f48d7fc3d018fd53e2c7d473c6c54d1f3e2cabec145becbd247a717
78fbd42e5b8ac36090e1765cb86e573a4d8f2c3e1b6339c3e081343e74967943
SH256 hash:
09b3326ae4089e654c2e46fbbe079338c3b1ae1b5795cc37121f5c488eb48d86
MD5 hash:
ac3c4aae5430365988590c6ce243b7a2
SHA1 hash:
b7657b980c85cfc0391dcca758756ff1eb66208f
Link:
https://www.unpac.me/results/99a64c7b-3c2d-41bd-a188-b63da243e1ae/
SH256 hash:
9e7731d5cbdd2e9f9c3add54e43eda6a82d782288bf5e9f5a9388affb772e3e3
MD5 hash:
18fe03603fef1da9072e5a778fa2da79
SHA1 hash:
d7bbb199679adf7d837a6fc019bd36a37c77a57b
Link:
https://www.unpac.me/results/99a64c7b-3c2d-41bd-a188-b63da243e1ae/
SH256 hash:
78fbd42e5b8ac36090e1765cb86e573a4d8f2c3e1b6339c3e081343e74967943
MD5 hash:
66cc22ed167cdaef60b10efd54949ff6
SHA1 hash:
bbe7a39f01333346c8e3bcfbf73e4c484a3bc2cd
Link:
https://www.unpac.me/results/99a64c7b-3c2d-41bd-a188-b63da243e1ae/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/78fbd42e5b8a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78fbd42e5b8ac36090e1765cb86e573a4d8f2c3e1b6339c3e081343e74967943

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

zip 9e4411dbb164a26bb03294a5911441ff0aa25a97fc1f961f0b6d1795cdff4971

DarkCloud

Executable exe 78fbd42e5b8ac36090e1765cb86e573a4d8f2c3e1b6339c3e081343e74967943

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/427252/
  
Dropped by
SHA256 9e4411dbb164a26bb03294a5911441ff0aa25a97fc1f961f0b6d1795cdff4971
  
Dropped by
MD5 2d84ab343d6a81a23fdafd58d6af61cf

Comments