MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a6b6bdbcb75168441823ccc78b483378d723fc7fb950536bb9b25d8354e1eca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a6b6bdbcb75168441823ccc78b483378d723fc7fb950536bb9b25d8354e1eca
SHA3-384 hash: 108ec70f6760dac11b2f85256a9b1a75144977b2b57e0148321b93afadc30997ab046234a20f33e16afeced5b39eaba5
SHA1 hash: d3a12709aa7b736d2754ffc9e4e137554ba8fc06
MD5 hash: 9060261300db67ff94b1deef69451933
humanhash: mississippi-football-harry-king
File name:Entrega de correo de facturación.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:889'344 bytes
First seen:2023-04-21 06:03:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:NxaHbTy8LSR3fNc+/k3+K8nUSCx6Fqs6UTkTv:NYK8LSZG3+dUSS4qsN
Threatray 364 similar samples on MalwareBazaar
TLSH T15C15F1E130276782DB39FEB4222D64351FF252B7E514E56DBE4D20CA3931BC047986EA
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:DarkCloud ESP exe geo

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Entrega de correo de facturación.exe
Verdict:
Suspicious activity
Analysis date:
2023-04-21 08:10:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cf77678d-38c8-4433-8d4f-ba93e5dc6a79

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383900/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process from a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64422754f2acc4ba529cfc36/reports/1cf93c16-c43c-48af-9b31-bf2a15529d87/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7a6b6bdbcb75168441823ccc78b483378d723fc7fb950536bb9b25d8354e1eca
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7ac10254-a7e0-4325-b0d3-9d719945c479
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1218464
Signature
.NET source code contains potential unpacker
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Yara detected DarkCloud
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a6b6bdbcb75168441823ccc78b483378d723fc7fb950536bb9b25d8354e1eca/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-20 22:24:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
16 of 31 (51.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pjvwxw6louliiqmchtghrnedg6gxep6h7okqknv3tms5qnkod3fa._file
Verdict:
malicious
Similar samples:
0770c0a0a1c36d58fadff0664351bff1ae0cb32129b3cbbc6f1686096e8464b0
DarkCloud
1a37b22c671459258c8f420f9a6934dda93eb9c700ea86f390193dea31316724
DarkCloud
2afc5c73079a55ba80fa508ff696f61367752ea8276def31b99df51cc3b8c085
DarkCloud
375203fdba98876072eda98a7a9ea4b5842ce5c12db292c0986e2af62241b1fb
DarkCloud
416d574131255e4656d9d548ef7c74c1ba3850aa80a9acd9dbd0352eb03053ee
DarkCloud
74c836dfe668140a6936e71347ac8eafd517ec914d7201666081f99c2a6ae846
DarkCloud
9d83a9e060a29f32c19203afbffe3e6b3d22d71ec4779bc7139c0b22a9881e65
DarkCloud
bd407e66453e00d96368122b1d8761c995aa3a9606995dbd46ec1629debb18ed
DarkCloud
d89c98d73846067d4468833805f50a5830208fa4e5512b5144ef764b339b264c
DarkCloud
ed79b7d477df4d47af43c7061bdb5e0a952d8870df213eb42f8cfe475e18bd8d
DarkCloud
+ 354 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230421-gsljlagd2v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
DarkCloud
Malware Config
C2 Extraction:
https://api.telegram.org/bot5996552090:AAEM275k6CHYMtVosan4ojg9sUh3Oi7I8wU/sendMessage?chat_id=5069697890
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/b737f3ab-1467-4369-b46e-61e1b3090ece/
SH256 hash:
d9ccd56963c059f6c0559375032ac18139707a1bcf039d1459ab4041d7209af3
MD5 hash:
4071b3c2d8a5cc563762fcadf2ba98e0
SHA1 hash:
f6829c5c8a339214a56dc1513b088540ba62cd49
Link:
https://www.unpac.me/results/b737f3ab-1467-4369-b46e-61e1b3090ece/
SH256 hash:
93e5f70ec0fe052ab9e1292edd1d5a0fccb288b1d3956393663d66e59ba5ea88
MD5 hash:
0cd7f9ad7ea9f05ebd4d96bc5415b41d
SHA1 hash:
c0fe2237e73103fd3b729782c9d73789149b8b4f
Link:
https://www.unpac.me/results/b737f3ab-1467-4369-b46e-61e1b3090ece/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/b737f3ab-1467-4369-b46e-61e1b3090ece/
SH256 hash:
5e5c8fe4e53980a98b48fe6b19155edf0f0d285ed899c61dbf4f880583ddf1d2
MD5 hash:
b3bbc5461d12f07ea893bf415dfe7c89
SHA1 hash:
40c3156c471d2afe3fd88c7d20cf93e5782e1bd6
Link:
https://www.unpac.me/results/b737f3ab-1467-4369-b46e-61e1b3090ece/
SH256 hash:
41a16959d9550379ab5521dc78f4ce9733826c9616c58fdb42821deb8ff5045b
MD5 hash:
6f589aea419010e46543acca7475cefd
SHA1 hash:
00e9eabe239b43a085516fd712f3b6e59417197c
Link:
https://www.unpac.me/results/b737f3ab-1467-4369-b46e-61e1b3090ece/
SH256 hash:
7a6b6bdbcb75168441823ccc78b483378d723fc7fb950536bb9b25d8354e1eca
MD5 hash:
9060261300db67ff94b1deef69451933
SHA1 hash:
d3a12709aa7b736d2754ffc9e4e137554ba8fc06
Link:
https://www.unpac.me/results/b737f3ab-1467-4369-b46e-61e1b3090ece/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.99
Link:
https://yomi.yoroi.company/submissions/7a6b6bdbcb75168441823ccc78b483378d723fc7fb950536bb9b25d8354e1eca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 7a6b6bdbcb75168441823ccc78b483378d723fc7fb950536bb9b25d8354e1eca

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/383900/

Comments