MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c11525bb1adabfb50433d788c6a969c6d554fb470b5ef7fba53f0a8d09f73ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c11525bb1adabfb50433d788c6a969c6d554fb470b5ef7fba53f0a8d09f73ce
SHA3-384 hash: 1de45d45c1236dfbb71385ed0dc791fd47a7f99c1b63ff2447d02090dc5dd0707f4c1e70895000166e2cd1f122cc2490
SHA1 hash: f53e3fdc1ff1f7312812df3a86fc5f8c086627f5
MD5 hash: 601d022219ce5a476901fa09faaa17b9
humanhash: cola-robert-music-fifteen
File name:Payment_copy_070223.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'098'240 bytes
First seen:2023-02-13 07:07:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:HEawxO5dEkFB6PD3zV0Y1t+Y/2njY2ilnFg5w0VTjqZ:kTsaq6PDRVnI5f2Gy
Threatray 6'027 similar samples on MalwareBazaar
TLSH T1B835221FBBBD9B2DD2994AB434B02970033ABD577452E29E7CD2B4CE0C71B844511AEB
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0f2f0f1f271b6931 (13 x AgentTesla, 3 x StormKitty, 2 x Formbook)
Reporter adrian__luca
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment_copy_070223.exe
Verdict:
Malicious activity
Analysis date:
2023-02-13 07:12:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/35d31fac-46c5-457e-b961-fe399979882f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/364829/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILMamut.8926.4992.17139.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63e9e1e655a8f3b961919820/reports/82eda478-573b-4324-8857-93c4545bf2c7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/7c11525bb1adabfb50433d788c6a969c6d554fb470b5ef7fba53f0a8d09f73ce
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f2fa9cd2-fe9e-475e-bacb-18d0526714ce
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1173106
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Drops PE files to the user root directory
Found evasive API chain (may stop execution after checking volume information)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 805895 Sample: Payment_copy_070223.exe Startdate: 13/02/2023 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->49 51 Sigma detected: Scheduled temp file as task from temp location 2->51 53 5 other signatures 2->53 7 Payment_copy_070223.exe 7 2->7         started        11 wuqTdjXi.exe 5 2->11         started        process3 file4 37 C:\Users\user\AppData\Roaming\wuqTdjXi.exe, PE32 7->37 dropped 39 C:\Users\...\wuqTdjXi.exe:Zone.Identifier, ASCII 7->39 dropped 41 C:\Users\user\AppData\Local\...\tmpE145.tmp, XML 7->41 dropped 43 C:\Users\user\...\Payment_copy_070223.exe.log, ASCII 7->43 dropped 55 Drops PE files to the user root directory 7->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Adds a directory exclusion to Windows Defender 7->59 61 Writes or reads registry keys via WMI 7->61 13 Payment_copy_070223.exe 4 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 19 7->19         started        21 schtasks.exe 1 7->21         started        63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 67 Found evasive API chain (may stop execution after checking volume information) 11->67 69 Injects a PE file into a foreign processes 11->69 23 wuqTdjXi.exe 11->23         started        25 schtasks.exe 1 11->25         started        27 wuqTdjXi.exe 11->27         started        signatures5 process6 file7 45 C:\Users\Public\vbsqlite3.dll, PE32 13->45 dropped 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        71 Tries to harvest and steal browser information (history, passwords, etc) 23->71 73 Tries to steal Crypto Currency Wallets 23->73 35 conhost.exe 25->35         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7c11525bb1adabfb50433d788c6a969c6d554fb470b5ef7fba53f0a8d09f73ce/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-08 02:01:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
24 of 39 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pqivew5rvwv7wucdhv4iy2uwtrwvkt5uoc266752kpykrue7opha._file
Verdict:
malicious
Similar samples:
20e933700e0a43d79aafad13d07f388775fbc82d732dd00b8eefadaf07b1397f
DarkCloud
4a63d124fccf3d47730bf3b1b9d1befadb2b225b3b38fdacaa135f0800548c6c
DarkCloud
4dd10f8112c4a81bd3904fb8eda3afb7cda488b448479e5e26e36e2c1038fc7f
DarkCloud
66fcc078741968b04e45e850256bcf6f64506fd143a5b9ebf31b5244d423e277
DarkCloud
b866026f749d4e1b366623e22811ca1e7b59c374fd8ec8b8078e06f19c179d51
DarkCloud
c3ef38ad30e651906c7baf059c6ed1df1d76f4b42f4fff1b07e7b1aac7316efa
DarkCloud
d1543ba4cb80a8be6b500b8a1d35a82e85197bc46db79430c8df2dc677054f48
DarkCloud
d6e26fa2f4dcfe5a112c21fb851f626aa7ee8e9f6cac73bd27f927b054f7182d
DarkCloud
fecccddacfc2789e4d1d60fc600b8451643bf26f8877307e119e00774167d581
DarkCloud
+ 6'017 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud stealer
Link:
https://tria.ge/reports/230213-hx815aba2s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
DarkCloud
Malware Config
C2 Extraction:
https://api.telegram.org/bot5591938104:AAG3MveHdYmeWAzPZxA96RK2XyyoYB5Z-Gc/sendMessage?chat_id=5411784088
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/efe3d911-1039-49a8-96c3-e09f2a1b9c50/
SH256 hash:
6384dabeffdc0afc3d7f1e18d0033e7482790c0aa2f1f2af7cc39eb81795d0ef
MD5 hash:
f759d70f3bbee3865d9ba45b70c59bea
SHA1 hash:
f07ca29866cf8b0d92f18904860c40a284a5f550
Link:
https://www.unpac.me/results/efe3d911-1039-49a8-96c3-e09f2a1b9c50/
SH256 hash:
3da1d7e935c0b59868a6bf08e2411cbe37fc5c0b372b886dfbb046181730400e
MD5 hash:
7c8f996c5935616614b9024bae246c7d
SHA1 hash:
dfe9327577fddd2b0ef8de9ad28be0c17b65d792
Link:
https://www.unpac.me/results/efe3d911-1039-49a8-96c3-e09f2a1b9c50/
SH256 hash:
01e83081e3b4d0348d91f851b635afab5f132d05fdae96ed070abc5dab84f82e
MD5 hash:
51ff75f6b4c9fae9c7102a2b075c141f
SHA1 hash:
9dc8cea9c90c87af3b4bbbf33621cd0e141f8d38
Link:
https://www.unpac.me/results/efe3d911-1039-49a8-96c3-e09f2a1b9c50/
SH256 hash:
699752a92cac039babf4f48bfcb11ef1d8de684d2135e8f878d9e9327b9352f3
MD5 hash:
5f8a514ba0bb761f1e20b8f384350135
SHA1 hash:
68a6ae3a2cb8550d04bd92657d416e862e345433
Link:
https://www.unpac.me/results/efe3d911-1039-49a8-96c3-e09f2a1b9c50/
SH256 hash:
e386840537170219177c2bb3404f4c7bd9da1a2d53cdf2ae1e857c3b19628a29
MD5 hash:
d170ab8c03b9c37d5be449454db131d2
SHA1 hash:
2031b6754a65d21b47dd11a34fee86f048d6048d
Link:
https://www.unpac.me/results/efe3d911-1039-49a8-96c3-e09f2a1b9c50/
SH256 hash:
7c11525bb1adabfb50433d788c6a969c6d554fb470b5ef7fba53f0a8d09f73ce
MD5 hash:
601d022219ce5a476901fa09faaa17b9
SHA1 hash:
f53e3fdc1ff1f7312812df3a86fc5f8c086627f5
Link:
https://www.unpac.me/results/efe3d911-1039-49a8-96c3-e09f2a1b9c50/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c11525bb1adabfb50433d788c6a969c6d554fb470b5ef7fba53f0a8d09f73ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 7c11525bb1adabfb50433d788c6a969c6d554fb470b5ef7fba53f0a8d09f73ce

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/364829/

Comments